Description of problem:
pam_tally2.so failures are not resetting upon successful login

Version-Release number of selected component (if applicable):
1.1.1-8.el6

How reproducible:
Always

Steps to Reproduce:
1. Here's my system-auth:

auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=10 unlock_time=900
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

2. Purposely borking logins causes pam_tally2.so to increase the failed login attempts

[root@somehost ~]# pam_tally2 -u smcbrien
Login           Failures Latest failure     From
smcbrien            6    06/13/11 10:25:46  /dev/pts/1

3. However after a successful login I expect to see the count return to a 0 since I have pam_tally2.so listed in the 'account' rules. But no.

[root@somehost ~]# pam_tally2 -u smcbrien
Login           Failures Latest failure     From
smcbrien            6    06/13/11 10:25:46  /dev/pts/1

Actual results:
Unsuccessful logins are never cleaned upon a successful login.

Expected results:
A successful login should wipe out any failed login attempts, assuming the user is under the deny=limit set in the auth rule

Additional info:
I cannot reproduce this behavior, it resets the tally count normally on my testing install. What kind of login do you try? The text console login or gdm, or ?
I'm using ssh to log in. I see my problem. In RHEL6, sshd does not use system-auth, it uses password-auth, which doesn't have my pam_tally2.so rules in it. False alarm. Any reason to move away from system-auth?

-Scott
system-auth integrates modules that are usable on local system only - such as the pam_fprintd in your configuration or pam_pkcs11 for smartcards. SSHD cannot use these modules. See also man system-auth-ac.
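
The root cause in this thread was checking system-auth while sshd reads password-auth. As an added example (not part of the bug report or of Linux-PAM), the following Python script resolves include/substack lines for each service and reports whether pam_tally2.so is reachable in both the auth and account stacks. The sshd, login and trimmed password-auth files are constructed samples, and stack, tally_coverage and audit_sample are hypothetical helper names.

```python
import os
import tempfile

def stack(pam_dir, service, mtype, seen=None):
    """Modules of one type in a service file, following include/substack."""
    seen = set() if seen is None else seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):  # include loop or missing file
        return []
    seen.add(service)
    modules = []
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0].lstrip("-") != mtype:
                continue
            rest = fields[1:]
            if rest[0].startswith("["):  # control like [success=1 default=ignore]
                while len(rest) > 1 and not rest[0].endswith("]"):
                    rest.pop(0)
            control, args = rest[0], rest[1:]
            if args and control in ("include", "substack"):
                modules += stack(pam_dir, args[0], mtype, seen)
            elif args:
                modules.append(os.path.basename(args[0]))
    return modules

def tally_coverage(pam_dir, service, module="pam_tally2.so"):
    """Is the module reachable in both the auth and the account stack?"""
    return {t: module in stack(pam_dir, service, t) for t in ("auth", "account")}

SAMPLE = {  # constructed files modelled on the report, not copied from a real host
    "system-auth": "auth required pam_tally2.so onerr=fail deny=10 unlock_time=900\n"
                   "auth sufficient pam_unix.so nullok try_first_pass\n"
                   "account required pam_unix.so\n"
                   "account required pam_tally2.so\n",
    "password-auth": "auth sufficient pam_unix.so nullok try_first_pass\n"
                     "account required pam_unix.so\n",
    "sshd": "auth include password-auth\naccount include password-auth\n",
    "login": "auth include system-auth\naccount include system-auth\n",
}

def audit_sample():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return {svc: tally_coverage(d, svc) for svc in ("sshd", "login")}

print(audit_sample())
```

On a real host, call tally_coverage("/etc/pam.d", "sshd") for each service that accepts logins; a service showing False for auth has no lockout, and one with auth but not account will count failures without ever resetting them.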