From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root account even when the invalid password attempt count is greater than the set deny limit. This parameter shows up as an unknown option in /var/log/messages.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:
   auth     required /lib/security/pam_securetty.so
   auth     required /lib/security/pam_nologin.so
   auth     required /lib/security/pam_shells.so
   auth     required /lib/security/pam_pwdb.so
   auth     required /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account
   account  required /lib/security/pam_tally.so deny=5 reset no_magic_root
2. Try to log in as root from either a 'su' or from the console 6 or more times with an invalid password.
3. Try logging in again using the proper password. It works?

Actual Results:
I was able to log in even though the root account should have been locked out.

Expected Results:
root should not be able to log in.

Additional info:
/var/log/messages shows:
Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure; logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost= user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option; even_deny_root_account

pam-0.75-40
Have you tried the latest pam errata? Does that behave similarly?
It looks like this was a PEBCAK issue. I must have misinterpreted the documentation. I am now using pam-0.75-46.8.0 and it is working properly. Here are the relevant sections of /etc/pam.d/system-auth:
   auth     required   /lib/security/pam_tally.so onerr=fail no_magic_root
   auth     required   /lib/security/pam_env.so
   auth     sufficient /lib/security/pam_unix.so likeauth nullok
   auth     required   /lib/security/pam_deny.so
   account  required   /lib/security/pam_tally.so deny=5 reset no_magic_root even_deny_root_account
   account  required   /lib/security/pam_unix.so
I had put even_deny_root_account in the auth section instead of account. Using the above configuration it works as expected. Thanks.
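As an added check (not part of the original report or of pam_tally itself), the shell function below scans a PAM config and flags pam_tally options that this thread shows are only honoured in the account phase when they appear on an auth line, which is the misconfiguration the reporter hit. The sample config and the option list are constructed assumptions drawn from the thread, not from the module documentation.

```shell
#!/bin/sh
# Constructed sample of the reporter's first (broken) config: the account-phase
# option even_deny_root_account sits on the auth line, where pam_tally ignores it.
SAMPLE_PAM='auth     required /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account
account  required /lib/security/pam_tally.so deny=5 reset no_magic_root'

# Options this thread shows pam_tally only honours in the account phase
# (assumed list; deny= is matched as a prefix so deny=5 etc. count).
ACCOUNT_ONLY_OPTS='deny= reset no_reset even_deny_root_account'

# check_pam_tally_placement <pam-config-text>
# Prints "<lineno>: <option> on auth line" for each misplaced option and
# returns 1; returns 0 when no account-only option is found on an auth line.
# Assumes the control field is a single word (e.g. "required"), so the
# module path is field 3; bracketed controls are not handled.
check_pam_tally_placement() {
    printf '%s\n' "$1" | awk -v opts="$ACCOUNT_ONLY_OPTS" '
        BEGIN { n = split(opts, acct, " "); bad = 0 }
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        $1 == "auth" && $3 ~ /pam_tally\.so$/ {
            for (i = 4; i <= NF; i++)               # every option after the module path
                for (j = 1; j <= n; j++)
                    if (index($i, acct[j]) == 1) {  # option starts with an account-only name
                        printf "%d: %s on auth line\n", NR, $i
                        bad = 1
                    }
        }
        END { exit (bad ? 1 : 0) }'
}
```

To check a live system, run `check_pam_tally_placement "$(cat /etc/pam.d/system-auth)"`; a non-zero exit with a printed line means the lockout option will be reported as unknown, exactly as in the reporter's /var/log/messages.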