Red Hat Bugzilla – Bug 75374
fail_locktime in faillog not working
Last modified: 2015-01-07 19:00:56 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686)
Description of problem:
There is a disconnect with the documentation for pam_tally and faillog. The doc
for pam_tally indicates that a user account may be locked out for the faillog
parameter, fail_lock_time. But faillog man pages do not mention this
parameter. 'faillog -h' prints a brief description of usage indicating that the
-l switch is used to set lock times. I can see the counter count down, but when
it reaches zero the account is not re-enabled as expected.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. add these lines to /etc/pam.d/login
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=5 no_magic_root
2. establish faillog file
chmod 644 /var/log/faillog
3. set lock time to 10 seconds for username
faillog -u username -l 10
4. try to login with the username and wrong password for 5 times.
wait for 11 seconds, then try again but with correct password.
Actual Results: Account should be enabled.
Expected Results: The fail counter should be reset, but account is still
There seems to be a hole in the docs with regard to fail_locktime.
The faillog utility has a switch, -m, which sets the maximum of tries before the
account is locked. This is also set with the deny switch in pam_tally. I
found that the -m switch in faillog was ineffective.
Should the faillog -m switch override pam_tally? The docs are unclear.
AFAIK, the fail_locktime should work like this: If you set it for
example 30s then you won't be able to log in for 30s after the last
Maybe it doesn't work anyway but it should with the patch for bug 60930.
*** This bug has been marked as a duplicate of 60930 ***
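The reproduction steps above and the description of how fail_locktime is meant to behave can be replayed without a real PAM stack. The following is an added example (not code from this bug, from shadow-utils or from Linux-PAM): it models the fixed-size per-UID record layout of /var/log/faillog (struct faillog on 32-bit Linux, the reporter's platform) and implements one reading of the documented semantics, namely that the account is re-enabled once fail_locktime seconds have passed with no further failure, while fail_locktime == 0 leaves it locked until reset. The lock rules (a non-zero per-user fail_max overriding deny=, count >= limit meaning locked, the counter being cleared on a successful login) are this model's assumptions, not verified against pam_tally's source; the function names, the UID and the timestamps are constructed for the example.

```python
import struct

# Record layout of /var/log/faillog on 32-bit Linux (the reporter ran i686):
# short fail_cnt, short fail_max, char fail_line[12], time_t fail_time,
# long fail_locktime. time_t and long are 4 bytes there, so 24 bytes per UID,
# and a record's file offset is uid * RECSIZE.
FAILLOG_FMT = "<hh12sii"
RECSIZE = struct.calcsize(FAILLOG_FMT)  # 24
FIELDS = ("fail_cnt", "fail_max", "fail_line", "fail_time", "fail_locktime")


def read_record(faillog: bytes, uid: int) -> dict:
    """Return uid's record; a UID past end of file has never failed (all zeros)."""
    off = uid * RECSIZE
    chunk = faillog[off:off + RECSIZE]
    if len(chunk) < RECSIZE:
        chunk = bytes(RECSIZE)
    rec = dict(zip(FIELDS, struct.unpack(FAILLOG_FMT, chunk)))
    rec["fail_line"] = rec["fail_line"].rstrip(b"\0").decode("ascii", "replace")
    return rec


def write_record(faillog: bytes, uid: int, rec: dict) -> bytes:
    """Return a copy of the file with uid's record replaced, zero-padding up to it."""
    off = uid * RECSIZE
    buf = bytearray(faillog)
    if len(buf) < off + RECSIZE:
        buf.extend(bytes(off + RECSIZE - len(buf)))
    buf[off:off + RECSIZE] = struct.pack(
        FAILLOG_FMT, rec["fail_cnt"], rec["fail_max"],
        rec["fail_line"].encode("ascii")[:12].ljust(12, b"\0"),
        rec["fail_time"], rec["fail_locktime"])
    return bytes(buf)


def faillog_set(faillog: bytes, uid: int, **changes) -> bytes:
    """Model of faillog(8) edits: -l sets fail_locktime, -m sets fail_max,
    -r is faillog_set(log, uid, fail_cnt=0)."""
    rec = read_record(faillog, uid)
    rec.update(changes)
    return write_record(faillog, uid, rec)


def tally_failure(faillog: bytes, uid: int, line: str, now: int) -> bytes:
    """Model of the auth step on a wrong password: bump the count, stamp the time."""
    rec = read_record(faillog, uid)
    rec["fail_cnt"] += 1
    rec["fail_line"] = line
    rec["fail_time"] = now
    return write_record(faillog, uid, rec)


def tally_check(faillog: bytes, uid: int, deny: int, now: int):
    """Model of the account step. Returns (allowed, reason, faillog_after).

    Assumptions (this example's, not pam_tally's verified behaviour): a non-zero
    per-user fail_max overrides deny=; fail_cnt >= limit means locked; with
    fail_locktime == 0 the lock holds until reset; otherwise it expires once
    fail_locktime seconds have passed since fail_time; success clears the count.
    """
    rec = read_record(faillog, uid)
    limit = rec["fail_max"] or deny
    if limit == 0 or rec["fail_cnt"] < limit:
        rec["fail_cnt"] = 0
        return True, "under limit", write_record(faillog, uid, rec)
    if rec["fail_locktime"] == 0:
        return False, "locked until reset (fail_locktime is 0)", faillog
    remaining = rec["fail_time"] + rec["fail_locktime"] - now
    if remaining > 0:
        return False, "locked for %d more second(s)" % remaining, faillog
    rec["fail_cnt"] = 0
    return True, "lock expired, counter reset", write_record(faillog, uid, rec)


def reproduce(locktime: int, deny: int = 5, attempts: int = 5,
              wait: int = 11, uid: int = 1000) -> dict:
    """Replay the report: faillog -u user -l <locktime>, N bad logins one second
    apart, a check right away, then a check <wait> seconds after the last failure.
    t0 and uid are constructed values for the example."""
    t0 = 1_000_000
    log = faillog_set(b"", uid, fail_locktime=locktime)
    for i in range(attempts):
        log = tally_failure(log, uid, "tty1", t0 + i)
    last_failure = t0 + attempts - 1
    now_ok, now_why, _ = tally_check(log, uid, deny, last_failure + 1)
    later_ok, later_why, log_after = tally_check(log, uid, deny, last_failure + wait)
    return {"locked_immediately": not now_ok, "why_immediately": now_why,
            "allowed_after_wait": later_ok, "why_after_wait": later_why,
            "count_after_wait": read_record(log_after, uid)["fail_cnt"]}


if __name__ == "__main__":
    print("locktime 10:", reproduce(10))   # locked at once, allowed after the wait
    print("locktime 0: ", reproduce(0))    # locked at once, still locked after the wait
```

With a lock time of 10 s the model admits the user on the attempt made 11 s after the last failure and zeroes the counter, which is the behaviour the maintainer describes; with the lock time left at 0 the same sequence stays locked, which is what a non-working -l switch looks like from the outside. The record-offset arithmetic also shows why `faillog` needs the file to be readable at all: a record that cannot be read counts as never failed.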