Bug 75374 - fail_locktime in faillog not working
Status: CLOSED DUPLICATE of bug 60930
Product: Red Hat Linux
Classification: Retired
Component: pam
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Jay Turner
Reported: 2002-10-07 16:20 EDT by Need Real Name
Modified: 2015-01-07 19:00 EST
Last Closed: 2004-09-21 09:08:59 EDT
Description Need Real Name 2002-10-07 16:20:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686)

Description of problem:
There is a disconnect with the documentation for pam_tally and faillog.  The doc
for pam_tally indicates that a user account may be locked out for the faillog
parameter, fail_lock_time.  But faillog man pages do not mention this
parameter.  'faillog -h' prints a brief description of usage indicating that the
-l switch is used to set lock times.   I can see the counter count down, but when
it reaches zero the account is not re-enabled as expected.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  add these lines to /etc/pam.d/login
 auth    required  /lib/security/pam_tally.so  no_magic_root
 account required  /lib/security/pam_tally.so  deny=5 no_magic_root

2. establish faillog file

   touch     /var/log/faillog
   chmod 644 /var/log/faillog
3.  set lock time to 10 seconds for username 

    faillog -u username -l 10

4.  try to login with the username and wrong password for 5 times. 
    wait for 11 seconds, then try again but with correct password.


Actual Results:  Account should be enabled.

Expected Results:  The fail counter should be reset, but account is still
There seems to be a hole in the docs with regard to fail_locktime.

Additional info:

The faillog utility has a switch, -m, which sets the maximum of tries before the
account is locked.  This is also set with the deny switch in pam_tally.  I
found that the -m switch in faillog was ineffective.
Should the faillog -m switch override pam_tally?  The docs are unclear.
Comment 1 Tomas Mraz 2004-09-21 09:04:28 EDT
AFAIK, the fail_locktime should work like this: If you set it for, for
example, 30s then you won't be able to log in for 30s after the last
unsuccessful attempt.

Maybe it doesn't work anyway but it should with the patch for bug 60930.

*** This bug has been marked as a duplicate of 60930 ***
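
Added example, not part of the bug report or of the pam or shadow sources: a reader for faillog records that applies the rule described in Comment 1 (no login until fail_locktime seconds have passed since the last failure). The 24-byte i386 record layout and the UID-indexed file are assumptions about the faillog format, and the sample bytes, UID 500 and timestamp are constructed.

```python
import struct

# Assumed i386 layout of struct faillog (as in shadow's faillog.h):
#   short fail_cnt; short fail_max; char fail_line[12];
#   time_t fail_time; long fail_locktime;    (24 bytes, little-endian)
RECORD = struct.Struct("<hh12sii")
FIELDS = ("fail_cnt", "fail_max", "fail_line", "fail_time", "fail_locktime")


def read_record(data, uid):
    """Return the record for uid; the file is an array indexed by UID."""
    chunk = data[uid * RECORD.size:(uid + 1) * RECORD.size]
    if len(chunk) < RECORD.size:
        # Short or sparse file: nothing recorded for this UID.
        chunk = bytes(RECORD.size)
    rec = dict(zip(FIELDS, RECORD.unpack(chunk)))
    rec["fail_line"] = rec["fail_line"].split(b"\0", 1)[0].decode("ascii", "replace")
    return rec


def lock_remaining(rec, now):
    """Seconds left before login is allowed again; 0 means no time lock."""
    if rec["fail_locktime"] <= 0 or rec["fail_time"] == 0:
        return 0
    return max(0, rec["fail_time"] + rec["fail_locktime"] - now)


# Constructed sample: UID 500, five failures on tty1, last one at T0,
# lock time 10 s as set by "faillog -u username -l 10" in the report.
T0 = 1034022000
SAMPLE_UID = 500
SAMPLE_FILE = bytes(SAMPLE_UID * RECORD.size) + RECORD.pack(5, 0, b"tty1", T0, 10)

if __name__ == "__main__":
    rec = read_record(SAMPLE_FILE, SAMPLE_UID)
    for delay in (4, 11):
        left = lock_remaining(rec, T0 + delay)
        state = "locked, %d s left" % left if left else "lock expired"
        print("%s failures=%d, +%ds: %s" % (rec["fail_line"], rec["fail_cnt"], delay, state))
```

To inspect a real file, pass the bytes of /var/log/faillog to read_record; on a 64-bit system the record size differs and the format string must be adjusted.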
