From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686)

Description of problem:
There is a disconnect between the documentation for pam_tally and faillog. The doc for pam_tally indicates that a user account may be locked out for the faillog parameter, fail_lock_time. But the faillog man pages do not mention this parameter. 'faillog -h' prints a brief description of usage indicating that the -l switch is used to set lock times. I can see the counter count down, but when it reaches zero the account is not re-enabled as expected.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Add these lines to /etc/pam.d/login:
   auth     required /lib/security/pam_tally.so no_magic_root
   account  required /lib/security/pam_tally.so deny=5 no_magic_root
2. Establish the faillog file:
   touch /var/log/faillog
   chmod 644 /var/log/faillog
3. Set the lock time to 10 seconds for username:
   faillog -u username -l 10
4. Try to log in with the username and a wrong password 5 times. Wait for 11 seconds, then try again, but with the correct password.

Actual Results:
Account should be enabled.

Expected Results:
The fail counter should be reset, but the account is still disabled.

There seems to be a hole in the docs with regard to fail_locktime.

Additional info:
The faillog utility has a switch, -m, which sets the maximum number of tries before the account is locked. This is also set with the deny switch in pam_tally. I found that the -m switch in faillog was ineffective. Should the faillog -m switch override pam_tally? The docs are unclear.
AFAIK, the fail_locktime should work like this: if you set it to, for example, 30 s, then you won't be able to log in for 30 s after the last unsuccessful attempt. Maybe it doesn't work anyway, but it should with the patch for bug 60930.

*** This bug has been marked as a duplicate of 60930 ***
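The lock-time rule the reply describes, worked through as an added example that is not part of the bug report, of pam_tally or of shadow-utils: the script parses a constructed /var/log/faillog image and decides whether a login attempt would be refused. It assumes the record layout of shadow-utils' struct faillog on 32-bit i386 (the reporter's platform): two shorts, a 12-byte tty name, a 32-bit time_t and a 32-bit long, 24 bytes per UID with no padding; on a 64-bit host the last two fields are 8 bytes and the record is 32 bytes. The decision rule (fail_cnt at or above deny locks the account until fail_locktime seconds have passed since fail_time; a zero lock time means locked until an administrator resets the count) models what the reply says should happen, not pam_tally's actual source. The names parse_faillog, login_denied and build_faillog are this example's own.

```python
"""Added example: parse a faillog image and apply the fail_locktime rule.

Assumptions (not taken from the bug report):
  - 32-bit i386 layout of shadow-utils' struct faillog:
      short fail_cnt, short fail_max, char fail_line[12],
      time_t fail_time (4 bytes), long fail_locktime (4 bytes) -> 24 bytes.
  - Decision rule as described in the reply to the bug: the account is
    refused for fail_locktime seconds after the last failure, or until
    the counter is reset when fail_locktime is 0.
"""
import struct
from dataclasses import dataclass

# little-endian, standard sizes: h=2, h=2, 12s=12, i=4, l=4  -> 24 bytes
RECORD = struct.Struct("<hh12sil")


@dataclass
class FailRecord:
    uid: int
    fail_cnt: int        # failures since the last successful login
    fail_max: int        # per-user limit set with `faillog -m` (0 = unset)
    fail_line: str       # tty of the last failure
    fail_time: int       # time of the last failure, seconds since the epoch
    fail_locktime: int   # lock duration set with `faillog -l` (0 = no expiry)


def parse_faillog(data: bytes) -> dict:
    """Return {uid: FailRecord}. The file is indexed by UID, one fixed-size record each."""
    if len(data) % RECORD.size:
        raise ValueError("faillog image is not a whole number of %d-byte records" % RECORD.size)
    records = {}
    for uid in range(len(data) // RECORD.size):
        cnt, mx, line, when, lock = RECORD.unpack_from(data, uid * RECORD.size)
        tty = line.split(b"\0", 1)[0].decode("ascii", "replace")
        records[uid] = FailRecord(uid, cnt, mx, tty, when, lock)
    return records


def login_denied(rec: FailRecord, deny: int, now: int) -> bool:
    """Rule modelled on the reply: locked once fail_cnt reaches `deny`,
    released when fail_locktime seconds have elapsed since fail_time."""
    if rec.fail_cnt < deny:
        return False
    if rec.fail_locktime == 0:
        return True                      # no lock time: stays locked until reset
    return now < rec.fail_time + rec.fail_locktime


def build_faillog(records: dict) -> bytes:
    """Serialise {uid: (cnt, max, tty, time, locktime)} into a file image,
    zero-filling the UIDs in between, as the real file is sparse by UID."""
    buf = bytearray(RECORD.size * (max(records) + 1))
    for uid, (cnt, mx, tty, when, lock) in records.items():
        RECORD.pack_into(buf, uid * RECORD.size, cnt, mx, tty.encode("ascii"), when, lock)
    return bytes(buf)


# Constructed sample: UID 3 has failed 5 times on tty1 at t=1000000 and was
# given a 10-second lock with `faillog -u <user> -l 10`, as in the report.
SAMPLE = build_faillog({3: (5, 0, "tty1", 1_000_000, 10)})

if __name__ == "__main__":
    recs = parse_faillog(SAMPLE)
    for now in (1_000_005, 1_000_011):
        print("t=%d denied=%s" % (now, login_denied(recs[3], deny=5, now=now)))
```

Reading the real file is `parse_faillog(open("/var/log/faillog", "rb").read())` on a 32-bit host; on 64-bit change the format string to `"<hh12sqq"` and the record size follows. Under the rule shown, the reporter's step 4 (five failures, then a correct password 11 seconds later) should be admitted, which is exactly the behaviour the report says did not happen.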