PAM_TALLY2(8)                  Linux-PAM Manual                  PAM_TALLY2(8)

NAME
       pam_tally2 - The login counter (tallying) module

SYNOPSIS
       pam_tally2.so [file=/path/to/counter] [onerr=[fail|succeed]]
                     [magic_root] [even_deny_root] [deny=n] [lock_time=n]
                     [unlock_time=n] [root_unlock_time=n] [serialize] [audit]
                     [silent] [no_log_info] [debug]

       pam_tally2 [--file /path/to/counter] [--user username] [--reset[=n]]
                  [--quiet]

DESCRIPTION
       This module maintains a count of attempted accesses, can reset the
       count on success, and can deny access if too many attempts fail.

       pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former
       is the PAM module and the latter a stand-alone program. pam_tally2 is
       an (optional) application which can be used to interrogate and
       manipulate the counter file. It can display users' counts, set
       individual counts, or clear all counts. Setting artificially high
       counts may be useful for blocking users without changing their
       passwords. For example, one might find it useful to clear all counts
       every midnight from a cron job.

       Normally, failed attempts to access root will not cause the root
       account to become blocked, to prevent denial-of-service: if your users
       aren't given shell accounts and root may only login via su or at the
       machine console (not telnet/rsh, etc), this is safe.

OPTIONS
   GLOBAL OPTIONS
       These can be used for the auth and account module types.

       onerr=[fail|succeed]
           If something weird happens (like being unable to open the file),
           return with PAM_SUCCESS if onerr=succeed is given, else with
           the corresponding PAM error code.

       file=/path/to/counter
           File where to keep counts. Default is /var/log/tallylog.

       audit
           Will log the user name into the system log if the user is not
           found.

       silent
           Don't print informative messages.

       no_log_info
           Don't log informative messages via syslog(3).

       debug
           Always log the tally count when it is incremented, as a debug
           level message to the system log.

   AUTH OPTIONS
       The authentication phase first increments the attempted login counter
       and checks whether the user should be denied access. If the user is
       authenticated and the login process continues with a call to
       pam_setcred(3), it resets the attempts counter.

       deny=n
           Deny access if the tally for this user exceeds n.

       lock_time=n
           Always deny for n seconds after a failed attempt.

       unlock_time=n
           Allow access n seconds after a failed attempt. If this option is
           used the user will be locked out for the specified amount of
           time after exceeding the maximum allowed attempts. Otherwise the
           account is locked until the lock is removed by manual
           intervention of the system administrator.

       magic_root
           If the module is invoked by a user with uid=0 the counter is not
           incremented. The sysadmin should use this for user-launched
           services, like su; otherwise this argument should be omitted.

       no_lock_time
           Do not use the .fail_locktime field in /var/log/faillog for this
           user.

       even_deny_root
           The root account can become unavailable.

       root_unlock_time=n
           This option implies the even_deny_root option. Allow access to
           the root account n seconds after a failed attempt. If this option
           is used the root user will be locked out for the specified amount
           of time after exceeding the maximum allowed attempts.

       serialize
           Serialize access to the tally file using locks. This option may
           be used only for non-multithreaded services because it depends on
           fcntl locking of the tally file. It is also a good idea to use
           this option only in configurations where the time between the
           auth phase and the account or setcred phase does not depend on
           the authenticating client. Otherwise the authenticating client
           will be able to prevent simultaneous authentications by the same
           user simply by artificially prolonging the time the file record
           lock is held.

   ACCOUNT OPTIONS
       The account phase resets the attempts counter if the user is not
       magic root. This phase can be used optionally for services which
       don't call pam_setcred(3) correctly, or if the reset should be done
       regardless of the failure of the account phase of other modules.

       magic_root
           If the module is invoked by a user with uid=0 the counter is not
           changed. The sysadmin should use this for user-launched services,
           like su; otherwise this argument should be omitted.

MODULE TYPES PROVIDED
       The auth and account module types are provided.

RETURN VALUES
       PAM_AUTH_ERR
           An invalid option was given, the module was not able to retrieve
           the user name, no valid counter file was found, or there were
           too many failed logins.

       PAM_SUCCESS
           Everything was successful.

       PAM_USER_UNKNOWN
           User not known.

NOTES
       pam_tally2 is not compatible with the old pam_tally faillog file
       format. This is caused by the requirement that the tallylog file
       format be compatible between 32-bit and 64-bit architectures on
       multiarch systems.

       There is no setuid wrapper for access to the data file, such as when
       the pam_tally2.so module is called from xscreensaver. As this would
       make it impossible to share PAM configuration with such services, the
       following workaround is used: if the data file cannot be opened
       because of insufficient permissions (EACCES) the module returns
       PAM_IGNORE.

EXAMPLES
       Add the following line to /etc/pam.d/login to lock the account after
       4 failed logins. The root account will be locked as well. The
       accounts will be automatically unlocked after 20 minutes. The module
       does not have to be called in the account phase because login calls
       pam_setcred(3) correctly.

           auth     required  pam_securetty.so
           auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
           auth     required  pam_env.so
           auth     required  pam_unix.so
           auth     required  pam_nologin.so
           account  required  pam_unix.so
           password required  pam_unix.so
           session  required  pam_limits.so
           session  required  pam_unix.so
           session  required  pam_lastlog.so nowtmp
           session  optional  pam_mail.so standard

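       The following Python model ties together the AUTH OPTIONS above
       (deny, lock_time, unlock_time, root_unlock_time, even_deny_root,
       magic_root) and the EXAMPLES configuration, replaying a series of
       failed attempts to show when the module would refuse access. It is an
       added illustration written for this page, not the module's own C
       code; the order "bump, then check", the refresh of the failure
       timestamp on a denied attempt, and the restart of the count when an
       unlock window has expired are modelling assumptions, stated again in
       the docstring.

```python
from dataclasses import dataclass


@dataclass
class TallyOptions:
    deny: int = 0              # deny=n: refuse once the tally exceeds n (0 = never)
    lock_time: int = 0         # lock_time=n: always refuse for n seconds after a failure
    unlock_time: int = 0       # unlock_time=n: lift the deny lock after n seconds
    root_unlock_time: int = 0  # root_unlock_time=n: same for uid 0; implies even_deny_root
    even_deny_root: bool = False
    magic_root: bool = False   # uid 0 never bumps the tally


@dataclass
class TallyRecord:
    fail_cnt: int = 0          # failures since the last reset
    fail_time: int = 0         # epoch seconds of the most recent failure


def auth_check(rec: TallyRecord, opts: TallyOptions, uid: int, now: int):
    """One attempt in the auth phase: bump the tally, then decide. Returns (allowed, reason).
    Modelling assumptions: the bump precedes the check, a denied attempt still refreshes
    fail_time, and an expired unlock window makes this attempt failure number one."""
    oldtime = rec.fail_time
    if not (opts.magic_root and uid == 0):
        rec.fail_cnt += 1
        rec.fail_time = now
    root_can_lock = opts.even_deny_root or opts.root_unlock_time > 0
    if opts.deny and rec.fail_cnt > opts.deny and (uid != 0 or root_can_lock):
        unlock = opts.root_unlock_time if uid == 0 else opts.unlock_time
        if unlock and oldtime + unlock <= now:
            rec.fail_cnt = 1       # window expired: this attempt starts a fresh count
        else:
            return False, "deny"   # locked until unlock_time passes or an admin resets
    if opts.lock_time and oldtime + opts.lock_time > now:
        return False, "lock_time"
    return True, "ok"


def setcred_reset(rec: TallyRecord) -> None:
    """What pam_setcred(3), or the account phase, does once the user authenticated."""
    rec.fail_cnt = 0


def simulate(opts: TallyOptions, uid: int, times) -> list:
    """Replay failed attempts at the given epoch times and return each verdict."""
    rec = TallyRecord()
    return [auth_check(rec, opts, uid, t)[1] for t in times]
```

       With the EXAMPLES options, simulate(TallyOptions(deny=4,
       unlock_time=1200, even_deny_root=True), 1000, [0, 1, 2, 3, 4, 1204])
       shows four tolerated failures, a refusal on the fifth, and the lock
       lifting 1200 seconds after the last failure; note that a refused
       attempt inside the window pushes the unlock time further out.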
FILES
       /var/log/tallylog
           failure count logging file

SEE ALSO
       pam.conf(5), pam.d(5), pam(8)

AUTHOR
       pam_tally2 was written by Tim Baverstock and Tomas Mraz.

Linux-PAM Manual                  03/22/2017                      PAM_TALLY2(8)