PAM_TALLY(8) Linux-PAM Manual PAM_TALLY(8)

NAME
pam_tally - The login counter (tallying) module

SYNOPSIS
pam_tally.so [file=/path/to/counter] [onerr=[fail|succeed]]
[magic_root] [even_deny_root_account] [deny=n]
[lock_time=n] [unlock_time=n] [per_user] [no_lock_time]
[no_reset] [audit]

pam_tally [--file /path/to/counter] [--user username] [--reset[=n]]
[--quiet]

DESCRIPTION
This module maintains a count of attempted accesses, can reset the count
on success, and can deny access if too many attempts fail.

pam_tally comes in two parts: pam_tally.so and pam_tally. The former is
the PAM module and the latter a stand-alone program. pam_tally is an
(optional) application which can be used to interrogate and manipulate
the counter file. It can display users' counts, set individual counts,
or clear all counts. Setting artificially high counts may be useful for
blocking users without changing their passwords. For example, one might
find it useful to clear all counts every midnight from a cron job. The
faillog(8) command can be used instead of pam_tally to maintain the
counter file.

Normally, failed attempts to access root will not cause the root
account to become blocked, to prevent denial-of-service: if your users
aren't given shell accounts and root may only log in via su or at the
machine console (not telnet/rsh, etc.), this is safe.

OPTIONS
GLOBAL OPTIONS
These can be used for the auth and account services.
onerr=[fail|succeed]
If something weird happens (like being unable to open the file), return
with PAM_SUCCESS if onerr=succeed is given, else with the
corresponding PAM error code.

file=/path/to/counter
File in which to keep the counts. Default is /var/log/faillog.

audit
Will display the username typed if the user is not found.

AUTH OPTIONS
The authentication phase first checks whether the user should be denied
access and, if not, increments the attempted-login counter. Then, on the
call to pam_setcred(3), it resets the attempts counter.

deny=n
Deny access if the tally for this user exceeds n.

lock_time=n
Always deny for n seconds after a failed attempt.

unlock_time=n
Allow access again n seconds after a failed attempt. If this option
is used the user will be locked out for the specified amount of
time after exceeding the maximum allowed attempts. Otherwise
the account is locked until the lock is removed by manual
intervention of the system administrator.

magic_root
If the module is invoked by a user with uid=0 the counter is not
incremented. The sys-admin should use this for user-launched
services, like su; otherwise this argument should be omitted.

no_lock_time
Do not use the .fail_locktime field in /var/log/faillog for this
user.

no_reset
Don't reset the count on successful entry, only decrement it.

even_deny_root_account
Root account can become unavailable.

per_user
If /var/log/faillog contains a non-zero .fail_max/.fail_locktime
field for this user then use it instead of the deny=n/lock_time=n
parameter.

ACCOUNT OPTIONS
The account phase resets the attempts counter if the user is not magic root.
This phase can optionally be used for services which don't call
pam_setcred(3) correctly, or if the reset should be done regardless
of the failure of the account phase of other modules.

magic_root
If the module is invoked by a user with uid=0 the counter is not
incremented. The sys-admin should use this for user-launched
services, like su; otherwise this argument should be omitted.

no_reset
Don't reset the count on successful entry, only decrement it.
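The auth and account phases described above, modelled as an added Python example (not part of pam_tally or of this manual page): it replays a constructed sequence of login attempts against one faillog record and applies deny=, lock_time=, unlock_time=, per_user, no_lock_time, no_reset and magic_root as the option descriptions state them. The record fields carry the faillog names used on this page; reading "exceeds n" as strictly greater, and not counting an attempt that the check already refused, are assumptions taken from the wording here rather than from the module's source.

```python
from dataclasses import dataclass

@dataclass
class FaillogRecord:      # one user's /var/log/faillog entry, fields named as on the page
    fail_cnt: int = 0        # current tally of counted attempts
    fail_max: int = 0        # per-user deny limit, honoured with per_user (0 = unset)
    fail_locktime: int = 0   # per-user lock_time, honoured with per_user (0 = unset)
    fail_time: int = 0       # epoch seconds of the last counted attempt

@dataclass
class TallyOptions:       # the module arguments this model understands
    deny: int = 0            # deny=n (0 = never deny on count)
    lock_time: int = 0       # lock_time=n
    unlock_time: int = 0     # unlock_time=n (0 = locked until an admin resets)
    per_user: bool = False
    no_lock_time: bool = False
    no_reset: bool = False
    magic_root: bool = False

def tally_check(rec, opts, now):   # the check run before the counter is touched
    deny, lock_time = opts.deny, opts.lock_time
    if opts.per_user:   # non-zero faillog fields override the module arguments
        deny = rec.fail_max or deny
        lock_time = lock_time if opts.no_lock_time else (rec.fail_locktime or lock_time)
    if lock_time and rec.fail_cnt and now - rec.fail_time < lock_time:
        return False    # always denied for lock_time seconds after a failure
    if deny and rec.fail_cnt > deny:   # "exceeds n" read as strictly greater (assumption)
        return bool(opts.unlock_time) and now - rec.fail_time >= opts.unlock_time
    return True

def tally_auth(rec, opts, now, caller_uid=1000):   # auth phase: check, then count
    if not tally_check(rec, opts, now):
        return False
    if not (opts.magic_root and caller_uid == 0):   # uid 0 is exempt with magic_root
        rec.fail_cnt, rec.fail_time = rec.fail_cnt + 1, now
    return True

def tally_setcred(rec, opts):   # pam_setcred / account phase after a successful login
    rec.fail_cnt = max(rec.fail_cnt - 1, 0) if opts.no_reset else 0

def attempt(rec, opts, now, password_ok):   # one login attempt -> 'denied', 'ok' or 'fail'
    if not tally_auth(rec, opts, now):
        return "denied"   # refused before the password is even checked
    if password_ok:
        tally_setcred(rec, opts)
    return "ok" if password_ok else "fail"

def simulate(events, opts, rec=None):   # replay constructed (time, password_ok) attempts
    rec = FaillogRecord() if rec is None else rec
    return [attempt(rec, opts, now, ok) for now, ok in events]
```

With deny=3 and unlock_time=600, four wrong passwords at t=0..30 leave a tally of 4, so a correct password at t=40 is still refused and one at t=700 is accepted and clears the tally; without unlock_time the record stays locked until an administrator resets it.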

MODULE SERVICES PROVIDED
The auth and account services are supported.

RETURN VALUES
PAM_AUTH_ERR
An invalid option was given, the module was not able to retrieve the
user name, no valid counter file was found, or there were too many failed
logins.

PAM_SUCCESS
Everything was successful.

PAM_USER_UNKNOWN
User not known.

EXAMPLES
Add the following lines to /etc/pam.d/login to lock the account after
too many failed logins. The number of allowed failures is specified by
/var/log/faillog and needs to be set with pam_tally or faillog(8)
beforehand.

auth required pam_securetty.so
auth required pam_tally.so per_user
auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard

FILES
/var/log/faillog
failure logging file

SEE ALSO
faillog(8), pam.conf(5), pam.d(8), pam(8)

AUTHOR
pam_tally was written by Tim Baverstock and Tomas Mraz.

Linux-PAM Manual 06/18/2006 PAM_TALLY(8)