[sudo-users] pam_tally2 reset failed login counter issue

Todd C. Miller Todd.Miller at courtesan.com
Thu Jun 23 14:26:32 MDT 2016

On Tue, 21 Jun 2016 14:18:02 +0530, Raghavendra Karthik D wrote:

> We are using the pam_tally2 module to perform account lockout, and it does
> not support resetting the failed login count after a certain time period
> has elapsed.
> Why doesn't unlock_time automatically reset the failed login counter to 0 ?
> Is the workaround manually calling --reset ?

To use pam_tally2 with sudo you will need to invoke pam_tally2 last
in the account phase after as well as in the auth phase.
For example, for Centos 7:

auth       required     pam_tally2.so deny=4 unlock_time=60
auth       include      system-auth
account    include      system-auth
account    required     pam_tally2.so
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

This is becase sudo runs pam_setcred() for the target user, not the
invoking user.

 - todd

More information about the sudo-users mailing list