[sudo-users] pam_tally2 reset failed login counter issue
Todd C. Miller
Todd.Miller at courtesan.com
Thu Jun 23 14:26:32 MDT 2016
On Tue, 21 Jun 2016 14:18:02 +0530, Raghavendra Karthik D wrote:
> We are using the pam_tally2 module to perform account lockout, and it does
> not support resetting the failed login count after a certain time period
> has elapsed.
> Why doesn't unlock_time automatically reset the failed login counter to 0 ?
> Is the workaround manually calling --reset ?
To use pam_tally2 with sudo you will need to invoke pam_tally2 last
in the account phase, as well as in the auth phase.
For example, for Centos 7:
#%PAM-1.0
auth required pam_tally2.so deny=4 unlock_time=60
auth include system-auth
account include system-auth
account required pam_tally2.so
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
This is because sudo runs pam_setcred() for the target user, not the
invoking user.
- todd
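As an added example (not from Todd's message or from the sudo project): a POSIX sh check that reads a PAM service file and reports whether pam_tally2.so is invoked in both the auth and account phases, with the account entry placed after the account include so it runs last, as the CentOS 7 layout above does. The sample files it creates are constructed for the demonstration, and the default path /etc/pam.d/sudo is an assumption.

```shell
#!/bin/sh
# Added example (assumes POSIX sh and awk; default path /etc/pam.d/sudo assumed).
pam_tally2_layout() {
    f="${1:-/etc/pam.d/sudo}"
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "auth"    && /pam_tally2\.so/ { auth_tally = NR }
        $1 == "account" && /pam_tally2\.so/ { acct_tally = NR }
        $1 == "account" && $2 == "include"  { acct_include = NR }
        END {
            if (!auth_tally) { print "missing-auth"; exit }
            if (!acct_tally) { print "missing-account"; exit }
            # pam_tally2 must run last in the account phase, i.e. after the include
            if (acct_include && acct_tally < acct_include) { print "account-not-last"; exit }
            print "ok"
        }' "$f"
}

# Constructed sample files (not real system configs) so the check runs offline.
write_sample() {                      # $1 = label, stdin = contents; prints the path
    p="${TMPDIR:-/tmp}/pam_tally2_demo_$1.$$"
    cat > "$p" && echo "$p"
}
sample_good() {                       # the CentOS 7 layout quoted in the message
    write_sample good <<'EOF'
#%PAM-1.0
auth     required pam_tally2.so deny=4 unlock_time=60
auth     include  system-auth
account  include  system-auth
account  required pam_tally2.so
password include  system-auth
session  optional pam_keyinit.so revoke
session  required pam_limits.so
EOF
}
sample_auth_only() {                  # auth-phase entry only: sudo never resets the invoker's tally
    write_sample authonly <<'EOF'
#%PAM-1.0
auth     required pam_tally2.so deny=4 unlock_time=60
auth     include  system-auth
account  include  system-auth
password include  system-auth
EOF
}

# Usage: run the check against the samples (or against /etc/pam.d/sudo with no argument).
pam_tally2_layout "$(sample_good)"        # prints: ok
pam_tally2_layout "$(sample_auth_only)"   # prints: missing-account
```

The function always exits 0 and reports its verdict as a single word, so a config-audit job can compare that word to `ok` rather than depend on exit status.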