'\" t .\" Title: pam_tally2 .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 .\" Date: 05/18/2017 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" .TH "PAM_TALLY2" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" pam_tally2 \- The login counter (tallying) module .SH "SYNOPSIS" .HP \w'\fBpam_tally2\&.so\fR\ 'u \fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info] [debug] .HP \w'\fBpam_tally2\fR\ 'u \fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] .SH "DESCRIPTION" .PP This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. .PP pam_tally2 comes in two parts: \fBpam_tally2\&.so\fR and \fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. \fBpam_tally2\fR is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. .PP Normally, failed attempts to access \fIroot\fR will \fBnot\fR cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via \fBsu\fR or at the machine console (not telnet/rsh, etc), this is safe\&. .SH "OPTIONS" .PP GLOBAL OPTIONS .RS 4 This can be used for \fIauth\fR and \fIaccount\fR module types\&. .PP \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR .RS 4 If something weird happens (like unable to open the file), return with \fBPAM_SUCCESS\fR if \fBonerr=\fR\fB\fIsucceed\fR\fR is given, else with the corresponding PAM error code\&. .RE .PP \fBfile=\fR\fB\fI/path/to/counter\fR\fR .RS 4 File where to keep counts\&. Default is /var/log/tallylog\&. .RE .PP \fBaudit\fR .RS 4 Will log the user name into the system log if the user is not found\&. .RE .PP \fBsilent\fR .RS 4 Don\*(Aqt print informative messages\&. .RE .PP \fBno_log_info\fR .RS 4 Don\*(Aqt log informative messages via \fBsyslog\fR(3)\&. .RE .PP \fBdebug\fR .RS 4 Always log tally count when it is incremented as a debug level message to the system log\&. .RE .RE .PP AUTH OPTIONS .RS 4 Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to \fBpam_setcred\fR(3) it resets the attempts counter\&. .PP \fBdeny=\fR\fB\fIn\fR\fR .RS 4 Deny access if tally for this user exceeds \fIn\fR\&. .RE .PP \fBlock_time=\fR\fB\fIn\fR\fR .RS 4 Always deny for \fIn\fR seconds after failed attempt\&. .RE .PP \fBunlock_time=\fR\fB\fIn\fR\fR .RS 4 Allow access after \fIn\fR seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. .RE .PP \fBmagic_root\fR .RS 4 If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like \fBsu\fR, otherwise this argument should be omitted\&. .RE .PP \fBeven_deny_root\fR .RS 4 Root account can become unavailable\&. .RE .PP \fBroot_unlock_time=\fR\fB\fIn\fR\fR .RS 4 This option implies \fBeven_deny_root\fR option\&. Allow access after \fIn\fR seconds to root account after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. .RE .PP \fBserialize\fR .RS 4 Serialize access to the tally file using locks\&. This option might be used only for non\-multithreaded services because it depends on the fcntl locking of the tally file\&. Also it is a good idea to use this option only in such configurations where the time between auth phase and account or setcred phase is not dependent on the authenticating client\&. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user by simply artificially prolonging the time the file record lock is held\&. .RE .RE .PP ACCOUNT OPTIONS .RS 4 Account phase resets attempts counter if the user is \fBnot\fR magic root\&. This phase can be used optionally for services which don\*(Aqt call \fBpam_setcred\fR(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. .PP \fBmagic_root\fR .RS 4 If the module is invoked by a user with uid=0 the counter is not changed\&. The sysadmin should use this for user launched services, like \fBsu\fR, otherwise this argument should be omitted\&. .RE .RE .SH "MODULE TYPES PROVIDED" .PP The \fBauth\fR and \fBaccount\fR module types are provided\&. .SH "RETURN VALUES" .PP PAM_AUTH_ERR .RS 4 A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. .RE .PP PAM_SUCCESS .RS 4 Everything was successful\&. .RE .PP PAM_USER_UNKNOWN .RS 4 User not known\&. .RE .SH "NOTES" .PP pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&. .PP There is no setuid wrapper for access to the data file such as when the \fBpam_tally2\&.so\fR module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEACCES\fR) the module returns \fBPAM_IGNORE\fR\&. .SH "EXAMPLES" .PP Add the following line to /etc/pam\&.d/login to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the \fBlogin\fR calls \fBpam_setcred\fR(3) correctly\&. .sp .if n \{\ .RS 4 .\} .nf auth required pam_securetty\&.so auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200 auth required pam_env\&.so auth required pam_unix\&.so auth required pam_nologin\&.so account required pam_unix\&.so password required pam_unix\&.so session required pam_limits\&.so session required pam_unix\&.so session required pam_lastlog\&.so nowtmp session optional pam_mail\&.so standard .fi .if n \{\ .RE .\} .SH "FILES" .PP /var/log/tallylog .RS 4 failure count logging file .RE .SH "SEE ALSO" .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), \fBpam\fR(7) .SH "AUTHOR" .PP pam_tally2 was written by Tim Baverstock and Tomas Mraz\&.