pam tally and faillog questions

Hi All,

I posted this to the RH PAM list in January; since then I have not seen a SINGLE message to that list, so I must assume it's dead. I am going to re-ask here in the hopes that we have some PAM gurus around.

I was able to get pam_tally.so working, but there are a couple of loose ends I need help tying up.

1) pam.d/xscreensaver - this only calls the AUTH section of system-auth, not the account section, so my pam_tally counts, but because there is no account section to take care of the reset on a good login, xscreensaver will never lock the account. What it will do is create a situation where you lock your ability to log in through SSH/shell etc., as each time you use xscreensaver it ups your tally but never resets it...

My workaround was to just copy the auth section of system-auth to pam.d/xscreensaver, remove the tally stuff and bypass pam_tally altogether for the screensaver. I tried seeing if I could get xscreensaver to use an account required line, but it didn't seem to want to take that.

Is there a better workaround than what I have done? Is there a proper way to get these two to play well together?

2) Is there a way to get pam_tally/faillog to unlock an account after XX mins? I have hacked together a bash script to do this, but I would prefer to use native capabilities if they exist.

3) This is my big problem... I have set tally to deny after X attempts, and it works... kinda. It seems like faillog or something is ignoring the deny= line in my pam account section. When I first do a faillog after turning on the tally I get the normal output; however, it doesn't seem to catch the deny and populate that to the Maximum. So if my deny is set to 4, when I first do a faillog the Maximum is set to 0. I manually do a faillog -m 4 and that fixes the problem for all the current users on the box; however, when users are added to the box their maximum is zero.

Why isn't faillog reading the deny=X from my account required line and setting the maximum based on that?

For new users, is there a login.defs value required to set the maximum on account creation?

For reference, here are the relevant tally lines of my system-auth file. I am running RHEL 3 and FC1.

auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth sufficient /lib/security/$ISA/pam_unix.so likeauth
auth required /lib/security/$ISA/pam_warn.so
auth required /lib/security/$ISA/pam_deny.so



account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so no_magic_root deny=6 reset
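
Added example, not part of the original post: a check for the situation described in question 1, where a service increments the pam_tally counter in its auth stack but has no account stack that resets it. The `xscreensaver` and `sshd` file contents are constructed samples, and the sketch assumes services include system-auth through Red Hat's `pam_stack.so service=` module and use single-word control flags.

```python
# Constructed sample files modelled on the post; not copied from a real system.
SAMPLE = {
    "system-auth": """\
auth     required   /lib/security/$ISA/pam_env.so
auth     required   /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
account  required   /lib/security/$ISA/pam_tally.so no_magic_root deny=6 reset
""",
    # Assumed layout: only an auth line, as the post describes.
    "xscreensaver": "auth required /lib/security/pam_stack.so service=system-auth\n",
    "sshd": """\
auth     required   /lib/security/pam_stack.so service=system-auth
account  required   /lib/security/pam_stack.so service=system-auth
""",
}

def stack(files, service, kind, seen=()):
    """Return (module, args) pairs for one stack type, following pam_stack.so."""
    out = []
    for line in files.get(service, "").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != kind:
            continue
        module, args = fields[2].rsplit("/", 1)[-1], fields[3:]
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target and target not in seen:
            out += stack(files, target, kind, seen + (service,))
        else:
            out.append((module, args))
    return out

def unbalanced_services(files):
    """Services that increment the tally in auth but never reset it in account."""
    flagged = []
    for service in sorted(files):
        counts = any(m == "pam_tally.so" for m, _ in stack(files, service, "auth"))
        resets = any(m == "pam_tally.so" and "reset" in a
                     for m, a in stack(files, service, "account"))
        if counts and not resets:
            flagged.append(service)
    return flagged

if __name__ == "__main__":
    print(unbalanced_services(SAMPLE))
```

On a real host the dictionary would be filled from the files under /etc/pam.d, keyed by file name.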



