Re: pam tally and faillog questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Apr 16, 2004 at 03:01:23PM -0400, Chris Stankaitis wrote:
> I posted this to the RH PAM list in January, since then I have not seen 
> a SINGLE message to that list so I must assume it's dead. I am going to 
> re-ask here in the hopes that we have some pam guru's around.

You should verify that you're actually subscribed, then.  While it's not
nearly as high-traffic as fedora-list, it is active.  The archives show
12 messages this month, the most recent about an hour ago.

> Is there a better work around then what I have done? is there a proper 
> way to get these two to play well together

The screen saver should probably be calling pam_acct_mgmt(), even if it
"knows" that the user should always be allowed access.

> 2) is there a way to get pam_tally/faillog to unlock an account after XX 
> mins... I have hacked together a bash script to do this but I would 
> prefer to use native capabilities if they exist

The faillog file format supports it, and pam_tally obeys it, but the
tools don't provide a way to set that timeout.  That would make a good
enhancement request.

> 3) This is my big problem... I have set tally to deny after X attempts.. 
> and it works... kinda... it seems like faillog or something is ignoring 
> the deny= line in my pam account section.. when I first do a faillog 
> after turning on the tally I get the normal output however it doesn't 
> seem to catch the deny and populate that to the Maximum... so if my deny 
> is set to 4 when I first do a faillog the Maximum is set to 0,  I 
> manually do a faillog -m 4 and that fixes the problem for all the 
> current users on the box however when users are added to the box their 
> maximum is zero.
> 
> Why isn't faillog reading the deny=X from my account requires line and 
> setting the maximum based on that?

Having a configuration for account management unfortunately doesn't
ensure that an application will make use of it.

> for new users is there a login.defs value required to set the maximum on 
> account creation??

There is not, at least not currently.

Cheers,

Nalin



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux