summaryrefslogtreecommitdiffstats
path: root/modules/pam_tally2/README
blob: a3fd30e74a41039a8a7c0867cc722bbb7ba55e3e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
pam_tally2 — The login counter (tallying) module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

This module maintains a count of attempted accesses, can reset count on
success, can deny access if too many attempts fail.

pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the
PAM module and the latter, a stand-alone program. pam_tally2 is an (optional)
application which can be used to interrogate and manipulate the counter file.
It can display user counts, set individual counts, or clear all counts. Setting
artificially high counts may be useful for blocking users without changing
their passwords. For example, one might find it useful to clear all counts
every midnight from a cron job.

Normally, failed attempts to access root will not cause the root account to
become blocked, to prevent denial-of-service: if your users aren't given shell
accounts and root may only login via su or at the machine console (not telnet/
rsh, etc), this is safe.

OPTIONS

GLOBAL OPTIONS

    This can be used for auth and account module types.

    onerr=[fail|succeed]

        If something weird happens (like unable to open the file), return with 
        PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
        error code.

    file=/path/to/counter

        File where to keep counts. Default is /var/log/tallylog.

    audit

        Will log the user name into the system log if the user is not found.

    silent

        Don't print informative messages. The messages printed without the 
        silent option leak presence of accounts on the system because they are
        not printed for non-existing accounts.

    no_log_info

        Don't log informative messages via syslog(3).

    debug

        Always log tally count when it is incremented as a debug level message
        to the system log.

AUTH OPTIONS

    Authentication phase first increments attempted login counter and checks if
    user should be denied access. If the user is authenticated and the login
    process continues on call to pam_setcred(3) it resets the attempts counter.

    deny=n

        Deny access if tally for this user exceeds n.

    lock_time=n

        Always deny for n seconds after failed attempt.

    unlock_time=n

        Allow access after n seconds after failed attempt. If this option is
        used the user will be locked out for the specified amount of time after
        he exceeded his maximum allowed attempts. Otherwise the account is
        locked until the lock is removed by a manual intervention of the system
        administrator.

    magic_root

        If the module is invoked by a user with uid=0 the counter is not
        incremented. The sysadmin should use this for user launched services,
        like su, otherwise this argument should be omitted.

    even_deny_root

        Root account can become unavailable.

    root_unlock_time=n

        This option implies even_deny_root option. Allow access after n seconds
        to root account after failed attempt. If this option is used the root
        user will be locked out for the specified amount of time after he
        exceeded his maximum allowed attempts.

    serialize

        Serialize access to the tally file using locks. This option might be
        used only for non-multithreaded services because it depends on the
        fcntl locking of the tally file. Also it is a good idea to use this
        option only in such configurations where the time between auth phase
        and account or setcred phase is not dependent on the authenticating
        client. Otherwise the authenticating client will be able to prevent
        simultaneous authentications by the same user by simply artificially
        prolonging the time the file record lock is held.

ACCOUNT OPTIONS

    Account phase resets attempts counter if the user is not magic root. This
    phase can be used optionally for services which don't call pam_setcred(3)
    correctly or if the reset should be done regardless of the failure of the
    account phase of other modules.

    magic_root

        If the module is invoked by a user with uid=0 the counter is not
        changed. The sysadmin should use this for user launched services, like 
        su, otherwise this argument should be omitted.

NOTES

pam_tally2 is not compatible with the old pam_tally faillog file format. This
is caused by requirement of compatibility of the tallylog file format between
32bit and 64bit architectures on multiarch systems.

There is no setuid wrapper for access to the data file such as when the 
pam_tally2.so module is called from xscreensaver. As this would make it
impossible to share PAM configuration with such services the following
workaround is used: If the data file cannot be opened because of insufficient
permissions (EACCES) the module returns PAM_IGNORE.

EXAMPLES

Add the following line to /etc/pam.d/login to lock the account after 4 failed
logins. Root account will be locked as well. The accounts will be automatically
unlocked after 20 minutes. The module does not have to be called in the account
phase because the login calls pam_setcred(3) correctly.

auth     required       pam_securetty.so
auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard


AUTHOR

pam_tally2 was written by Tim Baverstock and Tomas Mraz.