summaryrefslogtreecommitdiff
path: root/modules/pam_tally/README
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_tally/README')
-rw-r--r--modules/pam_tally/README132
1 files changed, 0 insertions, 132 deletions
diff --git a/modules/pam_tally/README b/modules/pam_tally/README
deleted file mode 100644
index d3bf5354..00000000
--- a/modules/pam_tally/README
+++ /dev/null
@@ -1,132 +0,0 @@
-pam_tally — The login counter (tallying) module
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-DESCRIPTION
-
-This module maintains a count of attempted accesses, can reset count on
-success, can deny access if too many attempts fail.
-
-pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM
-module and the latter, a stand-alone program. pam_tally is an (optional)
-application which can be used to interrogate and manipulate the counter file.
-It can display users' counts, set individual counts, or clear all counts.
-Setting artificially high counts may be useful for blocking users without
-changing their passwords. For example, one might find it useful to clear all
-counts every midnight from a cron job. The faillog(8) command can be used
-instead of pam_tally to to maintain the counter file.
-
-Normally, failed attempts to access root will not cause the root account to
-become blocked, to prevent denial-of-service: if your users aren't given shell
-accounts and root may only login via su or at the machine console (not telnet/
-rsh, etc), this is safe.
-
-OPTIONS
-
-GLOBAL OPTIONS
-
- This can be used for auth and account services.
-
- onerr=[fail|succeed]
-
- If something weird happens (like unable to open the file), return with
- PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM
- error code.
-
- file=/path/to/counter
-
- File where to keep counts. Default is /var/log/faillog.
-
- audit
-
- Will log the user name into the system log if the user is not found.
-
-AUTH OPTIONS
-
- Authentication phase first checks if user should be denied access and if
- not it increments attempted login counter. Then on call to pam_setcred(3)
- it resets the attempts counter.
-
- deny=n
-
- Deny access if tally for this user exceeds n.
-
- lock_time=n
-
- Always deny for n seconds after failed attempt.
-
- unlock_time=n
-
- Allow access after n seconds after failed attempt. If this option is
- used the user will be locked out for the specified amount of time after
- he exceeded his maximum allowed attempts. Otherwise the account is
- locked until the lock is removed by a manual intervention of the system
- administrator.
-
- magic_root
-
- If the module is invoked by a user with uid=0 the counter is not
- incremented. The sys-admin should use this for user launched services,
- like su, otherwise this argument should be omitted.
-
- no_lock_time
-
- Do not use the .fail_locktime field in /var/log/faillog for this user.
-
- no_reset
-
- Don't reset count on successful entry, only decrement.
-
- even_deny_root_account
-
- Root account can become unavailable.
-
- per_user
-
- If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field
- for this user then use it instead of deny=n/ lock_time=n parameter.
-
- no_lock_time
-
- Don't use .fail_locktime filed in /var/log/faillog for this user.
-
-ACCOUNT OPTIONS
-
- Account phase resets attempts counter if the user is not magic root. This
- phase can be used optionaly for services which don't call pam_setcred(3)
- correctly or if the reset should be done regardless of the failure of the
- account phase of other modules.
-
- magic_root
-
- If the module is invoked by a user with uid=0 the counter is not
- incremented. The sys-admin should use this for user launched services,
- like su, otherwise this argument should be omitted.
-
- no_reset
-
- Don't reset count on successful entry, only decrement.
-
-EXAMPLES
-
-Add the following line to /etc/pam.d/login to lock the account after too many
-failed logins. The number of allowed fails is specified by /var/log/faillog and
-needs to be set with pam_tally or faillog(8) before.
-
-auth required pam_securetty.so
-auth required pam_tally.so per_user
-auth required pam_env.so
-auth required pam_unix.so
-auth required pam_nologin.so
-account required pam_unix.so
-password required pam_unix.so
-session required pam_limits.so
-session required pam_unix.so
-session required pam_lastlog.so nowtmp
-session optional pam_mail.so standard
-
-
-AUTHOR
-
-pam_tally was written by Tim Baverstock and Tomas Mraz.
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-24 11:02:20 +0000