Diffstat (limited to 'modules/pam_tally/README')
-rw-r--r-- | modules/pam_tally/README | 132 |
1 files changed, 0 insertions, 132 deletions
diff --git a/modules/pam_tally/README b/modules/pam_tally/README deleted file mode 100644 index d3bf5354..00000000 --- a/modules/pam_tally/README +++ /dev/null 
@@ -1,132 +0,0 @@ -pam_tally — The login counter (tallying) module - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -This module maintains a count of attempted accesses, can reset count on -success, can deny access if too many attempts fail. - -pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM -module and the latter, a stand-alone program. pam_tally is an (optional) -application which can be used to interrogate and manipulate the counter file. -It can display users' counts, set individual counts, or clear all counts. -Setting artificially high counts may be useful for blocking users without -changing their passwords. For example, one might find it useful to clear all -counts every midnight from a cron job. The faillog(8) command can be used -instead of pam_tally to to maintain the counter file. - -Normally, failed attempts to access root will not cause the root account to -become blocked, to prevent denial-of-service: if your users aren't given shell -accounts and root may only login via su or at the machine console (not telnet/ -rsh, etc), this is safe. - -OPTIONS - -GLOBAL OPTIONS - - This can be used for auth and account services. - - onerr=[fail|succeed] - - If something weird happens (like unable to open the file), return with - PAM_SUCESS if onerr=succeed is given, else with the corresponding PAM - error code. - - file=/path/to/counter - - File where to keep counts. Default is /var/log/faillog. - - audit - - Will log the user name into the system log if the user is not found. - -AUTH OPTIONS - - Authentication phase first checks if user should be denied access and if - not it increments attempted login counter. Then on call to pam_setcred(3) - it resets the attempts counter. - - deny=n - - Deny access if tally for this user exceeds n. - - lock_time=n - - Always deny for n seconds after failed attempt. - - unlock_time=n - - Allow access after n seconds after failed attempt. 
If this option is - used the user will be locked out for the specified amount of time after - he exceeded his maximum allowed attempts. Otherwise the account is - locked until the lock is removed by a manual intervention of the system - administrator. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sys-admin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_lock_time - - Do not use the .fail_locktime field in /var/log/faillog for this user. - - no_reset - - Don't reset count on successful entry, only decrement. - - even_deny_root_account - - Root account can become unavailable. - - per_user - - If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field - for this user then use it instead of deny=n/ lock_time=n parameter. - - no_lock_time - - Don't use .fail_locktime filed in /var/log/faillog for this user. - -ACCOUNT OPTIONS - - Account phase resets attempts counter if the user is not magic root. This - phase can be used optionaly for services which don't call pam_setcred(3) - correctly or if the reset should be done regardless of the failure of the - account phase of other modules. - - magic_root - - If the module is invoked by a user with uid=0 the counter is not - incremented. The sys-admin should use this for user launched services, - like su, otherwise this argument should be omitted. - - no_reset - - Don't reset count on successful entry, only decrement. - -EXAMPLES - -Add the following line to /etc/pam.d/login to lock the account after too many -failed logins. The number of allowed fails is specified by /var/log/faillog and -needs to be set with pam_tally or faillog(8) before. 
- -auth required pam_securetty.so -auth required pam_tally.so per_user -auth required pam_env.so -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_limits.so -session required pam_unix.so -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard - - -AUTHOR - -pam_tally was written by Tim Baverstock and Tomas Mraz. - |
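Review bot: the entire README is deleted and nothing in this diff (diffstat: 1 file changed, 0 insertions, 132 deletions) shows where its content now lives; the removed text documented the option semantics (`deny=n`, `lock_time=n`, `unlock_time=n`, `per_user`, `even_deny_root_account`, `magic_root`), the default that root is not locked to avoid denial-of-service, and the `/etc/pam.d/login` example with `pam_tally.so per_user`. If this documentation has moved to a man page, the commit message should say so; otherwise keep the README or leave a pointer to the replacement so administrators configuring lockout thresholds are not left without a reference.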