Diffstat (limited to 'modules/pam_tally/pam_tally.8')
-rw-r--r-- modules/pam_tally/pam_tally.8 | 256
1 files changed, 0 insertions, 256 deletions
diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8
deleted file mode 100644
index f4d33502..00000000
--- a/modules/pam_tally/pam_tally.8
+++ /dev/null
@@ -1,256 +0,0 @@
-'\" t
-.\" Title: pam_tally
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/08/2020
-.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
-.\" Language: English
-.\"
-.TH "PAM_TALLY" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-pam_tally \- The login counter (tallying) module
-.SH "SYNOPSIS"
-.HP \w'\fBpam_tally\&.so\fR\ 'u
-\fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info]
-.HP \w'\fBpam_tally\fR\ 'u
-\fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet]
-.SH "DESCRIPTION"
-.PP
-This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&.
-.PP
-pam_tally has several limitations, which are solved with pam_tally2\&. For this reason pam_tally is deprecated and will be removed in a future release\&.
-.PP
-pam_tally comes in two parts:
-\fBpam_tally\&.so\fR
-and
-\fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&.
-\fBpam_tally\fR
-is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The
-\fBfaillog\fR(8)
-command can be used instead of pam_tally to to maintain the counter file\&.
-.PP
-Normally, failed attempts to access
-\fIroot\fR
-will
-\fBnot\fR
-cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via
-\fBsu\fR
-or at the machine console (not telnet/rsh, etc), this is safe\&.
-.SH "OPTIONS"
-.PP
-GLOBAL OPTIONS
-.RS 4
-This can be used for
-\fIauth\fR
-and
-\fIaccount\fR
-module types\&.
-.PP
-\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR
-.RS 4
-If something weird happens (like unable to open the file), return with
-\fBPAM_SUCCESS\fR
-if
-\fBonerr=\fR\fB\fIsucceed\fR\fR
-is given, else with the corresponding PAM error code\&.
-.RE
-.PP
-\fBfile=\fR\fB\fI/path/to/counter\fR\fR
-.RS 4
-File where to keep counts\&. Default is
-/var/log/faillog\&.
-.RE
-.PP
-\fBaudit\fR
-.RS 4
-Will log the user name into the system log if the user is not found\&.
-.RE
-.PP
-\fBsilent\fR
-.RS 4
-Don\*(Aqt print informative messages\&. The messages printed without the
-\fIsilent\fR
-option leak presence of accounts on the system because they are not printed for non\-existing accounts\&.
-.RE
-.PP
-\fBno_log_info\fR
-.RS 4
-Don\*(Aqt log informative messages via
-\fBsyslog\fR(3)\&.
-.RE
-.RE
-.PP
-AUTH OPTIONS
-.RS 4
-Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to
-\fBpam_setcred\fR(3)
-it resets the attempts counter\&.
-.PP
-\fBdeny=\fR\fB\fIn\fR\fR
-.RS 4
-Deny access if tally for this user exceeds
-\fIn\fR\&.
-.RE
-.PP
-\fBlock_time=\fR\fB\fIn\fR\fR
-.RS 4
-Always deny for
-\fIn\fR
-seconds after failed attempt\&.
-.RE
-.PP
-\fBunlock_time=\fR\fB\fIn\fR\fR
-.RS 4
-Allow access after
-\fIn\fR
-seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&.
-.RE
-.PP
-\fBmagic_root\fR
-.RS 4
-If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like
-\fBsu\fR, otherwise this argument should be omitted\&.
-.RE
-.PP
-\fBno_lock_time\fR
-.RS 4
-Do not use the \&.fail_locktime field in
-/var/log/faillog
-for this user\&.
-.RE
-.PP
-\fBno_reset\fR
-.RS 4
-Don\*(Aqt reset count on successful entry, only decrement\&.
-.RE
-.PP
-\fBeven_deny_root_account\fR
-.RS 4
-Root account can become unavailable\&.
-.RE
-.PP
-\fBper_user\fR
-.RS 4
-If
-/var/log/faillog
-contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of
-\fBdeny=\fR\fB\fIn\fR\fR/
-\fBlock_time=\fR\fB\fIn\fR\fR
-parameter\&.
-.RE
-.PP
-\fBno_lock_time\fR
-.RS 4
-Don\*(Aqt use \&.fail_locktime filed in
-/var/log/faillog
-for this user\&.
-.RE
-.RE
-.PP
-ACCOUNT OPTIONS
-.RS 4
-Account phase resets attempts counter if the user is
-\fBnot\fR
-magic root\&. This phase can be used optionally for services which don\*(Aqt call
-\fBpam_setcred\fR(3)
-correctly or if the reset should be done regardless of the failure of the account phase of other modules\&.
-.PP
-\fBmagic_root\fR
-.RS 4
-If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like
-\fBsu\fR, otherwise this argument should be omitted\&.
-.RE
-.PP
-\fBno_reset\fR
-.RS 4
-Don\*(Aqt reset count on successful entry, only decrement\&.
-.RE
-.RE
-.SH "MODULE TYPES PROVIDED"
-.PP
-The
-\fBauth\fR
-and
-\fBaccount\fR
-module types are provided\&.
-.SH "RETURN VALUES"
-.PP
-PAM_AUTH_ERR
-.RS 4
-A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&.
-.RE
-.PP
-PAM_SUCCESS
-.RS 4
-Everything was successful\&.
-.RE
-.PP
-PAM_USER_UNKNOWN
-.RS 4
-User not known\&.
-.RE
-.SH "EXAMPLES"
-.PP
-Add the following line to
-/etc/pam\&.d/login
-to lock the account after too many failed logins\&. The number of allowed fails is specified by
-/var/log/faillog
-and needs to be set with pam_tally or
-\fBfaillog\fR(8)
-before\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth required pam_securetty\&.so
-auth required pam_tally\&.so per_user
-auth required pam_env\&.so
-auth required pam_unix\&.so
-auth required pam_nologin\&.so
-account required pam_unix\&.so
-password required pam_unix\&.so
-session required pam_limits\&.so
-session required pam_unix\&.so
-session required pam_lastlog\&.so nowtmp
-session optional pam_mail\&.so standard
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "FILES"
-.PP
-/var/log/faillog
-.RS 4
-failure logging file
-.RE
-.SH "SEE ALSO"
-.PP
-\fBfaillog\fR(8),
-\fBpam.conf\fR(5),
-\fBpam.d\fR(5),
-\fBpam\fR(8)
-.SH "AUTHOR"
-.PP
-pam_tally was written by Tim Baverstock and Tomas Mraz\&.
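Review bot: The DESCRIPTION being deleted only says pam_tally "is deprecated and will be removed in a future release" and names pam_tally2, so once this page is gone an administrator whose stack still matches the EXAMPLES block (`auth required pam_tally.so per_user` in /etc/pam.d/login) has no pointer left in this file to what should replace it. Suggest pairing the removal with a NEWS or release-note entry that names the replacement, tells admins to edit any PAM stack that still lists pam_tally.so before upgrading, and says what becomes of existing counts in /var/log/faillog. The header shows this page is generated by DocBook XSL and this view is limited to pam_tally.8, so also confirm the XML source and the build entries are dropped in the same change so the page is not regenerated.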