.\" Title: pam_tally .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.74.0 .\" Date: 10/27/2010 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" .TH "PAM_TALLY" "8" "10/27/2010" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * (re)Define some macros .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" toupper - uppercase a string (locale-aware) .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de toupper .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ \\$* .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SH-xref - format a cross-reference to an SH section .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de SH-xref .ie n \{\ .\} .toupper \\$* .el \{\ \\$* .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SH - level-one heading that works better for non-TTY output .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de1 SH .\" put an extra blank line of space above the head in non-TTY output .if t \{\ .sp 1 .\} .sp \\n[PD]u .nr an-level 1 .set-an-margin .nr an-prevailing-indent \\n[IN] .fi .in \\n[an-margin]u .ti 0 .HTML-TAG ".NH \\n[an-level]" .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 \." make the size of the head bigger .ps +3 .ft B .ne (2v + 1u) .ie n \{\ .\" if n (TTY output), use uppercase .toupper \\$* .\} .el \{\ .nr an-break-flag 0 .\" if not n (not TTY), use normal case (not uppercase) \\$1 .in \\n[an-margin]u .ti 0 .\" if not n (not TTY), put a border/line under subheading .sp -.6 \l'\n(.lu' .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SS - level-two heading that works better for non-TTY output .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de1 SS .sp \\n[PD]u .nr an-level 1 .set-an-margin .nr an-prevailing-indent \\n[IN] .fi .in \\n[IN]u .ti \\n[SN]u .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .ps \\n[PS-SS]u \." make the size of the head bigger .ps +2 .ft B .ne (2v + 1u) .if \\n[.$] \&\\$* .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" BB/BE - put background/screen (filled box) around block of text .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de BB .if t \{\ .sp -.5 .br .in +2n .ll -2n .gcolor red .di BX .\} .. .de EB .if t \{\ .if "\\$2"adjust-for-leading-newline" \{\ .sp -1 .\} .br .di .in .ll .gcolor .nr BW \\n(.lu-\\n(.i .nr BH \\n(dn+.5v .ne \\n(BHu+.5v .ie "\\$2"adjust-for-leading-newline" \{\ \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] .\} .el \{\ \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] .\} .in 0 .sp -.5v .nf .BX .in .sp .5v .fi .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" BM/EM - put colored marker in margin next to block of text .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de BM .if t \{\ .br .ll -2n .gcolor red .di BX .\} .. .de EM .if t \{\ .br .di .ll .gcolor .nr BH \\n(dn .ne \\n(BHu \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] .in 0 .nf .BX .in .fi .\} .. .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "Name" pam_tally \- The login counter (tallying) module .SH "Synopsis" .fam C .HP \w'\fBpam_tally\&.so\fR\ 'u \fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info] .fam .fam C .HP \w'\fBpam_tally\fR\ 'u \fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] .fam .SH "DESCRIPTION" .PP This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. .PP pam_tally has several limitations, which are solved with pam_tally2\&. For this reason pam_tally is deprecated and will be removed in a future release\&. .PP pam_tally comes in two parts: \fBpam_tally\&.so\fR and \fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. \fBpam_tally\fR is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The \fBfaillog\fR(8) command can be used instead of pam_tally to to maintain the counter file\&. .PP Normally, failed attempts to access \fIroot\fR will \fBnot\fR cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via \fBsu\fR or at the machine console (not telnet/rsh, etc), this is safe\&. .SH "OPTIONS" .PP GLOBAL OPTIONS .RS 4 This can be used for \fIauth\fR and \fIaccount\fR module types\&. .PP \fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR .RS 4 If something weird happens (like unable to open the file), return with \fBPAM_SUCCESS\fR if \fBonerr=\fR\fB\fIsucceed\fR\fR is given, else with the corresponding PAM error code\&. .RE .PP \fBfile=\fR\fB\fI/path/to/counter\fR\fR .RS 4 File where to keep counts\&. Default is \FC/var/log/faillog\F[]\&. .RE .PP \fBaudit\fR .RS 4 Will log the user name into the system log if the user is not found\&. .RE .PP \fBsilent\fR .RS 4 Don\'t print informative messages\&. .RE .PP \fBno_log_info\fR .RS 4 Don\'t log informative messages via \fBsyslog\fR(3)\&. .RE .RE .PP AUTH OPTIONS .RS 4 Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to \fBpam_setcred\fR(3) it resets the attempts counter\&. .PP \fBdeny=\fR\fB\fIn\fR\fR .RS 4 Deny access if tally for this user exceeds \fIn\fR\&. .RE .PP \fBlock_time=\fR\fB\fIn\fR\fR .RS 4 Always deny for \fIn\fR seconds after failed attempt\&. .RE .PP \fBunlock_time=\fR\fB\fIn\fR\fR .RS 4 Allow access after \fIn\fR seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. .RE .PP \fBmagic_root\fR .RS 4 If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like \fBsu\fR, otherwise this argument should be omitted\&. .RE .PP \fBno_lock_time\fR .RS 4 Do not use the \&.fail_locktime field in \FC/var/log/faillog\F[] for this user\&. .RE .PP \fBno_reset\fR .RS 4 Don\'t reset count on successful entry, only decrement\&. .RE .PP \fBeven_deny_root_account\fR .RS 4 Root account can become unavailable\&. .RE .PP \fBper_user\fR .RS 4 If \FC/var/log/faillog\F[] contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of \fBdeny=\fR\fB\fIn\fR\fR/ \fBlock_time=\fR\fB\fIn\fR\fR parameter\&. .RE .PP \fBno_lock_time\fR .RS 4 Don\'t use \&.fail_locktime filed in \FC/var/log/faillog\F[] for this user\&. .RE .RE .PP ACCOUNT OPTIONS .RS 4 Account phase resets attempts counter if the user is \fBnot\fR magic root\&. This phase can be used optionally for services which don\'t call \fBpam_setcred\fR(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. .PP \fBmagic_root\fR .RS 4 If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like \fBsu\fR, otherwise this argument should be omitted\&. .RE .PP \fBno_reset\fR .RS 4 Don\'t reset count on successful entry, only decrement\&. .RE .RE .SH "MODULE TYPES PROVIDED" .PP The \fBauth\fR and \fBaccount\fR module types are provided\&. .SH "RETURN VALUES" .PP PAM_AUTH_ERR .RS 4 A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. .RE .PP PAM_SUCCESS .RS 4 Everything was successful\&. .RE .PP PAM_USER_UNKNOWN .RS 4 User not known\&. .RE .SH "EXAMPLES" .PP Add the following line to \FC/etc/pam\&.d/login\F[] to lock the account after too many failed logins\&. The number of allowed fails is specified by \FC/var/log/faillog\F[] and needs to be set with pam_tally or \fBfaillog\fR(8) before\&. .sp .if n \{\ .RS 4 .\} .fam C .ps -1 .nf .if t \{\ .sp -1 .\} .BB lightgray adjust-for-leading-newline .sp -1 auth required pam_securetty\&.so auth required pam_tally\&.so per_user auth required pam_env\&.so auth required pam_unix\&.so auth required pam_nologin\&.so account required pam_unix\&.so password required pam_unix\&.so session required pam_limits\&.so session required pam_unix\&.so session required pam_lastlog\&.so nowtmp session optional pam_mail\&.so standard .EB lightgray adjust-for-leading-newline .if t \{\ .sp 1 .\} .fi .fam .ps +1 .if n \{\ .RE .\} .SH "FILES" .PP \FC/var/log/faillog\F[] .RS 4 failure logging file .RE .SH "SEE ALSO" .PP \fBfaillog\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), \fBpam\fR(8) .SH "AUTHOR" .PP pam_tally was written by Tim Baverstock and Tomas Mraz\&.