1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
SUMMARY:
pam_tally:
Maintains a count of attempted accesses, can reset count on success,
can deny access if too many attempts fail.
Options:
* onerr=[succeed|fail] (if something weird happens
such as unable to open the file, what to do?)
* file=/where/to/keep/counts (default /var/log/faillog)
(auth)
Authentication phase increments attempted login counter.
* no_magic_root (root DOES increment counter. Use for
daemon-based stuff, like telnet/rsh/login)
(account)
Account phase can deny access and/or reset attempts counter.
* deny=n (deny access if tally for this user exceeds n;
The presence of deny=n changes the default for
reset/no_reset to reset, unless the user trying to
gain access is root and the no_magic_root option
has NOT been specified.)
* no_magic_root (access attempts by root DON'T ignore deny.
Use this for daemon-based stuff, like telnet/rsh/login)
* even_deny_root_account (Root can become unavailable. BEWARE.
Note that magic root trying to gain root bypasses this,
but normal users can be locked out.)
* reset (reset count to 0 on successful entry, even for
magic root)
* no_reset (don't reset count on successful entry)
This is the default unless deny exists and the
user attempting access is NOT magic root.
* per_user (If /var/log/faillog contains a non-zero
.fail_max field for this user then use it
instead of deny=n parameter)
* no_lock_time (Don't use .fail_locktime filed in
/var/log/faillog for this user)
Also checks to make sure that the counts file is a plain
file and not world writable.
- Tim Baverstock <warwick@sable.demon.co.uk>, v0.1 5 March 1997
LONGER:
pam_tally comes in two parts: pam_tally.so and pam_tally.
pam_tally.so sits in a pam config file, in the auth and account sections.
In the auth section, it increments a per-uid counter for each attempted
login, in the account section, it denies access if attempted logins
exceed some threashold and/or resets that counter to zero on successful
login.
Root is treated specially:
1. When a process already running as root tries to access some service, the
access is `magic', and bypasses pam_tally's checks: handy for `su'ing from
root into an account otherwise blocked. However, for services like telnet or
login which always effectively run from the root account, root (ie everyone)
shouldn't be granted this magic status, and the flag `no_magic_root' should
be set in this situation, as noted in the summary above. [This option may
be obsolete, with `sufficient root' processing.]
2. Normally, failed attempts to access root will NOT cause the root
account to become blocked, to prevent denial-of-service: if your users aren't
given shell accounts and root may only login via `su' or at the machine
console (not telnet/rsh, etc), this is safe. If you really want root to be
blocked for some given service, use even_deny_root_account.
pam_tally is an (optional) application which can be used to interrogate and
manipulate the counter file. It can display users' counts, set individual
counts, or clear all counts. Setting artificially high counts may be useful
for blocking users without changing their passwords. I found it useful to
clear all counts every midnight from a cron..
The counts file is organised as a binary-word array, indexed by uid. You
can probably make sense of it with `od', if you don't want to use the
supplied appliction.
BUGS:
pam_tally is very dependant on getpw*(): a database of usernames
would be much more flexible.
The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
not wholly sure I understood what I should have been doing anyway so
the `keep a count of current logins' bit has been #ifdef'd out and you
can only reset the counter on successful authentication, for now.
|
