My notes show that I needed

    auth     required  pam_tally.so onerr=fail no_magic_root
    account  required  pam_tally.so deny=3 reset no_magic_root

But that was on sles8. Haven't tried it on later since we're using different authentication now. I would expect it would still work. I do remember it not supporting uid > 64k. Don't know if you need to do that.

Marcy

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Collinson.Shannon
Sent: Friday, January 29, 2010 10:41 AM
To: LINUX-390@vm.marist.edu
Subject: [LINUX-390] weird problem with pam_tally in SLES10SP2

I'm new to supporting linux, being a mainframe z/OS sysprog, so this may just be a user error and I sincerely hope someone can say "Duh!" once I explain this...

We're trying to build Linux-on-zSeries SLES10SP2 guests as close as possible to the same level of Linux guests on Intel servers. As part of this, I'm including the following line in our /etc/pam.d/common_auth file:

    auth required pam_tally.so onerr=fail deny=10

That's the only change we make to the pam modules. As I understand it, that should block a user's access once they reach 10 unsuccessful login attempts. Well, the problem is that every login attempt is marked unsuccessful even if the user had no trouble logging in, if they do so via ssh (actually with a putty client). That same user gets a successful login when they try logging in directly from the (VM) console. So what I've done is created a linux server that's only really good for 10 accesses - after that, the user can no longer get in till someone hops on at the console with root and resets their failed-login count!

I added debug to pam_env.so and pam_unix2.so modules to get a little more info, but it all looks good to me. Here's the faillog display after I've reset the user:

    Login       Failures Maximum Latest                   On
    lxinst          0        0   01/29/10 13:34:39 -0500  cnu83757xg.

Then I try to log in and get the following messages in /var/log/messages:

    Jan 29 13:38:26 lxd1100 sshd[2335]: pam_unix2(sshd:auth): pam_sm_authenticate() called
    Jan 29 13:38:26 lxd1100 sshd[2335]: pam_unix2(sshd:auth): username=[lxinst]
    Jan 29 13:38:27 lxd1100 sshd[2335]: pam_unix2(sshd:auth): pam_sm_authenticate: PAM_SUCCESS
    Jan 29 13:38:27 lxd1100 sshd[2333]: Accepted keyboard-interactive/pam for lxinst from 10.48.100.90 port 2458 ssh2
    Jan 29 13:38:27 lxd1100 sshd[2336]: pam_unix2(sshd:setcred): pam_sm_setcred() called
    Jan 29 13:38:27 lxd1100 sshd[2336]: pam_unix2(sshd:setcred): username=[lxinst]
    Jan 29 13:38:27 lxd1100 sshd[2336]: pam_unix2(sshd:setcred): pam_sm_setcred: PAM_SUCCESS

And here's the faillog display:

    Login       Failures Maximum Latest                   On
    lxinst          1        0   01/29/10 13:38:26 -0500  cnu83757xg.

Any idea where I've screwed up, or where/how I can look for the real failure?

Thanks!

Shannon Collinson
Systems Programmer, Mainframe Operating Systems
SunTrust Banks, Inc.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
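
The two configurations in this thread differ in which PAM phases reference pam_tally.so: the question's stack has it only under auth, while the reply's notes list an account entry as well. The check below is an added example, not from either poster; the function names, finding texts and sample stacks are constructed, and it assumes the service's auth and account files have been concatenated into one text.

```python
import re

# Constructed sample stacks. AUTH_ONLY mirrors the question's single
# pam_tally line; AUTH_AND_ACCOUNT follows the shape of the reply's notes.
AUTH_ONLY = """\
auth     required  pam_env.so
auth     required  pam_tally.so onerr=fail deny=10
auth     required  pam_unix2.so
account  required  pam_unix2.so
"""
AUTH_AND_ACCOUNT = """\
auth     required  pam_tally.so onerr=fail no_magic_root
auth     required  pam_unix2.so
account  required  pam_tally.so deny=3 reset no_magic_root
account  required  pam_unix2.so
"""

# type, control (plain word or [bracketed] form), module path, arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Yield (type, module, args) for each PAM rule line in text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        m = RULE.match(line)                  # @include lines do not match
        if m:
            ptype, _control, path, args = m.groups()
            yield ptype.lower(), path.rsplit("/", 1)[-1], args.split()

def tally_findings(text, module="pam_tally.so"):
    """Return findings about which phases reference `module`."""
    phases = {}
    for ptype, mod, args in parse_stack(text):
        if mod == module:
            phases.setdefault(ptype, []).extend(args)
    findings = []
    if "auth" in phases and "account" not in phases:
        findings.append("auth entry without account entry")
    if "account" in phases and "auth" not in phases:
        findings.append("account entry without auth entry")
    all_args = [a for args in phases.values() for a in args]
    if phases and not any(a.startswith("deny=") for a in all_args):
        findings.append("no deny= threshold")
    return findings

if __name__ == "__main__":
    for name, stack in (("auth only", AUTH_ONLY), ("auth+account", AUTH_AND_ACCOUNT)):
        print(name, "->", tally_findings(stack) or "ok")
```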