The explanation seems to be that pam_tally2 records a failed login when 
login command is started, even before a password is entered. Normally, the 
failed logins counter is reset when the user enters the correct password.

For login this works correctly when the following line is added in pam 
config (common-auth):

auth  required  pam_tally2.so  file=/var/log/tallylog deny=5 even_deny_root 
unlock_time=1200 serialize

However, when using sudo, the counter only gets reset when the following 
line is added to pam configuration (common-account):

account        required        pam_tally2.so

So, the workaround is to add the above line in pam config.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ebd73833-aa88-41ab-93aa-530957a9c85a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to