The explanation seems to be that pam_tally2 records a failed login when 
login command is started, even before a password is entered. Normally, the 
failed logins counter is reset when the user enters the correct password.

For login this works correctly when the following line is added in pam 
config (common-auth):

auth  required  file=/var/log/tallylog deny=5 even_deny_root 
unlock_time=1200 serialize

However, when using sudo, the counter only gets reset when the following 
line is added to pam configuration (common-account):

account        required

So, the workaround is to add the above line in pam config.

You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Reply via email to