Package: libpam-modules
Version: 1.3.1-5
Severity: normal
Dear maintainers,
quite some time, quite some Debian releases ago, I found during a Linux
training I held that faillog would not display anything anymore, while
lastlog still does.
Finally I took time to research this a bit. I learned quickly that
pam_tally is required for it to work. However it is not enabled by
default in Debian, `grep tally /etc/pam.d/*' does not return any results.
I digged on the internet I found Red Hat apparently removed it during
RHEL 5 development already. I digged in libpam-modules Debian changelog
and NEWS file and found nothing about 'faillog' or pam_tally.
However in the manpage 'pam_tally(8)' I found:
pam_tally has several limitations, which are solved with
pam_tally2. For this reason pam_tally is deprecated and will be
removed in a future release.
'pam_tally2' is included in Debian, yet also not enabled. And its file
format is not compatible with 'faillog', as manpage 'pam_tally2(8)' states:
pam_tally2 is not compatible with the old pam_tally faillog
file format. This is caused by requirement of compatibility of
the tallylog file format between 32bit and 64bit architectures
on multiarch systems.
So by default the Debian system contains a command that does not work out
of the box. And experienced user can dig up how to enable pam_tally, yet
this situation is still somehow inconsistent.
pam_tally2 has a command 'pam_tally2', but pam_tally2 by default is also
not enabled.
However there is 'lastb' command which displays the last failed login
attempt for each user. I am going to use that for the training for now
and mention that faillog is dysfunctional unless pam_tally is enabled,
which is deprecated.
Not sure what the best resolution for Debian would be. Maybe just a note
in NEWS.Debian or… something else?
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.8.0-rc2-tp520 (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled
Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.74
ii libaudit1 1:2.8.5-3+b1
ii libc6 2.30-8
ii libdb5.3 5.3.28+dfsg1-0.6
ii libpam-modules-bin 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux13.0-1+b3
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- debconf-show failed