SUMMARY:

  pam_tally: Maintains a count of attempted accesses, can reset the count on
  success, and can deny access if too many attempts fail.

Options (both module types):

  * onerr=[succeed|fail]
      If something weird happens, such as being unable to open the file,
      what to do?
  * file=/where/to/keep/counts
      Default /var/log/faillog.

(auth)

  * no_magic_root
      Root DOES increment the counter. Use for daemon-based stuff, like
      telnet/rsh/login.

(account)

  * deny=n
      Deny access if the tally for this user exceeds n. The presence of
      deny=n changes the default for reset/no_reset to reset, unless the
      user trying to gain access is root and the no_magic_root option has
      NOT been specified.
  * no_magic_root
      Access attempts by root DON'T ignore deny. Use this for daemon-based
      stuff, like telnet/rsh/login.
  * even_deny_root_account
      Root can become unavailable. BEWARE. Note that magic root trying to
      gain root bypasses this, but normal users can be locked out.
  * reset
      Reset the count to 0 on successful entry, even for magic root.
  * no_reset
      Don't reset the count on successful entry. This is the default unless
      deny exists and the user attempting access is NOT magic root.

The module also checks that the tally file is a plain file and is not
world writable.

Eg: In pam.conf:

  # This line counts logins, successful or failed
  login  auth     required  /lib/security/pam_tally.so no_magic_root
  # This line fails logins if the count is too high, but permits logins
  # and resets the counter again if the count wasn't too high. This line is
  # not useful without the auth line. (I've been told this should be
  # 'requisite' not 'required', but 'required' works for me.)
  login  account  required  /lib/security/pam_tally.so deny=3 no_magic_root

As root (I keep faillog world-readable so users can check their status,
but it could be chmod 600):

  # touch /var/log/faillog
  # chmod 644 /var/log/faillog

Note that running `make' should produce pam_tally.so and an application:

  pam_tally: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]

  --file     denotes which file is the faillog file
  --user     nominates a user to handle. May not be a numeric id, just now.
  --reset    resets --user if nominated (or all users) to 0
  --reset=n  resets --user (all is unavailable) to n
  --quiet    quite quiet. :)

- Tim Baverstock v0.1 5 March 1997

BUGS:

  pam_counter is very dependent on getpw*(): a database of usernames would
  be much more flexible.

  The (Redhat) utilities seem to do funny things with uid, and I'm not
  wholly sure I understood what I should have been doing anyway, so the
  `keep a count of current logins' bit has been #ifdef'd out, and you can
  only reset the counter on successful authentication, for now.
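The interaction between the two pam.conf lines above (the auth line counting every attempt, the account line applying deny=n and the reset/no_reset default, and magic root being exempt unless no_magic_root is given) is easy to misjudge when choosing a deny value. The following C program is an added illustration written for this README; it is not the pam_tally source, and the struct and function names (tally_opts, tally_auth, tally_account, tally_login, tally_file_ok) are invented here. It models the option semantics as the README states them and reproduces the "plain file, not world writable" check on the tally file, so the lockout threshold can be stepped through offline.

```c
/*
 * Constructed model of the tally rules described in the pam_tally README:
 * deny=n, no_magic_root and the reset/no_reset default, plus the sanity
 * check on the faillog file. Added illustration only; not the module's
 * source, and even_deny_root_account is left out of the model.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

struct tally_opts {
    int deny;           /* deny=n; 0 means the option was not given */
    int no_magic_root;  /* root's attempts are counted and subject to deny */
    int reset;          /* 1 = reset, 0 = no_reset, -1 = neither given */
};

/* "Magic root" is uid 0 when no_magic_root has NOT been specified. */
static int is_magic_root(uid_t uid, const struct tally_opts *o)
{
    return uid == 0 && !o->no_magic_root;
}

/* auth line: every attempt, successful or failed, bumps the tally,
 * except for magic root. */
int tally_auth(uid_t uid, int count, const struct tally_opts *o)
{
    return is_magic_root(uid, o) ? count : count + 1;
}

/*
 * account line: deny if the tally exceeds n (magic root bypasses deny),
 * otherwise permit and apply the reset rule. Returns 0 = permit, 1 = deny.
 */
int tally_account(uid_t uid, int *count, const struct tally_opts *o)
{
    int magic = is_magic_root(uid, o);
    int do_reset = o->reset;

    /* Default is no_reset, unless deny= is present and the user is not magic root. */
    if (do_reset < 0)
        do_reset = (o->deny > 0 && !magic) ? 1 : 0;

    if (o->deny > 0 && !magic && *count > o->deny)
        return 1;

    if (do_reset)
        *count = 0;    /* an explicit "reset" resets even for magic root */
    return 0;
}

/*
 * One login attempt through both pam.conf lines. The account line only runs
 * when the rest of the auth stack (the password check, modelled as a flag)
 * succeeded, so a wrong password leaves the tally raised.
 */
int tally_login(uid_t uid, int *count, int password_ok, const struct tally_opts *o)
{
    *count = tally_auth(uid, *count, o);
    if (!password_ok)
        return 1;
    return tally_account(uid, count, o);
}

/* The faillog sanity check: a plain file that is not world writable. */
int tally_file_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & S_IWOTH)
        return 0;
    return 1;
}

int main(void)
{
    /* The README's example: deny=3 no_magic_root, reset default left alone. */
    struct tally_opts o = { .deny = 3, .no_magic_root = 1, .reset = -1 };
    int count = 0, i;

    for (i = 0; i < 3; i++)
        tally_login(1000, &count, 0, &o);          /* three wrong passwords */
    printf("tally after 3 failures: %d\n", count);
    printf("4th attempt with the right password: %s\n",
           tally_login(1000, &count, 1, &o) ? "denied" : "permitted");
    printf("/var/log/faillog passes the file check: %d\n",
           tally_file_ok("/var/log/faillog"));
    return 0;
}
```

Build with `cc -o tally_model tally_model.c` and run it. With deny=3 the fourth attempt is refused even with the correct password, because the auth line has already raised the tally to 4 before the account line compares it against 3; two failures followed by a success leaves the tally at 3, which does not exceed 3, so the login is permitted and the counter reset to 0.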