The account is locked when authenticating. pam_tally2 locks the account when the user authenticates, regardless of whether the login was successful or unsuccessful. The user is unable to authenticate again until the account lock has been cleared.
User IDs were locking / unlocking automatically.
The PAM Tally module is part of all Linux distributions. pam_tally and pam_tally2 are PAM modules that maintain a count, or tally, of access attempts.
pam_tally adds extra security by stopping authentication after a set number of tries and then locking out the account. pam_tally is not required for use with authentication services and can be commented out of the stack. However, if it is used, accounts will need to be managed according to its man page and documentation. Run 'man pam_tally2' from the command line to learn more about it.
Configuration of pam_tally is outside the scope of QAS Technical Support; please refer to the operating system vendor for information on configuration or removal of pam_tally2.so.
If you are going to use pam_tally2, it should be below the pam_vas lines in the auth stanza and above the pam_vas lines in the account stanza of the PAM stack.
E.G.:
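The placement rule above can be checked mechanically. The script below is an added example, not part of the original article or of any vendor tooling; the function names, the pam_vas3.so file name and the sample stacks are constructed for illustration, and it assumes a single flat PAM file.

```shell
# Added example (not from the original article): check the ordering rule above.
# Assumes one flat PAM file; include/substack directives are not followed.
check_tally_order() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments
        if (NF < 3) next                    # not a complete PAM rule
        type = $1; sub(/^-/, "", type)      # "-auth" belongs to the auth stanza
        if (type != "auth" && type != "account") next
        if ($0 ~ /pam_tally2/) {
            if (!(type in first_tally)) first_tally[type] = NR
            last_tally[type] = NR
        } else if ($0 ~ /pam_vas/) {
            if (!(type in first_vas)) first_vas[type] = NR
            last_vas[type] = NR
        }
    }
    END {
        if (("auth" in first_tally) && ("auth" in last_vas) && first_tally["auth"] < last_vas["auth"]) {
            printf "auth: pam_tally2 (line %d) is above pam_vas (line %d)\n", first_tally["auth"], last_vas["auth"]
            bad = 1
        }
        if (("account" in last_tally) && ("account" in first_vas) && last_tally["account"] > first_vas["account"]) {
            printf "account: pam_tally2 (line %d) is below pam_vas (line %d)\n", last_tally["account"], first_vas["account"]
            bad = 1
        }
        exit bad + 0                        # 0 = order matches the rule, 1 = misordered
    }' "$@"
}

# Constructed samples: they show module order only and are not complete stacks.
sample_ordered() {
    cat <<'EOF'
auth     sufficient  pam_vas3.so
auth     required    pam_tally2.so
account  required    pam_tally2.so
account  sufficient  pam_vas3.so
EOF
}
sample_misordered() {
    cat <<'EOF'
auth     required    pam_tally2.so
auth     sufficient  pam_vas3.so
account  sufficient  pam_vas3.so
account  required    pam_tally2.so
EOF
}

[ $# -eq 0 ] || check_tally_order "$1"      # optional: pass a PAM file path to check it
```

Run it with the path of the PAM service file to check; it prints one line per misordered stanza and exits non-zero if any is found.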
To reset a user:
pam_tally2 --user <username> --reset
Show all of the accounts with locks:
pam_tally2
Unlock all accounts with:
pam_tally2 --reset