pam_tally2(8) - Linux manual page (2024)


PAM_TALLY2(8) Linux-PAM Manual PAM_TALLY2(8)

NAME

 pam_tally2 - The login counter (tallying) module

SYNOPSIS

 pam_tally2.so [file=/path/to/counter] [onerr=[fail|succeed]] [magic_root] [even_deny_root] [deny=n] [lock_time=n] [unlock_time=n] [root_unlock_time=n] [serialize] [audit] [silent] [no_log_info] [debug]

 pam_tally2 [--file /path/to/counter] [--user username] [--reset[=n]] [--quiet]

DESCRIPTION

 This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.

 pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the PAM module and the latter a stand-alone program. pam_tally2 is an (optional) application which can be used to interrogate and manipulate the counter file. It can display user counts, set individual counts, or clear all counts. Setting artificially high counts may be useful for blocking users without changing their passwords. For example, one might find it useful to clear all counts every midnight from a cron job.

 Normally, failed attempts to access root will not cause the root account to become blocked, to prevent denial-of-service: if your users aren't given shell accounts and root may only login via su or at the machine console (not telnet/rsh, etc), this is safe.

OPTIONS

 GLOBAL OPTIONS
     These can be used for the auth and account module types.

     onerr=[fail|succeed]
         If something weird happens (like being unable to open the file), return PAM_SUCCESS if onerr=succeed is given, else the corresponding PAM error code.

     file=/path/to/counter
         File where to keep counts. Default is /var/log/tallylog.

     audit
         Will log the user name into the system log if the user is not found.

     silent
         Don't print informative messages.

     no_log_info
         Don't log informative messages via syslog(3).

     debug
         Always log the tally count when it is incremented, as a debug level message to the system log.

 AUTH OPTIONS
     The authentication phase first increments the attempted login counter and then checks whether the user should be denied access. If the user is authenticated and the login process continues with a call to pam_setcred(3), it resets the attempts counter.

     deny=n
         Deny access if the tally for this user exceeds n.

     lock_time=n
         Always deny for n seconds after a failed attempt.

     unlock_time=n
         Allow access n seconds after a failed attempt. If this option is used the user will be locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account is locked until the lock is removed by manual intervention of the system administrator.

     magic_root
         If the module is invoked by a user with uid=0 the counter is not incremented. The sysadmin should use this for user-launched services, like su; otherwise this argument should be omitted.

     even_deny_root
         The root account can become unavailable.

     root_unlock_time=n
         This option implies the even_deny_root option. Allow access to the root account n seconds after a failed attempt. If this option is used the root user will be locked out for the specified amount of time after exceeding the maximum allowed attempts.

     serialize
         Serialize access to the tally file using locks. This option may be used only for non-multithreaded services because it depends on fcntl locking of the tally file. It is also a good idea to use this option only in configurations where the time between the auth phase and the account or setcred phase is not dependent on the authenticating client. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user simply by artificially prolonging the time the file record lock is held.

 ACCOUNT OPTIONS
     The account phase resets the attempts counter if the user is not magic root. This phase can be used optionally for services which don't call pam_setcred(3) correctly, or if the reset should be done regardless of the failure of the account phase of other modules.

     magic_root
         If the module is invoked by a user with uid=0 the counter is not changed. The sysadmin should use this for user-launched services, like su; otherwise this argument should be omitted.

MODULE TYPES PROVIDED

 The auth and account module types are provided.

RETURN VALUES

 PAM_AUTH_ERR
     An invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or there were too many failed logins.

 PAM_SUCCESS
     Everything was successful.

 PAM_USER_UNKNOWN
     User not known.

NOTES

 pam_tally2 is not compatible with the old pam_tally faillog file format. This is caused by the requirement that the tallylog file format be compatible between 32-bit and 64-bit architectures on multiarch systems.

 There is no setuid wrapper for access to the data file, such as when the pam_tally2.so module is called from xscreensaver. As this would make it impossible to share PAM configuration with such services, the following workaround is used: if the data file cannot be opened because of insufficient permissions (EACCES), the module returns PAM_IGNORE.

EXAMPLES

 Add the following lines to /etc/pam.d/login to lock the account after 4 failed logins. The root account will be locked as well. The accounts will be automatically unlocked after 20 minutes. The module does not have to be called in the account phase because login calls pam_setcred(3) correctly.

     auth     required  pam_securetty.so
     auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
     auth     required  pam_env.so
     auth     required  pam_unix.so
     auth     required  pam_nologin.so
     account  required  pam_unix.so
     password required  pam_unix.so
     session  required  pam_limits.so
     session  required  pam_unix.so
     session  required  pam_lastlog.so nowtmp
     session  optional  pam_mail.so standard
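The following shell script is an added example; it is not part of the Linux-PAM project or of this manual page. It serves both the OPTIONS section and the EXAMPLES section: it reads a pam.d stack (constructed inline here from the example above; in practice you would point it at /etc/pam.d/login), locates the auth line that loads pam_tally2.so, and reports the lockout policy those options configure as the OPTIONS section documents them: the deny= threshold, whether unlock_time= is set (otherwise the lock persists until an administrator runs pam_tally2 --user username --reset), whether root can be locked out, and whether onerr=succeed makes the module fail open. The function names and the wording of the findings are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Linux-PAM project: read a pam.d stack,
# find the auth line that loads pam_tally2.so and describe the lockout policy
# its options configure, following the OPTIONS section of pam_tally2(8).
# The stack below is constructed for this example and mirrors the EXAMPLES
# section; in practice you would point the functions at /etc/pam.d/login.

PAM_LOGIN_EXAMPLE='auth     required  pam_securetty.so
auth     required  pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required  pam_env.so
auth     required  pam_unix.so
auth     required  pam_nologin.so
account  required  pam_unix.so
password required  pam_unix.so
session  required  pam_limits.so
session  required  pam_unix.so'

CFG_FILE=$(mktemp)
trap 'rm -f "$CFG_FILE"' EXIT
printf '%s\n' "$PAM_LOGIN_EXAMPLE" > "$CFG_FILE"

# Print the arguments of the first auth line loading pam_tally2.so, one per
# line (empty output when there is no such line). Globbing is disabled in the
# subshell so the tokens are split on whitespace only.
tally2_auth_args() {
    _l=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep 'pam_tally2\.so' | head -n 1)
    ( set -f; for _t in $_l; do printf '%s\n' "$_t"; done )
}

# tally2_option FILE NAME -> the value of NAME=value on that line, or "unset".
tally2_option() {
    _v=$(tally2_auth_args "$1" | grep "^$2=" | head -n 1 | cut -d= -f2-)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'unset\n'; fi
}

# tally2_has_flag FILE NAME -> success when the bare flag NAME is present.
tally2_has_flag() {
    tally2_auth_args "$1" | grep -qx "$2"
}

# tally2_audit FILE -> one finding per line; exit status 1 when no auth line
# loads pam_tally2.so at all (nothing would be tallied).
tally2_audit() {
    if [ -z "$(tally2_auth_args "$1")" ]; then
        echo "no auth line loads pam_tally2.so: failed logins are not tallied"
        return 1
    fi
    _deny=$(tally2_option "$1" deny)
    _unlock=$(tally2_option "$1" unlock_time)
    _lock=$(tally2_option "$1" lock_time)
    _root_unlock=$(tally2_option "$1" root_unlock_time)
    _file=$(tally2_option "$1" file)
    _onerr=$(tally2_option "$1" onerr)

    [ "$_file" = unset ] && _file=/var/log/tallylog   # documented default
    echo "counter file: $_file"

    if [ "$_deny" = unset ]; then
        echo "deny= not set: attempts are counted but no denial threshold is configured"
    else
        echo "access denied once the tally exceeds $_deny (deny=$_deny)"
    fi
    if [ "$_unlock" = unset ]; then
        echo "unlock_time= not set: a locked account stays locked until an administrator runs 'pam_tally2 --user NAME --reset'"
    else
        echo "automatic unlock $_unlock seconds after the last failed attempt"
    fi
    [ "$_lock" != unset ] && echo "lock_time=$_lock: every failed attempt denies access for $_lock seconds"

    # root_unlock_time implies even_deny_root, so either one exposes root.
    if tally2_has_flag "$1" even_deny_root || [ "$_root_unlock" != unset ]; then
        if [ "$_root_unlock" = unset ]; then
            echo "root can be locked out (even_deny_root) and no root_unlock_time= is set"
        else
            echo "root can be locked out; root unlocks $_root_unlock seconds after the last failed attempt"
        fi
    else
        echo "root is exempt from lockout (default)"
    fi
    [ "$_onerr" = succeed ] && echo "onerr=succeed: an error such as an unopenable counter file returns PAM_SUCCESS (fails open)"
    tally2_has_flag "$1" serialize && echo "serialize: fcntl locking on the tally file; only for non-multithreaded services"
    return 0
}

tally2_audit "$CFG_FILE"
```

Run against the real /etc/pam.d/login the same functions report the policy actually in force; the manual-reset finding refers to the pam_tally2 --user username --reset form given in the SYNOPSIS, and a stack without any pam_tally2.so auth line makes tally2_audit exit non-zero so the script can gate a configuration check.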

FILES

 /var/log/tallylog
     failure count logging file

SEE ALSO

 pam.conf(5), pam.d(5), pam(8)

AUTHOR

 pam_tally2 was written by Tim Baverstock and Tomas Mraz.

COLOPHON

 This page is part of the linux-pam (Pluggable Authentication Modules for Linux) project. Information about the project can be found at ⟨http://www.linux-pam.org/⟩. If you have a bug report for this manual page, see ⟨//www.linux-pam.org/⟩. This page was obtained from the tarball Linux-PAM-1.3.0.tar.bz2 fetched from ⟨http://www.linux-pam.org/library/⟩ on 2021-08-27. If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which is not part of the original manual page), send a mail to man-pages@man7.org

Linux-PAM Manual 04/01/2016 PAM_TALLY2(8)

HTML rendering created 2021-08-27 by Michael Kerrisk, author of The Linux Programming Interface, maintainer of the Linux man-pages project.


FAQs

What can I use instead of pam_tally2 since it is unavailable in RHEL 8?

The pam_tally2 command is not found on RHEL 8 because pam_tally2 is deprecated there and replaced by the faillock command. This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail. pam_tally2 comes in two parts: pam_tally2.so and pam_tally2.

What replaced pam_tally2?

pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead.

What is pam_tally2 in Linux?

pam_tally2 is an (optional) application which can be used to interrogate and manipulate the counter file.

How do I access manual pages in Linux?

Type `man` followed by the command name to find its manual page. For example, `man mkdir` will show you the manual page for the `mkdir` command. Using the `-k` option: want to search for keywords across all manual pages? Use `man -k` followed by your keyword(s).

How to downgrade kernel version in RHEL 8?

To downgrade the kernel in RHEL8, you need to follow specific steps. During the update process, some packages for the old kernel might have been removed. Confirm that the following necessary packages with the same version as the old kernel are installed on the system using rpm -q <package_name>.

How to check last failed login attempts in Linux?

The basic command to list all SSH failed login attempts is `# grep "Failed password" /var/log/auth.log`. The same can be achieved with the cat command: `# cat /var/log/auth.log | grep "Failed password"`.

What is the faillock command in Linux?

The command faillock manages the pam_faillock module, which handles user login attempts and locking on many distributions. This is deliberately indistinguishable from an incorrect password to prevent an attacker from discerning what accounts exist on the system.

What is pam_faillock.so?

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration).

How do I check if a user account is locked in Linux?

The passwd command can be used to list the users that are locked on your system. To list locked user accounts, use the -S option to display the status of each account, and then filter for accounts whose status is "L" (locked).

How do I resolve errors in Linux?

You can use the fsck tool which is used in ubuntu in order to fix different types of errors that we get in the linux filesystems such as ubuntu, you can run the fsck tool via terminal or by rebooting your system and entering the GNU menu by pressing shift button.

What is the maximum number of SSH authentication attempts?

By default, the maximum number of authentication attempts for SSH users is 3. You can set this limit to prevent malicious hacking of usernames and passwords. This configuration takes effect only for the users at next login.

How to install manual pages in Linux?

To install a man page for a command, copy the corresponding man page file into one of the /usr/local/share/man/man1 or /usr/share/man/man1 directories. If the man page is for a function in a program library, the directory must instead be /usr/local/share/man/man3 or /usr/share/man/man3.

What are manual pages in Linux called?

A man page (short for manual page) is a form of software documentation usually found on a Unix or Unix-like operating system. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.

What command displays manual pages?

The man command converts the HTML file into a formatted text file to fit on the display, and displays the manual page using the command described by the PAGER environment variable.
