
pam_tally entries in /etc/pam.d/system-auth

MikeL_4
Super Advisor


I need to add two lines, at our auditors' suggestion, to several servers in our Red Hat Linux environment.

auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

Do these lines have to be grouped with the other "auth" and "account" lines in the file, or can I just append them to the end of the file?

To append would be a lot easier to do than to figure out the line in the file at which to insert the new lines.

Thanks
4 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: pam_tally entries in /etc/pam.d/system-auth

The most accurate possible answer would be: it depends on your existing configuration.

See: http://www.linux.com/articles/113567

In short, if you have lines beginning with "auth requisite" and/or "account requisite", the ordering will affect which failures are counted and which are not.

Suggestion: learn to use the "diff" and "patch" tools.

For example:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup
# vi /etc/pam.d/system-auth
# cd /
# diff -u /etc/pam.d/system-auth.backup /etc/pam.d/system-auth >/tmp/pam-settings-change.patch

Now copy /tmp/pam-settings-change.patch to another host, and run:
# cd /
# patch -p0 < /tmp/pam-settings-change.patch
...and the "patch" tool will apply the change you made on the first host to the second host.
Repeat with 98 other hosts :-)

MK
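An added example (not from this thread or from either poster) that exercises both points of the reply above: an appended pam_tally "auth" line ends up after an "auth requisite" line, and a diff/patch recorded on one host fails on a host whose system-auth is laid out differently. The two system-auth files are constructed samples; the pam_tally lines are the ones from the question; the add_pam_tally helper, which inserts each line in front of the first existing line of its type instead of appending, is an assumption of this example and not something the thread describes.

```shell
#!/bin/bash
# Added example, not from the thread. Two constructed system-auth samples show
# (1) an appended pam_tally auth line ending up after "auth requisite", and
# (2) a diff/patch recorded on host1 failing on host2, whose stack differs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: a stack with an "auth requisite" line that aborts on failure.
cat > "$WORK/host1.system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF

# Constructed sample 2: a host with LDAP modules and no requisite line.
cat > "$WORK/host2.system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_ldap.so
account     required      pam_unix.so
EOF

# The two lines from the question.
TALLY_AUTH='auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root'
TALLY_ACCT='account     required      /lib/security/pam_tally.so deny=3 no_magic_root reset'

# Hypothetical helper (assumption of this example): put each pam_tally line in
# front of the first existing line of its type, so no "requisite" or
# "sufficient" line of that type can run before it. Idempotent: a file that
# already names pam_tally.so is left alone.
add_pam_tally() {
    file=$1
    grep -q 'pam_tally\.so' "$file" && return 0
    awk -v a="$TALLY_AUTH" -v c="$TALLY_ACCT" '
        $1 == "auth"    && !seen_auth { print a; seen_auth = 1 }
        $1 == "account" && !seen_acct { print c; seen_acct = 1 }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Prints 1 if the pam_tally auth line precedes every "auth requisite" line, else 0.
tally_before_requisite() {
    awk '
        $1 == "auth" && $2 == "requisite" && !tally { bad = 1 }
        $1 == "auth" && $3 ~ /pam_tally\.so/ { tally = 1 }
        END { print bad ? 0 : 1 }
    ' "$1"
}

# Prints the line number of the first line whose first field is $2 in file $1.
first_line_of() {
    awk -v t="$2" '$1 == t { print NR; exit }' "$1"
}

# Prints 1 if change.patch applies cleanly to a copy of file $1, else 0.
patch_applies() {
    cp "$1" "$WORK/target"
    if patch -s -i "$WORK/change.patch" "$WORK/target" </dev/null >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# Naive append on host1: the tally auth line lands after "auth requisite".
cp "$WORK/host1.system-auth" "$WORK/appended"
printf '%s\n%s\n' "$TALLY_AUTH" "$TALLY_ACCT" >> "$WORK/appended"
echo "appended:  tally before requisite = $(tally_before_requisite "$WORK/appended")"

# Insert in front of the stack on host1 and record the change as a patch.
cp "$WORK/host1.system-auth" "$WORK/host1.edited"
add_pam_tally "$WORK/host1.edited"
echo "inserted:  tally before requisite = $(tally_before_requisite "$WORK/host1.edited")"
diff -u "$WORK/host1.system-auth" "$WORK/host1.edited" > "$WORK/change.patch" || true

# The patch applies to a file identical to host1's and fails on host2's.
echo "patch on host1 copy: $(patch_applies "$WORK/host1.system-auth")"
echo "patch on host2:      $(patch_applies "$WORK/host2.system-auth")"
```

The patch records context lines from host1, so it only applies where those lines exist unchanged; add_pam_tally keys on the first field of each line instead, which is why it lands the lines at the same relative position on both samples. It still assumes the column layout shown above, so check the result before copying it to other hosts.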
MikeL_4
Super Advisor

Re: pam_tally entries in /etc/pam.d/system-auth

Tried and received the following error:

[root-(OASIS) ~]# patch -p0 < /tmp/pam-settings-change.patch
patching file /etc/pam.d/system-auth
Hunk #1 FAILED at 4.
1 out of 1 hunk FAILED -- saving rejects to file /etc/pam.d/system-auth.rej
[root-(OASIS) ~]#
Matti_Kurkela
Honored Contributor

Re: pam_tally entries in /etc/pam.d/system-auth

That means the "patch" tool did not find a matching location to add the lines. As there was only one set of changes to apply and that one set failed, the rejects file will essentially be a copy of the pam-settings-change.patch file. No changes were made to /etc/pam.d/system-auth, although the patch tool might have already made a backup with the name /etc/pam.d/system-auth.orig.

The contents of the /etc/pam.d/system-auth file on your first host must be significantly different from the one in the second host. In that case, there is really no reliable way to apply the change automatically.

MK
MikeL_4
Super Advisor

Re: pam_tally entries in /etc/pam.d/system-auth

Thanks