SUMMARY:
pam_tally:
Maintains a count of attempted accesses, can reset count on success,
can deny access if too many attempts fail.
Options:
* onerr=[succeed|fail] (if something weird happens
such as unable to open the file, what to do?)
* file=/where/to/keep/counts (default /var/log/faillog)
(auth)
* no_magic_root (root DOES increment counter. Use for
daemon-based stuff, like telnet/rsh/login)
(account)
* deny=n (deny access if tally for this user exceeds n;
The presence of deny=n changes the default for
reset/no_reset to reset, unless the user trying to
gain access is root and the no_magic_root option
has NOT been specified.)
* no_magic_root (access attempts by root DON'T ignore deny.
Use this for daemon-based stuff, like telnet/rsh/login)
* even_deny_root_account (Root can become unavailable. BEWARE.
Note that magic root trying to gain root bypasses this,
but normal users can be locked out.)
* reset (reset count to 0 on successful entry, even for
magic root)
* no_reset (don't reset count on successful entry)
This is the default unless deny exists and the
user attempting access is NOT magic root.
Also checks to make sure that the list file is a plain
file and not world writable.
- Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
v0.1 5 March 1997
BUGS:
pam_tally is very dependant on getpw*(): a database of usernames
would be much more flexible.
The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
not wholly sure I understood what I should have been doing anyway so
the `keep a count of current logins' bit has been #ifdef'd out and you
can only reset the counter on successful authentication, for now.
