SUMMARY:
  pam_tally:

    Maintains a count of attempted accesses, can reset count on success,
        can deny access if too many attempts fail.

    Options:

        * onerr=[succeed|fail] (if something weird happens
            such as unable to open the file, what to do?)
        * file=/where/to/keep/counts (default /var/log/faillog)

    (auth)
        * no_magic_root (root DOES increment counter. Use for
            daemon-based stuff, like telnet/rsh/login)

    (account)
        * deny=n (deny access if tally for this user exceeds n;
            The presence of deny=n changes the default for
            reset/no_reset to reset, unless the user trying to
            gain access is root and the no_magic_root option
            has NOT been specified.)

        * no_magic_root (access attempts by root DON'T ignore deny.
            Use this for daemon-based stuff, like telnet/rsh/login)
        * even_deny_root_account (Root can become unavailable. BEWARE.
            Note that magic root trying to gain root bypasses this,
            but normal users can be locked out.)

        * reset (reset count to 0 on successful entry, even for
            magic root)
        * no_reset (don't reset count on successful entry)
            This is the default unless deny exists and the
            user attempting access is NOT magic root.

    Also checks to make sure that the list file is a plain
    file and not world writable.

    - Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
        v0.1 5 March 1997

BUGS:

pam_tally is very dependent on getpw*(): a database of usernames
would be much more flexible.

The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
not wholly sure I understood what I should have been doing anyway so
the `keep a count of current logins' bit has been #ifdef'd out and you
can only reset the counter on successful authentication, for now.
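
The SUMMARY says the module checks that the counts file is a plain file and not world writable. The following is an added example of that kind of check in C; it is not pam_tally's own code, and the names open_tally_file and demo_check_mode are hypothetical. It inspects the opened descriptor rather than the path, so the file that was checked is the file that gets used.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not taken from pam_tally.
 * Returns an open descriptor if `path` is a regular file that is not
 * world writable; returns -1 for anything else (missing file, symlink,
 * directory, FIFO, device, or a mode with the o+w bit set). */
int open_tally_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink at the final path component;
     * O_NONBLOCK avoids hanging if the path turns out to be a FIFO. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() describes the file we actually opened, so it cannot be
     * swapped between the check and the later read/write. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & S_IWOTH)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo input: a temp file forced to `mode`.
 * Returns 1 if the file is accepted, 0 if rejected, -2 on setup error. */
int demo_check_mode(mode_t mode)
{
    char path[] = "/tmp/tallydemoXXXXXX";
    int fd = mkstemp(path), checked;
    if (fd < 0)
        return -2;
    fchmod(fd, mode);          /* fchmod is not affected by the umask */
    close(fd);
    checked = open_tally_file(path);
    if (checked >= 0)
        close(checked);
    unlink(path);
    return checked >= 0;
}

int main(void)
{
    printf("0600 -> %d, 0666 -> %d\n", demo_check_mode(0600), demo_check_mode(0666));
    return 0;
}
```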