Score:1

pam_tally2 locking everyone out after configuring common-auth file on Ubuntu 20.04

A R

I am trying to configure user lockout after 3 unsuccessful attempts. I found instructions on the internet but I always end up with the same problem: after modifying /etc/pam.d/common-auth to include the user lockout settings, EVERYTHING gets locked out for good and the only way to fix this is to plug the drive containing Ubuntu into another Linux machine, open the file and remove the pam_tally2 config.

These are the settings I'm using:

```
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    [default=bad success=ok]        pam_tally2.so  deny=3 unlock_time=1200
```

Can somebody help, please?

hr flag
I have no direct experience to offer, but I *think* you also need to add a line to the `common-account` file in order to decrement the tally on success - see for example [Why does this PAM code prevent all logins to a Debian system?](https://unix.stackexchange.com/a/562703/65304)
A R
Alright, I put the pam_tally2.so line (the second one in my original post) and it worked, but only if 'unlock_time=1200' is kept. If I remove it (to make this an indefinite lockout) everybody, even admins, gets locked out.
Score:0
A R

steeldriver was right! For future reference:

  1. Put the following line in /etc/pam.d/common-auth:

```
auth required pam_tally2.so deny=3 unlock_time=1200
```

Note: it has to be placed FIRST, right before `auth [success=1 default=ignore] pam_unix.so nullok`

  2. Put the following line in /etc/pam.d/common-account:

```
account required pam_tally2.so
```

This should be done in order to avoid getting locked out of the entire system (all users, even root!) for good.
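A check for the two points in the answer above (pam_tally2 ahead of pam_unix in the auth stack, and a matching account line), plus the `unlock_time` behaviour mentioned in the comments. This is an added example, not code from the original posts; the function names and the sample common-account content are assumptions made for illustration.

```python
import re

def pam_entries(text, mod_type):
    """Return (module, options) pairs for one PAM type, in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Fields: type, control (word or [bracketed list]), module, options
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1).lstrip("-") == mod_type:
            entries.append((m.group(3), m.group(4).split()))
    return entries

def check_tally2(common_auth, common_account):
    """List the lockout pitfalls from this thread found in the two files."""
    problems = []
    auth = pam_entries(common_auth, "auth")
    names = [name for name, _ in auth]
    if "pam_tally2.so" not in names:
        return problems  # lockout not configured, nothing to check
    t = names.index("pam_tally2.so")
    if "pam_unix.so" in names and t > names.index("pam_unix.so"):
        problems.append("auth: pam_tally2.so is after pam_unix.so")
    if not any(opt.startswith("unlock_time=") for opt in auth[t][1]):
        problems.append("auth: no unlock_time, lock lasts until manual reset")
    account = [name for name, _ in pam_entries(common_account, "account")]
    if "pam_tally2.so" not in account:
        problems.append("account: pam_tally2.so line missing")
    return problems

# The two auth lines from the question, in the order posted.
QUESTION_AUTH = """\
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    [default=bad success=ok]        pam_tally2.so  deny=3 unlock_time=1200
"""
# Constructed sample: a common-account file with no pam_tally2 line.
SAMPLE_ACCOUNT = "account required pam_unix.so\n"
# The layout from the answer.
ANSWER_AUTH = """\
auth required pam_tally2.so deny=3 unlock_time=1200
auth [success=1 default=ignore] pam_unix.so nullok
"""
ANSWER_ACCOUNT = SAMPLE_ACCOUNT + "account required pam_tally2.so\n"

if __name__ == "__main__":
    for label, a, c in (("question", QUESTION_AUTH, SAMPLE_ACCOUNT),
                        ("answer", ANSWER_AUTH, ANSWER_ACCOUNT)):
        print(label, check_tally2(a, c) or "ok")
```

On a real system, pass in the contents of /etc/pam.d/common-auth and /etc/pam.d/common-account after editing, and keep a root shell open until a fresh login has been tested.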
