Friday, August 19, 2011

Lock an account in Linux using pam_tally or pam_tally2

The pam_tally PAM module can be used to lock an account after a certain number of failed login attempts. For example, to lock a user after 3 failed login attempts, configure your /etc/pam.d/system-auth file as follows:

auth required pam_tally.so onerr=fail deny=3

(Remember to put this line above the auth required pam_unix.so line.)

account required pam_tally.so reset

Now save the system-auth file and try it with some user. This worked for my RHEL 5.4 system.

But suppose you have an extended requirement: to lock the user for a few seconds or minutes after invalid login attempts, rather than permanently. For that you can use the pam_tally2 PAM module. In the following line, unlock_time is 5 minutes (300 seconds) after the account gets locked for 3 unsuccessful login attempts. Edit the /etc/pam.d/system-auth file as follows:

auth required pam_tally2.so deny=3 unlock_time=300
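The ordering rule above (tally module before pam_unix.so in the auth stack) is easy to get wrong when editing by hand. The following script, an added example that is not from the original post, checks a PAM stack file for that ordering and reports the deny/unlock_time values it carries; the function names and the two sample files it builds are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the pam_tally /
# pam_tally2 "auth" line precedes "auth ... pam_unix.so" in a PAM stack file,
# and extract the deny / unlock_time settings. Needs only sh and awk.

# Returns 0 when the tally auth line comes before pam_unix.so in the auth
# stack, 1 when it is missing or placed after it. Argument: path to PAM file.
check_tally_order() {
    awk '
        $1 == "auth" && $0 ~ /pam_tally2?\.so/ && !tally { tally = NR }
        $1 == "auth" && $0 ~ /pam_unix\.so/    && !unix  { unix  = NR }
        END { if (tally && unix && tally < unix) exit 0; else exit 1 }
    ' "$1"
}

# Prints "deny=<n> unlock_time=<s>" from the first tally auth line.
# unlock_time is reported as 0 when absent (a permanent lock, as with pam_tally).
tally_settings() {
    awk '
        $1 == "auth" && $0 ~ /pam_tally2?\.so/ && !done {
            deny = 0; unlock = 0
            for (i = 4; i <= NF; i++) {          # fields after the module name
                split($i, kv, "=")
                if (kv[1] == "deny")        deny   = kv[2]
                if (kv[1] == "unlock_time") unlock = kv[2]
            }
            printf "deny=%s unlock_time=%s\n", deny, unlock
            done = 1
        }
    ' "$1"
}

# Constructed sample stacks for a stand-alone run (not real /etc/pam.d files).
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
auth required pam_tally2.so deny=3 unlock_time=300
auth required pam_unix.so
EOF
cat > "$BAD" <<'EOF'
auth required pam_unix.so
auth required pam_tally.so onerr=fail deny=3
account required pam_tally.so reset
EOF

for f in "$GOOD" "$BAD"; do
    if check_tally_order "$f"; then
        echo "ordering OK: $(tally_settings "$f")"
    else
        echo "ordering WRONG: pam_unix.so runs before the tally module"
    fi
done
```

Point the functions at /etc/pam.d/system-auth to check a live system.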

To see when the last invalid login attempt occurred for a user, use the following command:

root# pam_tally2 -u <username>

To manually unlock the account, use the following command:

root# pam_tally2 -r -u <username>

For help, try the command man pam_tally2.