{ 17 comments… read them below or add one }

1 Atanu Banerjee January 1, 2008 at 11:01 am

How to enable the same setting in SuSE Linux environment?


2 Vasudeva March 3, 2008 at 8:59 pm

lock_time & unlock_time options are not working on redhat 4 (2.6.9-55.0.2.ELsmp). I am getting error message “pam_tally: unknown option; unlock_time=100″ and pam_tally: unknown option; lock_time=120. We have pam version : pam-0.77-66.21. Do this version support lock_time & unlock_time options ?


3 vijay mane March 4, 2008 at 7:58 am

one of the best sites where person like mw can get lot of knowledge


4 kadir January 13, 2013 at 3:54 pm



5 Vasudeva April 11, 2008 at 8:27 pm

Can we exclude PAM modules for certain groups? This is for some particular application group need to disable PAM modules .


6 mjp November 10, 2008 at 11:05 pm

At least for CentOS 5 the only valid options for the account phase are magic_root and no_reset, all other should be in the auth phase


7 lalit December 21, 2009 at 5:51 am

Hi, i tried this to add account locked out policy in rhel 5.0 but this is not working

i go to /etc/pam.d/system-auth file and add both lines in it

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

after that i checked faillog -u lalit (username)
it shows faillog but when tried to check it is lock the account or not it is not working

if u have anyother way then please help me ..


8 barney griggs June 9, 2010 at 10:13 pm

Anyone have any Idea why Centos 5.2 would take every login as a failure when setting up for lockout after X failed attempts?


9 J.C. Denton March 21, 2011 at 11:39 am

* barney griggs, to lock a user out I’d rather use “faillog”: /usr/bin/faillog -u ACCOUNT -m 10 -l 60

* lalit, you should try remove items from the line: account required pam_tally.so deny=3 no_magic_root lock_time=180


10 dinesh kumart April 16, 2011 at 3:14 am

very good


11 krishna June 13, 2011 at 7:36 am

good ……………. :)


12 Arpit Tolani October 13, 2011 at 9:00 am

This contains wrong information, there cannot be deny in Account section of pam_tally.so


13 nigoor April 4, 2012 at 10:34 am

all of the above is not working


14 Stephen May 21, 2012 at 1:51 pm

The following worked for me,

if you’re using pam_tally use
pam_tally –reset –user

If you’re using pam_tally2, which is typical in rhel6 use
pam_tally2 -r -u


15 kadir January 13, 2013 at 3:57 pm

$ vi /etc/pam.d/system-auth
My file doesnt contain mentined lines;

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
#auth sufficient pam_plesk.so try_first_pass
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so try_first_pass retry=3
#password optional pam_plesk.so try_first_pass
password sufficient pam_unix.so try_first_pass use_authtok nullok md5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


16 Hari Avalakonda July 25, 2013 at 2:56 pm

Add below two lines to system-auth file

auth required pam_tally.so per_user deny=5 no_magic_root unlock_time=180
password required pam_cracklib.so try_first_pass retry=5 no_magic_root lock_time=180

The above lines used for account lock for 180 Sec and unlock afgter 180 Sec.

Hari Mani Kandan.A


17 J.C. Denton November 16, 2013 at 11:44 am

Maybe you like this:

denton@tron:~$ ls -slapht /etc/cron.daily/faillog
4,0K -rwxr-xr-x 1 root root 963 14. Nov 2010 /etc/cron.daily/faillog
denton@tron:~$ cat /etc/cron.daily/faillog
+++ +++ +++
# TRON-DELTA.ORG / faillog (ANACRON) / v1.3.02
sAccAll=$(cat /etc/passwd | cut -d”:” -f1)
sAccRem=’root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid dhcp syslog klog hplip avahi-autoipd gdm messagebus avahi polkituser haldaemon ntp statd clamav mysql saned debian-tor privoxy festival’
sCounter=$(wc -l “/etc/passwd” | cut -d ‘ ‘ -f1)
while [ $iCounter -le $sCounter ]
slAccAll=$(echo $sAccAll | cut -d ‘ ‘ -f $iCounter)
slAccRem=$(echo $sAccRem | cut -d ‘ ‘ -f $iCounter)
if [ “$slAccAll” != “$slAccRem” ] && [ “$slAccAll” != “” ] && [ “$slAccRem” = “” ]
/usr/bin/faillog -u $slAccAll -m 10 -l 60
iCounter=`expr $iCounter + 1`
echo “User accounts successfully setup with faillog: $(date)” >> /var/log/cron/security.log
+++ +++ +++
For explaination: That script will execute on a daily basis and set all self-defined accounts with -m 10 -l 60. I wrote it to make sure all accounts of “ordinary” users are configured correctly at all times in way so that no one has to worry about it anymore. There is room for optimization however. :)


Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: