What does the message "PAM service(*) ignoring max retries" mean?
Issue
I am getting the following in messages after failed login attempts using pam_tally. What does that mean? What are the best practices in Red Hat Enterprise Linux 5 for using pam_tally?
PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=xxx
PAM service(sshd) ignoring max retries; 4 > 3
Environment
- Red Hat Enterprise Linux 5
- PAM
Diagnostic Steps (internal)
- The PAM configuration file system-auth is the first suspect, because /var/log/secure contains many PAM messages, including pam_tally errors, and the "ignoring max retries" message is logged many times as well.

    sshd[21529]: pam_tally(sshd:account): option deny=3 allowed in auth phase only
    sshd[21529]: pam_tally(sshd:account): unknown option: no_magic_root
    sshd[21529]: pam_tally(sshd:account): unknown option: reset
    sshd[21626]: pam_tally(sshd:auth): unknown option: no_magic_root
    sshd[21626]: pam_tally(sshd:auth): unknown option: reset
    sshd[21685]: pam_tally(sshd:auth): unknown option: no_magic_root
    sshd[21685]: pam_tally(sshd:auth): unknown option: reset
    sshd[3781]: pam_tally(sshd:auth): unknown option: no_magic_root
    sshd[3781]: pam_tally(sshd:auth): unknown option: reset
    ....
    sshd[4195]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx user=admuser
    sshd[4206]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxp user=admuser
    sshd[4206]: PAM service(sshd) ignoring max retries; 4 > 3
    sshd[4239]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxx user=admuser
    ....
- Despite many attempts to reproduce the problem, the message does not appear on a test system with the corrected configuration below and the same environment. In fact, it does not appear no matter which pam_tally options are used.

    auth        required      pam_env.so
    auth        required      pam_tally.so onerr=fail deny=3 magic_root
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     required      pam_tally.so magic_root
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    password    requisite     pam_cracklib.so try_first_pass minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=1 retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=24
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
- To find the root cause, we need to know where the message comes from. The following code is part of the pam sources (the pam_unix module):

    #define UNIX_MAX_RETRIES 3
    ....
        if (retval == PAM_SUCCESS) {
            if (data_name)      /* reset failures */
                pam_set_data(pamh, data_name, NULL, _cleanup_failures);
    ....
    static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err)
    {
        ....
        if (failure->count > UNIX_MAX_RETRIES) {
            pam_syslog(pamh, LOG_ALERT,
                       "service(%s) ignoring max retries; %d > %d",
                       service == NULL ? "**unknown**" : (const char *)service,
                       failure->count, UNIX_MAX_RETRIES);
        }
        ....
UNIX_MAX_RETRIES is a compile-time constant and is always 3. The message is logged by the _cleanup_failures function when the number of failed login attempts recorded for that session exceeds 3. The function is called when the user finally logs in successfully and the failure data is reset. So this log entry is informational, not an error, and it has nothing to do with the pam_tally configuration; the pam_tally messages ("unknown option", "allowed in auth phase only") are the actual configuration problems to fix.
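As an added example (not part of the original article), a small Python triage script that separates the two kinds of messages seen above: real pam_tally configuration errors, which need fixing in system-auth, and the informational "ignoring max retries" alert, which is still worth surfacing because it records a login that succeeded after more than three failures in one sshd process. The log lines, PIDs and addresses are constructed; the correlation assumes the "N more authentication failures" line and the alert come from the same sshd PID, as in the article's sample.

```python
import re

# Constructed sample of /var/log/secure lines (not from the original article);
# PIDs and hosts are made up, message formats follow the lines quoted above.
SAMPLE_LOG = """\
sshd[21529]: pam_tally(sshd:account): option deny=3 allowed in auth phase only
sshd[21529]: pam_tally(sshd:account): unknown option: no_magic_root
sshd[21626]: pam_tally(sshd:auth): unknown option: reset
sshd[4195]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admuser
sshd[4206]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admuser
sshd[4206]: PAM service(sshd) ignoring max retries; 4 > 3
sshd[4239]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
sshd[4239]: PAM service(sshd) ignoring max retries; 7 > 3
"""

# pam_tally complaining about its own options: a configuration defect to fix.
TALLY_RE = re.compile(r"(\w+)\[(\d+)\]: pam_tally\((\w+):(\w+)\): (.*)")
# pam_unix summary written when a session with repeated failures ends.
MORE_RE = re.compile(r"(\w+)\[(\d+)\]: PAM (\d+) more authentication failures?;.* rhost=(\S*) user=(\S*)")
# The informational alert from _cleanup_failures (count > UNIX_MAX_RETRIES).
RETRY_RE = re.compile(r"(\w+)\[(\d+)\]: PAM service\((\w+)\) ignoring max retries; (\d+) > (\d+)")

def triage(log_text):
    """Return pam_tally config errors and logins that succeeded after more
    than UNIX_MAX_RETRIES failures in the same sshd process."""
    config_errors, guessed_logins, sessions = [], [], {}
    for line in log_text.splitlines():
        m = TALLY_RE.match(line)
        if m:
            config_errors.append({"pid": int(m.group(2)), "phase": m.group(4), "msg": m.group(5)})
            continue
        m = MORE_RE.match(line)
        if m:  # remember who was trying, keyed by PID, for the alert that may follow
            sessions[int(m.group(2))] = {"more": int(m.group(3)), "rhost": m.group(4), "user": m.group(5)}
            continue
        m = RETRY_RE.match(line)
        if m:
            pid, total = int(m.group(2)), int(m.group(4))
            who = sessions.get(pid, {})
            guessed_logins.append({
                "pid": pid, "service": m.group(3), "failures": total, "limit": int(m.group(5)),
                "rhost": who.get("rhost"), "user": who.get("user"),
                # "N more" excludes the first failure, so total == N + 1 (3 more / 4 > 3 in the article)
                "consistent": who.get("more") is not None and who["more"] + 1 == total,
            })
    return {"config_errors": config_errors, "guessed_logins": guessed_logins}
```

Run `triage(SAMPLE_LOG)`: the "config_errors" entries point at lines of system-auth to correct, while each "guessed_logins" entry names the account and remote host that got in after repeated failures and deserves a look.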