pam_tally2 counts a good password as a failed login attempt if "ChallengeResponseAuthentication yes" is set in the /etc/ssh/sshd_config file.
Issue
The pam_tally2.so module does not work correctly with ssh. pam_tally2 is configured to lock out a user account after 3 failed login attempts, as below:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
The ChallengeResponseAuthentication option is also enabled in the /etc/ssh/sshd_config file:
ChallengeResponseAuthentication yes
Logging in 3 times as a test user with a valid password succeeds, but pam_tally2 counts each login as a failed login attempt.
On the 4th login attempt the user is unable to log in, because the account is locked once the maximum number of failed logins is reached.
[root@test ~]# ssh localuser1@host.example.com
Your account is locked. Maximum amount of failed attempts was reached.
Password:
Environment
- Red Hat Enterprise Linux 5.4
- openssh-server-4.3p2-26.el5
- pam-0.99.6.2-6.el5_4.1
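A check for the combination described in the Issue section, as an added example that is not part of the original article and not Red Hat's code. It reads an sshd_config and a PAM service file, both passed as paths (which PAM file carries the pam_tally2 line is an assumption), and reports when ChallengeResponseAuthentication is explicitly "yes" while an auth-phase pam_tally2.so line sets deny=. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the sshd + pam_tally2 combination from the article.

# Effective ChallengeResponseAuthentication value. sshd keywords are
# case-insensitive and the first occurrence wins; "unset" means the
# compiled-in default applies. Match blocks are not evaluated.
sshd_challenge_response() {
    awk '{ line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
         tolower(f[1]) == "challengeresponseauthentication" {
             print tolower(f[2]); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# deny= value of the first auth-phase pam_tally2.so line; empty if none.
# "include" lines are not followed.
pam_tally2_deny() {
    awk '$1 == "auth" && /pam_tally2\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^deny=/) { print substr($i, 6); exit }
         }' "$1"
}

# Usage: check_lockout_combo SSHD_CONFIG PAM_FILE
# Returns 1 when both conditions from the article are present.
check_lockout_combo() {
    cra=$(sshd_challenge_response "$1")
    deny=$(pam_tally2_deny "$2")
    if [ "$cra" = "yes" ] && [ -n "$deny" ]; then
        echo "MATCH: ChallengeResponseAuthentication yes + pam_tally2 deny=$deny"
        return 1
    fi
    echo "no match: ChallengeResponseAuthentication=$cra pam_tally2 deny=${deny:-none}"
}

# Constructed sample files mirroring the two settings quoted in the article.
demo=$(mktemp -d)
printf '%s\n' '#ChallengeResponseAuthentication no' \
    'challengeresponseauthentication yes' \
    'ChallengeResponseAuthentication no' > "$demo/sshd_config"
printf '%s\n' '#%PAM-1.0' \
    'auth required pam_tally2.so deny=3 onerr=fail unlock_time=300' \
    'auth include system-auth' > "$demo/pam_sshd"
check_lockout_combo "$demo/sshd_config" "$demo/pam_sshd" || true
```

On a live system, pass the real sshd_config and each PAM file in the sshd stack in turn, since included files are not followed.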
