pam_tally2 counts a good password as a failed login attempt if "ChallengeResponseAuthentication yes" is set in the /etc/ssh/sshd_config file.

Solution Verified - Updated -

Issue

The pam_tally2.so module does not work correctly with ssh. pam_tally2 is configured to lock out a user account after 3 failed login attempts, as below:

auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300  

The ChallengeResponseAuthentication option is also enabled in the /etc/ssh/sshd_config file:

     ChallengeResponseAuthentication yes

Now try to log in 3 times as a test user with a valid password. The user is able to log in; however, pam_tally2 counts each login as a failed login attempt.

On the 4th login attempt the user is unable to log in, because the account is locked once the maximum number of failed logins is reached.

[root@test ~]# ssh localuser1@host.example.com

Your account is locked. Maximum amount of failed attempts was reached.
Password: 

Environment

  • Red Hat Enterprise Linux 5.4
  • openssh-server-4.3p2-26.el5
  • pam-0.99.6.2-6.el5_4.1
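
A configuration check for the combination described above, as an added example that is not part of the original article and is not Red Hat code. The PAM file path is an argument because the article does not say which file holds the pam_tally2 line; the function names and sample files are constructed for illustration, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example, not Red Hat code. Usage: check_tally_ssh SSHD_CONFIG PAM_FILE

# Effective ChallengeResponseAuthentication value: sshd keeps the first value
# it reads for a keyword, and keyword names are case-insensitive.
sshd_challenge_response() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "challengeresponseauthentication" {
             print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# deny= value of the first active pam_tally2 auth line; "none" if the module
# is present without deny=, empty output if it is not in the auth stack.
pam_tally2_deny() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && /pam_tally2\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^deny=[0-9]+$/) { print substr($i, 6); exit }
             print "none"; exit }' "$1"
}

# Exit status 0 when both settings from the article are present together.
check_tally_ssh() {
    cra=$(sshd_challenge_response "$1")
    deny=$(pam_tally2_deny "$2")
    case "$cra:$deny" in
        yes:[0-9]*) echo "MATCH: ChallengeResponseAuthentication yes, pam_tally2 deny=$deny"; return 0 ;;
        *) echo "no match: ChallengeResponseAuthentication=$cra, pam_tally2 deny=${deny:-absent}"; return 1 ;;
    esac
}

# Constructed sample files (not taken from a real host).
make_samples() {
    printf '%s\n' '#ChallengeResponseAuthentication no' \
        'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$1/sshd_config"
    printf '%s\n' 'ChallengeResponseAuthentication no' > "$1/sshd_config.off"
    printf '%s\n' '#%PAM-1.0' \
        'auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300' \
        'auth        include       system-auth' > "$1/pam_sshd"
}

samples=$(mktemp -d)
make_samples "$samples"
check_tally_ssh "$samples/sshd_config" "$samples/pam_sshd" || true
check_tally_ssh "$samples/sshd_config.off" "$samples/pam_sshd" || true
```

On a host, pass /etc/ssh/sshd_config and the PAM service file that contains the pam_tally2 line.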
