Why did I get two failed logins for every failed attempt?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5.5

Issue

  • When a user enters a bad password, two failed attempts are recorded. Also, when changing a password, the user is prompted twice (the new password must be entered 4 times in total). Here is an example for user temp.

$ su - temp
Password:
su: incorrect password

# faillog
Login       Failures Maximum Latest                   On
temp            2        0   02/07/11 09:05:41 -0800  pts/0

# passwd temp
Changing password for user temp.
New UNIX password:
Retype new UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Resolution

Modify the auth and password sections of the /etc/pam.d/system-auth-ac file as follows.

auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=4 unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

password    required      pam_cracklib.so minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=4
password    required      pam_deny.so

Root Cause

There were two entries each for pam_tally.so and pam_unix.so, which caused this issue. Here is the /etc/pam.d/system-auth-ac file from the affected system.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=4 unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so    deny=4

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally.so

password    required      pam_cracklib.so minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    required      pam_unix.so md5 remember=4 use_authok
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Diagnostic Steps

Get /etc/pam.d/system-auth-ac from the affected machine.
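
One way to check the collected file for the condition described under Root Cause, as an added example that is not part of the original article: the function counts how often each module appears within each stack type and prints the repeats. The names pam_duplicates and sample_config are this example's own, and the embedded sample is constructed from lines of the Root Cause file.

```shell
#!/bin/sh
# Added example (not from the original article): report PAM modules that are
# listed more than once within the same stack of a PAM configuration file.

# pam_duplicates [FILE]: print "<type> <module> <count>" per repeated module.
# Reads standard input when FILE is omitted.
pam_duplicates() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and blank lines
        {
            i = 2
            if ($i ~ /^\[/)                 # [success=1 default=ignore] spans fields
                while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1)
            if (mod == "") next
            sub(/^.*\//, "", mod)           # strip a directory prefix from the module
            count[$1 " " mod]++
        }
        END {
            for (k in count)
                if (count[k] > 1) print k, count[k]
        }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample: auth, password and session lines copied from the
# Root Cause file in this article.
sample_config() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=4 unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally.so    deny=4
password    required      pam_cracklib.so minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    required      pam_unix.so md5 remember=4 use_authok
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
}

sample_config | pam_duplicates
```

On the affected machine, run it as pam_duplicates /etc/pam.d/system-auth-ac. A repeated module is a prompt to review that stack rather than proof of a fault, since the corrected configuration above also lists pam_cracklib.so twice.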

  • Component
  • pam

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
