Re: pam_tally2 with sshd

[Nicholas Geovanis <nickgeovanis@gmail.com>]

Thanks. My failure was putting the pam_tally2 module *after* the "@include common-auth" instead of before it. The only working example I have at hand is a RedHat 5.10 system where pam_tally (not pam_tally2) follows the whole "system-auth" stack, rather than precedes it. Thanks again.....Nick

On Tue, Feb 23, 2016 at 3:26 PM, Reco <recoverym4n@gmail.com> wrote:

        Hi.

On Tue, 23 Feb 2016 14:52:59 -0600
Nicholas Geovanis <nickgeovanis@gmail.com> wrote:

> Debian 8 jessie.
> The goal is to block SSH logins with multiple incorrect password tries.
> I've added these lines to my /etc/pam.d/sshd file:
>
> auth    optional        pam_echo.so Before sshd pam_tally
> auth    required        pam_tally2.so file=/var/log/tallylog deny=3 audit
> _onerr_=fail
> auth    optional        pam_echo.so After sshd pam_tally
>
> I receive the pam_echo lines OK. But no matter what, failed passwords never
> increment the pam_tally2 failure count. "UsePAM yes" is specified in
> /etc/ssh/sshd_config. This must be the wrong location for pam_tally2.so but
> experiments haven't helped me find the right location. Has someone a
> working configuration they would share? Many thanks....Nick

A typical run-of-the-mill Jessie system here.
I just put your pam_tally2 configuration (I skipped pam_echo though)
into /etc/pam.d/sshd *before* the '@include common-auth' line.
Created /var/log/tallylog file.
Tested it with 'ssh -o PreferredAuthentications=password <host>'.

Everything worked as expected - i.e. PAM module
filled /var/log/tallylog with own blob, and /sbin/pam_tally2 shows
failed login counter increments.

Reco