5 Maintains a count of attempted accesses, can reset count on success,
6 can deny access if too many attempts fail.
10 * onerr=[succeed|fail] (if something weird happens
11 such as unable to open the file, what to do?)
12 * file=/where/to/keep/counts (default /var/log/faillog)
15 * no_magic_root (root DOES increment counter. Use for
16 daemon-based stuff, like telnet/rsh/login)
19 * deny=n (deny access if tally for this user exceeds n;
20 The presence of deny=n changes the default for
21 reset/no_reset to reset, unless the user trying to
22 gain access is root and the no_magic_root option
23 has NOT been specified.)
25 * no_magic_root (access attempts by root DON'T ignore deny.
26 Use this for daemon-based stuff, like telnet/rsh/login)
27 * even_deny_root_account (Root can become unavailable. BEWARE.
28 Note that magic root trying to gain root bypasses this,
29 but normal users can be locked out.)
31 * reset (reset count to 0 on successful entry, even for
33 * no_reset (don't reset count on successful entry)
34 This is the default unless deny exists and the
35 user attempting access is NOT magic root.
37 Also checks to make sure that the list file is a plain
38 file and not world writable.
40 - Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
45 pam_tally is very dependant on getpw*(): a database of usernames
46 would be much more flexible.
48 The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
49 not wholly sure I understood what I should have been doing anyway so
50 the `keep a count of current logins' bit has been #ifdef'd out and you
51 can only reset the counter on successful authentication, for now.
projects / FreeBSD / FreeBSD.git / blob