Package: libpam-modules

Somebody somewhere came up with this misuse of tally's "deny" option, applying it to the account phase, and it's been propagated all over the internet (evidenced today during my search for pam_tally examples).
deny is listed under auth options, not account options. If you put "auth required pam_tally.so deny=4" before pam_unix (or common-auth), then the entered password will never even be processed by pam_unix or any other "real" auth module.

The only purpose of using pam_tally in the account phase is to reset (or decrement) the count upon successful login. All account options listed in the man page relate to that functionality. Just because all options are allowed during the account phase doesn't mean they should; refer to the documentation.

My recommendation is that this bug should be closed and attributed to user (mis)configuration (or re-filed as a wishlist bug, since auth and account options should only be allowed in the proper phase).

corey
--
[EMAIL PROTECTED]
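
The misplacement described in the message above can be checked mechanically. The following is an added example, not part of the original message or of libpam-modules: a small Python linter that flags pam_tally.so lines carrying deny= outside the auth phase and checks that the auth-phase rule comes before pam_unix.so. The function names and the two sample stacks are constructed for illustration, and the usual /etc/pam.d line layout (type, control, module, arguments) is assumed.

```python
import re

# Constructed sample stacks (assumptions for illustration, not from the message).
MISUSED = """\
auth     required  pam_unix.so
account  required  pam_tally.so deny=4
"""
RECOMMENDED = """\
auth     required  pam_tally.so deny=4
auth     required  pam_unix.so
account  required  pam_tally.so
"""

# type, control (plain word or [bracketed list]), module path, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def rules(text):
    """Yield (lineno, type, module_basename, args) for each PAM rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # blank, comment-only and @include lines do not match
            mtype, _control, module, args = m.groups()
            yield lineno, mtype.lstrip("-").lower(), module.rsplit("/", 1)[-1], args.split()

def has_deny(args):
    return any(a.startswith("deny=") for a in args)

def misplaced_deny(text):
    """Line numbers where pam_tally.so is given deny= outside the auth phase."""
    return [n for n, mtype, mod, args in rules(text)
            if mod == "pam_tally.so" and mtype != "auth" and has_deny(args)]

def deny_precedes_unix(text):
    """True if an auth pam_tally.so deny= rule comes before auth pam_unix.so."""
    for _n, mtype, mod, args in rules(text):
        if mtype != "auth":
            continue
        if mod == "pam_tally.so" and has_deny(args):
            return True
        if mod == "pam_unix.so":
            return False
    return False

if __name__ == "__main__":
    for name, stack in (("misused", MISUSED), ("recommended", RECOMMENDED)):
        print(name, misplaced_deny(stack), deny_precedes_unix(stack))
```

Stacks that pull in pam_unix through "@include common-auth" are not followed by this check; the included file has to be linted separately.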