Thanks. My failure was putting the pam_tally2 module *after* the "@include
common-auth" instead of before it. The only working example I have at hand
is a RedHat 5.10 system where pam_tally (not pam_tally2) follows the whole
"system-auth" stack, rather than precedes it. Thanks again.....Nick

On Tue, Feb 23, 2016 at 3:26 PM, Reco <recovery...@gmail.com> wrote:

>         Hi.
>
> On Tue, 23 Feb 2016 14:52:59 -0600
> Nicholas Geovanis <nickgeova...@gmail.com> wrote:
>
> > Debian 8 jessie.
> > The goal is to block SSH logins with multiple incorrect password tries.
> > I've added these lines to my /etc/pam.d/sshd file:
> >
> > auth    optional        pam_echo.so Before sshd pam_tally
> > auth    required        pam_tally2.so file=/var/log/tallylog deny=3 audit onerr=fail
> > auth    optional        pam_echo.so After sshd pam_tally
> >
> > I receive the pam_echo lines OK. But no matter what, failed passwords never
> > increment the pam_tally2 failure count. "UsePAM yes" is specified in
> > /etc/ssh/sshd_config. This must be the wrong location for pam_tally2.so but
> > experiments haven't helped me find the right location. Has someone a
> > working configuration they would share? Many thanks....Nick
>
> A typical run-of-the-mill Jessie system here.
> I just put your pam_tally2 configuration (I skipped pam_echo though)
> into /etc/pam.d/sshd *before* the '@include common-auth' line.
> Created /var/log/tallylog file.
> Tested it with 'ssh -o PreferredAuthentications=password <host>'.
>
> Everything worked as expected - i.e. PAM module
> filled /var/log/tallylog with own blob, and /sbin/pam_tally2 shows
> failed login counter increments.
>
> Reco
>
>
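
A check for the ordering reported to work in this thread, added here as an example and not written by either poster: it reports whether an active pam_tally2 auth line comes before the first "@include common-auth" in a PAM service file. The function name and the sample files are constructed for illustration; backslash-continued lines are not handled.

```shell
#!/bin/sh
# check_tally_order FILE   (hypothetical helper name)
# Prints one of: ok | after-include | no-tally | no-include
check_tally_order() {
    awk '
        NF == 0    { next }                  # blank line
        $1 ~ /^#/  { next }                  # commented-out line
        $1 == "@include" && $2 == "common-auth" {
            if (!inc) inc = NR               # remember the first include only
            next
        }
        $1 == "auth" || $1 == "-auth" {
            # The module is the first field ending in ".so"; this also copes
            # with bracketed controls such as [success=1 default=ignore].
            m = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /\.so$/) { m = $i; break }
            if (!tally && (m == "pam_tally2.so" || m ~ /\/pam_tally2\.so$/))
                tally = NR
        }
        END {
            if (!tally)           print "no-tally"
            else if (!inc)        print "no-include"
            else if (tally < inc) print "ok"
            else                  print "after-include"
        }
    ' "$1"
}

# Constructed sample files (not copied from a real system).
tmp=$(mktemp -d)
tally='auth required pam_tally2.so file=/var/log/tallylog deny=3 audit onerr=fail'
printf '%s\n' "$tally" '@include common-auth' > "$tmp/before"
printf '%s\n' '@include common-auth' "$tally" > "$tmp/after"
echo "tally before include: $(check_tally_order "$tmp/before")"
echo "tally after include:  $(check_tally_order "$tmp/after")"
rm -rf "$tmp"
```

On a real system the argument would be /etc/pam.d/sshd.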
