Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#42120 - [pambase] /etc/pam.d/system-login configured with deprecated pam_tally module

Attached to Project: Arch Linux
Opened by Patrick Goetz (pgoetz) - Thursday, 25 September 2014, 21:08 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 January 2019, 15:31 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


Description: From the pam_tally man page: "pam_tally has several limitations, which are solved with pam_tally2. For this reason pam_tally is deprecated and will be removed in a future release." pam_tally2 is available on the current system, why is pam_tally still included in /etc/pam.d/system-login by default?

Additional info:
* package version: pambase 20130928-1
This task depends upon

Closed by  Dave Reisner (falconindy)
Saturday, 05 January 2019, 15:31 GMT
Reason for closing:  Fixed
Additional comments about closing:  testing/pambase-20190105.1-1
Comment by Ingo Albrecht (indigo) - Saturday, 18 June 2016, 09:51 GMT
I would like to document two points here, in case the FS# gets work:

1. When changing to pam_tally2, it should be considered to add it to
in the stack as well. Reason: If using sudo to authenticate, the counter for the user will otherwise not be reset on authenticate success - i.e. the user will eventually be locked out no matter what. References: [1] [2]

2. There is a recent (06/2016) bug report on pam upstream, which introduces yet another pam module to replace both pam_tally/pam_tally2.[3] - the bug progress should be checked to avoid changing the stack twice, if [3] eventually gets through.

Comment by Doug Newgard (Scimmia) - Friday, 12 August 2016, 13:48 GMT
Ping falconindy, looks like we have a side effect from this in  FS#50369 
Comment by Dave Reisner (falconindy) - Saturday, 05 January 2019, 15:31 GMT
pambase-20190105.1-1 now uses pam_tally2 with the recommendations here.