
We use pam_tally2 in our system-auth config file which works fine for users. With services such as SCOM or Nervecenter it causes lockouts.

Same behavior on RHEL5 and RHEL6

This is /etc/pam.d/nervecenter:

#%PAM-1.0
# Sample NerveCenter/RHEL6 PAM configuration
# This PAM registration file avoids use of the deprecated pam_stack.so module.
auth         include    system-auth
account      required   pam_nologin.so
account      include    system-auth

and this is /etc/pam.d/system-auth:

auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
auth        required      pam_tally2.so deny=6 onerr=fail
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minclass=3  minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=8
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The login does work but it also triggers the pam_tally counter up until it hits 6 "false" logins.

Are there any pam-ninjas around who could spot the issue?

Thanks.

Chris

1 Answer


I found the problem.

Reading through some of the bugs and issues, I found that pam_tally2 needs to be specified for auth and account. This will reset its counter when the login was successful.

Changing it to the following has fixed the problem:

auth        required      pam_tally2.so deny=6 onerr=fail
account     required      pam_tally2.so

The main reason was that SCOM was trying different authentication methods; while some failed, one was successful. The problem was that the counter never reset itself.

Chris
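An added example, not from the post or its author: a POSIX shell check that flags the pattern this answer describes in a PAM stack, pam_tally2 present in the auth phase without the account entry that clears the counter after a successful login. The two sample stacks are constructed from the configs above; the function name and the "ok"/"missing-account"/"no-tally" labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original post).
# pam_tally2 counts failures in the "auth" phase. The counter is only cleared
# by its "account" entry once a login succeeds. An "auth" line with no matching
# "account" line means every failed method a service tries (as SCOM did here)
# accumulates until deny= is reached, even though one method succeeded.

# Constructed sample: the broken system-auth excerpt from the question.
BROKEN='auth        required      pam_tally2.so deny=6 onerr=fail
auth        required      pam_unix.so nullok try_first_pass
account     required      pam_unix.so'

# Constructed sample: the stack with the fix from the answer applied.
FIXED='auth        required      pam_tally2.so deny=6 onerr=fail
account     required      pam_tally2.so
auth        required      pam_unix.so nullok try_first_pass
account     required      pam_unix.so'

# count_tally_lines TYPE CONFIG_TEXT
# Number of non-comment lines of module-type TYPE that load pam_tally2.so.
# Matching on the whole line (not a fixed field) keeps bracketed control
# values such as "[success=1 default=ignore]" from shifting the module column.
count_tally_lines() {
    printf '%s\n' "$2" | awk -v t="$1" \
        '!/^[[:space:]]*#/ && $1 == t && /pam_tally2\.so/ { n++ } END { print n + 0 }'
}

# check_tally_stack CONFIG_TEXT
# Prints "ok", "missing-account" or "no-tally"; returns 0 only for "ok".
check_tally_stack() {
    auth_n=$(count_tally_lines auth "$1")
    acct_n=$(count_tally_lines account "$1")
    if [ "$auth_n" -eq 0 ]; then
        echo no-tally
        return 1
    elif [ "$acct_n" -eq 0 ]; then
        echo missing-account
        return 1
    fi
    echo ok
}

# Stand-alone demonstration on the constructed samples.
printf 'broken stack: %s\n' "$(check_tally_stack "$BROKEN" || true)"
printf 'fixed stack:  %s\n' "$(check_tally_stack "$FIXED" || true)"
# On a RHEL-style host (assumption: this path), audit the live stack with:
#   check_tally_stack "$(cat /etc/pam.d/system-auth)"
```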