Linux-PAM configuration - Lock after invalid login attempts

Hello everyone

I am trying to configure PAM in OpenSuSE 11.1 to block access to users
after 5 invalid login attempts, but the configuration I made is not
working: after 5 invalid attempts the user is not locked and continues
logging in normally. My configuration files follow below.


auth requerid
auth optional debug
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth required
auth required deny=5 magic_root file=/var/
auth required debut


password required debug


session required
session required debug
session optional
session optional
session optional debug


account required debug

Could someone explain to me how I block a user with PAM? The user
could then theoretically be released by root after being blocked.

Very grateful.

On 10/07/2011 03:16 PM, ajmoreti wrote:
> I am trying to configure PAM in OpenSuSE 11.1

-=welcome=- new poster, but openSUSE 11.1 is past its end of life (see…so, perhaps you have SUSE Linux
Enterprise which is still supported?

please show us the terminal output from

cat /etc/issue

Hi, my OpenSuSE is not SLES, it is OpenSuSE 11.1, already installed on my server for some time.

My issue file is modified (customized), and so is my motd.

I have been trying to solve this problem for 15 days already.

I always hated working with PAM modules, but with patience you’ll get it working. It appears you left out the line in the account section. Follow this guide

> I have been trying to solve this problem for 15 days already.

as said openSUSE 11.1 has passed its end of life, however there is a best
effort project to keep it alive…via the project named Evergreen…

you can use the Evergreen repos to get the vital security updates needed
to keep your 11.1 safe…and, there is a project mailing list, but i
don’t know if they can give the kind of help you are seeking…

i know i can’t help, perhaps a 11.1/PAM guru will come by and know what
the problem is–we can both hope so,…in the mean time you might have
a look at what is available via Evergreen…i mean, maybe you are
fighting against a known problem which was patched just 14 days
ago…have you checked bugzilla??

check Evergreen here:
there you will find a link to the mail list…

and, check back here too…a guru might come through any second!

I followed the tips of the guide that I sent; however, it did not work and I am still having the problem.

You may need to reboot for the config file to be read correctly. One reason I disliked PAM is that the order of the entries in the config file must be correct, and any slight deviation will result in errors and it just won’t work. Change the order of your directives in the config file and keep trying. Check the syslog for hints as to what the problem might be. Keep syslog file open in one terminal and try logging in in another terminal to see what is going on.

Paste your changes to the pam config here.

You also should take the advice to upgrade to a newer version of OpenSuse.


I have already been following it in the terminal with the command tail -f /var/log/messages;
however, it is not returning errors.

My configuration files follow:


account required
account required debug
account required uid < 1000 quiet
account required


auth required
auth sufficient nullok try_first_pass
auth requisite uid>= 1000
auth required
auth optional debug
auth required debug


password requiste debug try_first_pass retry=3 difok=0 minlen=6 dcredit=1 ucredit=1 lcredit=1 ocredit=0
password required use_authtok debug
password sufficient md5 shadow nullok try_first_pass
password required


session required
session required debug
session optional
session optional
session optional debug
session optional revoke
session [success=1 default=ignore] service in crond quiet use_uid
session required

Are you sure that’s the latest config file? The original one you posted had a line for pam_tally2, this one does not have any lines for pam_tally2.

Also, the common-account section should be at the bottom. Are you paying any attention at all? You should have two lines with pam_tally2. I don’t know what else I can do to help you, unless you want me to write out the entire file for you? And that I will not do.

I’m done.

Yes, the last file is my setup, I apologize for not explaining better.

The first file I posted really did have the pam_tally2 line, but as I am setting up the cracklib module, that module just removes the line with pam_tally2. I need to set the minimum password length, as well as special characters and numbers. When I used the pam-config command to add the cracklib module, the system returned a warning that pam_tally2 conflicts with cracklib and oust the.

I apologize for my English.
I’m having difficulties understanding PAM, and the documents I have found are not helping me much.
But I will not give up.
I am very grateful for the help.
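
Added example, not part of any post in this thread: a small checker for the two points raised in the replies, that pam_tally2 needs a line in both the auth and account stacks and that the order of entries matters. The sample stacks are constructed, and module names such as pam_unix2.so and pam_deny.so are assumptions, since the listings above do not show them.

```python
import re

# Constructed sample stacks; module names such as pam_unix2.so are assumptions,
# since the thread's listings do not show them.
BROKEN = """\
auth     required    pam_env.so
auth     sufficient  pam_unix2.so nullok try_first_pass
auth     required    pam_tally2.so deny=5 magic_root
account  required    pam_unix2.so
"""
FIXED = """\
auth     required    pam_env.so
auth     required    pam_tally2.so deny=5 magic_root
auth     sufficient  pam_unix2.so nullok try_first_pass
auth     required    pam_deny.so
account  required    pam_unix2.so
account  required    pam_tally2.so
"""
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_tally2(text):
    """List reasons why pam_tally2 lockout would not take effect."""
    rules, problems = parse(text), []
    auth = [r for r in rules if r[0] == "auth"]
    pos = [i for i, r in enumerate(auth) if r[2].endswith("pam_tally2.so")]
    if not pos:
        problems.append("auth: no pam_tally2.so line")
    else:
        if not any(a.startswith("deny=") for a in auth[pos[0]][3]):
            problems.append("auth: pam_tally2.so has no deny=N")
        # A succeeding 'sufficient' module ends the stack at once, so a
        # pam_tally2 placed after it never gets to refuse a locked user.
        if any(r[1] == "sufficient" for r in auth[:pos[0]]):
            problems.append("auth: pam_tally2.so comes after a 'sufficient' module")
    if not any(r[0] == "account" and r[2].endswith("pam_tally2.so") for r in rules):
        problems.append("account: no pam_tally2.so line")
    return problems

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_tally2(cfg) or "ok")
```

Once lockout works, root can clear a user's counter with `pam_tally2 --user NAME --reset`.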