[Pkg-shadow-devel] useradd should clear tallylog

Josef Moellers jmoellers at suse.de
Mon Sep 26 07:05:53 UTC 2016


Hi,

Next to faillog and lastlog, there is a PAM module (pam_tally2.so) which
maintains a "tallylog" file similar to "faillog". I was tasked to amend
"useradd" to also clear the new user's tallylog file entry, as it may
contain data from a previous owner of the new user's UID (*) to the
extent that the new user is immediately locked out of the system if the
previous user had too many failed login attempts.

The cure is easy: just clear the tallylog file entry for the new user's
UID, and this should be done automagically by "useradd" just like for
the faillog and lastlog entries.

My main problem is that the layout (and thus the size) of the file's
entries is defined in the PAM module's source code rather than in
/usr/include or somewhere similar where it can be picked up by anybody.
I now see two possibilities to clear the log from within "useradd":
1) the account management of pam_tally2.so already clears the log of the
given user (it is cleared on every successful authentication), so I
would need to add authentication and account management of PAM for the
new user (it is already in place for the calling user); however, I'm
afraid that this may have unwanted side-effects (authentication of the
new user? I'm not yet *that* familiar with PAM).
2) PAM also creates a management binary, conveniently from pam_tally2's
sources and called pam_tally2, which can be used to clear a given user's
tallylog entry by calling it with the "--reset" option.

I think the cleanest way to have "useradd" clear the new user's tallylog
entry would be to call the pam_tally2 binary, if it is available.

Any other ideas, comments? Thanks,

Josef, new kid on the block

(*) Using "useradd", create a new user, use pam_tally2 to set the user's
"failed" counter ("pam_tally2 --user <old user's name> --reset=<n>"),
then delete the user with userdel. Then create a new user with the same
UID and use pam_tally2 to check the new user's "failed" counter
("pam_tally2 --user <new user's name>").
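The footnote's UID-reuse scenario, written out as an added example (this is not code from the shadow project or from this mail): it builds a tallylog-format file in /tmp, records five failures for the old owner of UID 1001, shows the counter the new owner of that UID would inherit, and then zeroes the record the way a useradd fix would. The record layout is reproduced from Linux-PAM's pam_tally2 sources (tallylog.h), which is exactly the header that is not installed; in other words this is the "hardcode the layout" route rather than option 2's call to the pam_tally2 binary, chosen here only because it runs without PAM or root and makes the mechanism visible. The file path, UID, tty name, timestamp and failure count are constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One record of /var/log/tallylog. Layout copied from Linux-PAM's
 * modules/pam_tally2/tallylog.h, which is NOT an installed header (the
 * very problem raised in the mail); check it against the PAM version you
 * build against. The record for UID n starts at byte offset n * 64. */
struct tallylog {
    char     fail_line[52];   /* tty/host of the last failure */
    uint16_t reserved;
    uint16_t fail_cnt;        /* failures since the last success */
    uint64_t fail_time;       /* time_t of the last failure */
};
_Static_assert(sizeof(struct tallylog) == 64, "tallylog record must be 64 bytes");

/* Read the record for uid. Returns 1 if a record exists, 0 if the file is
 * missing or shorter than (uid+1)*64 (no record yet), -1 on error. */
int tallylog_get(const char *path, uid_t uid, struct tallylog *out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)uid * (off_t)sizeof *out);
    close(fd);
    if (n < 0) return -1;
    return n == (ssize_t)sizeof *out ? 1 : 0;
}

/* What useradd would do for a new account: zero the record left behind by
 * a previous owner of the same UID. Like useradd's faillog/lastlog handling
 * it never grows the file: a UID past the end has no record to clear.
 * A missing tallylog means pam_tally2 is not in use; that is a no-op. */
int tallylog_reset(const char *path, uid_t uid)
{
    struct tallylog zero;
    struct stat st;
    off_t off = (off_t)uid * (off_t)sizeof zero;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (st.st_size < off + (off_t)sizeof zero) { close(fd); return 0; }
    memset(&zero, 0, sizeof zero);
    ssize_t n = pwrite(fd, &zero, sizeof zero, off);
    close(fd);
    return n == (ssize_t)sizeof zero ? 0 : -1;
}

/* Stand-in for "pam_tally2 --user <old user> --reset=<n>" from the
 * footnote: write a record with fail_cnt failures for uid. */
int tallylog_set(const char *path, uid_t uid, uint16_t fail_cnt)
{
    struct tallylog rec;
    memset(&rec, 0, sizeof rec);
    snprintf(rec.fail_line, sizeof rec.fail_line, "tty1");  /* constructed */
    rec.fail_cnt = fail_cnt;
    rec.fail_time = 1474866353;                              /* constructed */
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    ssize_t n = pwrite(fd, &rec, sizeof rec, (off_t)uid * (off_t)sizeof rec);
    close(fd);
    return n == (ssize_t)sizeof rec ? 0 : -1;
}

/* The footnote's scenario on a temporary file: the old owner of uid piles
 * up `failures`, userdel leaves tallylog untouched, the UID is reused.
 * Reports the new owner's fail_cnt before and after the useradd-style
 * reset. Returns 0 on success, -1 on error. */
int uid_reuse_scenario(uid_t uid, uint16_t failures, int *cnt_before, int *cnt_after)
{
    char path[] = "/tmp/tallylog.XXXXXX";   /* constructed stand-in for /var/log/tallylog */
    struct tallylog rec;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    if (tallylog_set(path, uid, failures) != 0) goto out;
    if (tallylog_get(path, uid, &rec) != 1) goto out;   /* record survived UID reuse */
    *cnt_before = rec.fail_cnt;
    if (tallylog_reset(path, uid) != 0) goto out;
    if (tallylog_get(path, uid, &rec) != 1) goto out;
    *cnt_after = rec.fail_cnt;
    rc = 0;
out:
    unlink(path);
    return rc;
}

int main(void)
{
    int before = -1, after = -1;
    if (uid_reuse_scenario(1001, 5, &before, &after) != 0) {
        perror("scenario");
        return 1;
    }
    printf("fail_cnt inherited by new owner of UID 1001: %d, after reset: %d\n",
           before, after);
    return 0;
}
```

With pam_tally2 configured with deny=3, the inherited count of 5 is what locks the new user out before the first login; zeroing the 64-byte record at uid*64 is all the fix amounts to, the open question being only who owns the knowledge of that layout.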