PAM Frequently Asked Questions

1) PAM_login_limit is not working, what do I do?

Check that the entry BEFORE the login_limit line has a control flag of sufficient. If pam.conf looks correctly configured, turn on debugging (see 2 and 3) and then look at the error messages sent to syslog.

Check that the login_limit file entry is correct:

  # login_limit
  : 0 Fri Mar 11 05:41:52 2005 No Timeout Set

If necessary, clear the count for the user:

  # login_limit -c

Check that the account is not locked:

  # grep /etc/shadow
  :*LK*:12852::::::

2) How do I turn on debugging?

Add the debug flag to the pam line. This generates auth.debug messages to syslog. For example:

  login auth required pam_login_limit.so.1 debug debug debug lock_account

You can add multiple debug options; more options turn on more debugging. Be aware that level three debugging will reveal passwords in the pam_history module. Normally two debug options give the best tradeoff between verbosity and helpfulness.

You must also have syslog catch these messages. In /etc/syslog.conf check that auth.debug is being captured. You need a line similar to ONE of the following:

  auth.debug ifdef(`LOGHOST', /var/log/authlog, @loghost)
  auth.debug /var/log/authlog

If the machine is logging to a central loghost use the first line, otherwise use the second line. Make sure the file exists if logging locally:

  # touch /var/log/authlog

Restart syslog:

  # pkill -HUP syslogd

3) How do I turn on PAM infrastructure debugging?

The pam library also includes debugging. This is controlled by the library checking for the existence of the /etc/pam_debug file. If the file exists, additional infrastructure debugging is sent to syslog at auth.debug. See above for how to capture this output.

4) SSH isn't working with login_limit

The ssh daemon uses PAM optionally. Make sure the UsePAM option is set to true. Ensure that the 'other' or 'sshd' entries are using the pam_login_limit module. If ssh is using RSA based authentication then the PAM system is not consulted for authentication, and cannot lock the account.

5) Console login does not work, or allows passwordless login

This typically happens because the pam_dial_auth pam module is the one that was changed to "sufficient". pam_dial_auth returns the code OPTIONAL, which is ignored by sufficient in later versions of Solaris and was considered OK in earlier versions of Solaris. To correct this behaviour, change the order of the required modules so that pam_unix_auth is the last module, and change its control flag to sufficient.
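The ordering rule from question 1 (the entry before pam_login_limit must be sufficient), the debug-option count from question 2, and the pam_dial_auth pitfall from question 5 can all be checked mechanically before a login is attempted. The script below is an added example written for this FAQ, not a tool shipped with the module or with Solaris. It assumes the standard Solaris pam.conf column layout (service, module type, control flag, module path, options) and works on constructed sample configuration text embedded in the script; point the functions at the contents of a real /etc/pam.conf and /etc/syslog.conf to use it on a system.

```shell
#!/bin/sh
# Added example: sanity checks for pam_login_limit configuration.
# Everything below is constructed sample data, not from a real host.

# Constructed sample /etc/pam.conf. Columns: service module_type control_flag module_path [options]
# - "login"  follows the FAQ advice: pam_unix_auth is last and sufficient, then login_limit.
# - "other"  has no sufficient entry before login_limit (question 1 failure).
# - "dialup" has the sufficient flag on pam_dial_auth instead of pam_unix_auth (question 5).
SAMPLE_PAM_CONF='# constructed sample pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_login_limit.so.1 debug debug lock_account

other auth required pam_unix_auth.so.1
other auth required pam_login_limit.so.1 debug

dialup auth required pam_unix_auth.so.1
dialup auth sufficient pam_dial_auth.so.1
dialup auth required pam_login_limit.so.1
'

# Constructed sample /etc/syslog.conf (selector and action separated by a tab).
SAMPLE_SYSLOG_CONF=$(printf '# constructed sample syslog.conf\n#auth.debug\t/var/log/authlog.old\nauth.debug\t/var/log/authlog\n')

# login_limit_predecessor SERVICE CONF_TEXT
# Prints "<control_flag> <module>" for the auth entry immediately before
# pam_login_limit in SERVICE's stack, "no-previous-entry" if login_limit is
# the first auth entry, or "not-configured" if the service has no login_limit line.
login_limit_predecessor() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }           # skip comments and short lines
        $1 == svc && $2 == "auth" {
            if ($4 ~ /pam_login_limit/) {
                result = (prev_flag == "") ? "no-previous-entry" : (prev_flag " " prev_mod)
                exit                            # exit still runs the END block
            }
            prev_flag = $3; prev_mod = $4
        }
        END { print (result == "") ? "not-configured" : result }'
}

# check_login_limit_order SERVICE CONF_TEXT
# "ok" when the preceding entry is "sufficient pam_unix_auth" (the FAQ rule);
# "warn: ..." when sufficient sits on some other module such as pam_dial_auth;
# "fail: ..." otherwise.
check_login_limit_order() {
    pred=$(login_limit_predecessor "$1" "$2")
    case "$pred" in
        sufficient\ pam_unix_auth*) echo ok ;;
        sufficient\ *) echo "warn: sufficient flag is on ${pred#"sufficient "}, not pam_unix_auth" ;;
        *) echo "fail: $pred" ;;
    esac
}

# count_debug_options SERVICE CONF_TEXT
# Number of "debug" tokens on SERVICE's pam_login_limit line (0 if absent).
# The FAQ recommends two; three exposes passwords via pam_history.
count_debug_options() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" && $4 ~ /pam_login_limit/ {
            n = 0
            for (i = 5; i <= NF; i++) if ($i == "debug") n++
            print n; seen = 1; exit
        }
        END { if (!seen) print 0 }'
}

# check_syslog_auth_debug CONF_TEXT
# "ok" if an uncommented selector line captures auth.debug, else "missing".
check_syslog_auth_debug() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'auth\.debug'; then
        echo ok
    else
        echo missing
    fi
}

# Stand-alone run over the constructed samples.
for svc in login other dialup sshd; do
    echo "$svc: order=$(check_login_limit_order "$svc" "$SAMPLE_PAM_CONF") debug=$(count_debug_options "$svc" "$SAMPLE_PAM_CONF")"
done
echo "syslog auth.debug: $(check_syslog_auth_debug "$SAMPLE_SYSLOG_CONF")"
```

On a real host, replace the two sample variables with `$(cat /etc/pam.conf)` and `$(cat /etc/syslog.conf)`. A "warn" result is the question 5 situation: the stack still has a sufficient entry, but it is pam_dial_auth returning OPTIONAL, so the intended module never short-circuits the stack.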