LinuxCommandLibrary

pam_tally

Tally and manage failed login attempts

SYNOPSIS

pam_tally2 [--file /path/to/counter] [--user username] [--reset[=n]] [--quiet]

PARAMETERS

-u username, --user username
    Select the user whose tally is shown and, together with --reset, changed. Without this option pam_tally2 prints one line for every user whose tally is non-zero, with the columns "Login", "Failures", "Latest failure" and "From" (the tty or remote host the last failure came from).

-r, --reset[=n]
    Set the selected user's failure count to 0, or to n when given as --reset=n (a non-zero value is occasionally useful for testing a deny= threshold). Without --user, --reset zeroes the counters of all users; resetting all users to a non-zero value is refused. Writing the tally file requires root privileges.

-f file, --file file
    Use an alternative tally file instead of the default /var/log/tallylog. The module must be configured with the same file= option, otherwise the command and the module look at different counters.

-q, --quiet
    Suppress the listing; useful in scripts that only want to reset a counter.

DESCRIPTION

pam_tally2 is the administrative front end to the pam_tally2.so Pluggable Authentication Module (PAM). Placed in a service's auth stack, the module increments the user's counter as each authentication attempt begins and refuses authentication, even with the correct password, once the counter has reached the configured deny= threshold; this is what blunts an online brute-force attack. Placed in the account stack as well, the module clears the counter after a fully successful login. The command reads and writes the same counter file: run it without arguments to see every user with a non-zero tally, with --user to inspect one account, and with --user and --reset to unlock an account the module has locked out (or with --reset alone to zero all counters). The command itself locks nothing; it only edits the counter the module consults, and both reading and writing the file need root privileges.

CAVEATS

pam_tally, with pam_tally.so and its /var/log/faillog counter file, was deprecated in favor of pam_tally2, whose tally file has its own format with proper locking and an identical layout on 32-bit and 64-bit architectures; the two file formats are not interchangeable. Both pam_tally and pam_tally2 were later removed from Linux-PAM (release 1.5.0), so current distributions ship pam_faillock.so and faillock(8) instead; everything on this page applies only to systems that still carry pam_tally2.
Locking and unlocking is enforced by pam_tally2.so as configured in the PAM service files (e.g. /etc/pam.d/system-auth or /etc/pam.d/sshd); the pam_tally2 command only reads and edits the persistent tally file. The module counts in the auth phase and clears the counter in the account phase, so pam_tally2.so belongs in both stacks: a service that lists it only under auth does not reset counters on successful logins.
Resetting a tally (--reset) lifts a lock immediately. If an account is under active brute force, check the "From" column of the listing and the authentication log before unlocking it, and consider whether a bounded unlock_time= in the module configuration is the better fix than repeated manual resets.

DEFAULT TALLY LOG LOCATION

By default pam_tally2 and pam_tally2.so share /var/log/tallylog (the file= module option and the --file command option change it, and they must agree). It is a binary file indexed by UID: every user owns one fixed-size record, holding the failure count, the time of the last failure and the tty or remote host it came from, at the offset uid times the record size. Two consequences follow. Counters survive reboots and separate sessions because they live in this file rather than in memory, and a user with a very large UID, for example from LDAP or Active Directory, makes the file correspondingly large, although it is sparse and the unused gaps occupy no disk blocks.
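The fixed record layout makes the file easy to read and audit without the command, which matters on a system or a forensic image where pam_tally2 is no longer installed. The following script is an added example, not part of this page or of Linux-PAM: it builds a small constructed tally file, lists it the way a bare `pam_tally2` does, applies the module's deny=/unlock_time= rule to a record and resets a counter the way `--user NAME --reset` does. The record layout (52-byte fail_line, 16-bit reserved, 16-bit fail_cnt, 64-bit fail_time, 64 bytes in all) is the struct from Linux-PAM's pam_tally2 sources; the little-endian byte order and the simplified lock check are assumptions, marked as such in the code.

```python
"""Offline reader/writer for a pam_tally2 tally file (/var/log/tallylog).

Added example, not from this page or from Linux-PAM. The record layout follows
struct tallylog in Linux-PAM's pam_tally2 sources; the file is written in host
byte order and little-endian is assumed here. Record N starts at offset N * 64,
i.e. the file is indexed by UID.
"""
import os
import struct
import tempfile
import time

RECORD = struct.Struct("<52sHHQ")   # fail_line, reserved, fail_cnt, fail_time
RECORD_SIZE = RECORD.size           # 64 bytes


def _decode(raw):
    line, _reserved, cnt, when = RECORD.unpack(raw)
    return cnt, when, line.rstrip(b"\x00").decode("ascii", "replace")


def read_tally(path, uid):
    """Return (fail_cnt, fail_time, fail_line) for uid; zeros if no record exists."""
    try:
        with open(path, "rb") as fh:
            fh.seek(uid * RECORD_SIZE)
            raw = fh.read(RECORD_SIZE)
    except FileNotFoundError:
        return 0, 0, ""
    if len(raw) < RECORD_SIZE:          # past EOF: this uid has never failed
        return 0, 0, ""
    return _decode(raw)


def write_tally(path, uid, fail_cnt, fail_time, fail_line):
    """Write one record (used here to build the constructed sample file)."""
    rec = RECORD.pack(fail_line.encode("ascii", "replace")[:52], 0, fail_cnt, fail_time)
    with open(path, "r+b" if os.path.exists(path) else "w+b") as fh:
        fh.seek(uid * RECORD_SIZE)      # the gap before a high uid is zero-filled (sparse)
        fh.write(rec)


def reset_tally(path, uid, value=0):
    """What `pam_tally2 --user NAME --reset[=n]` does: rewrite fail_cnt only."""
    _cnt, when, line = read_tally(path, uid)
    write_tally(path, uid, value, when, line)


def list_nonzero(path):
    """`pam_tally2` with no --user: every uid with a non-zero count, in uid order."""
    found, uid = [], 0
    with open(path, "rb") as fh:
        while True:
            raw = fh.read(RECORD_SIZE)
            if len(raw) < RECORD_SIZE:
                break
            cnt, when, line = _decode(raw)
            if cnt:
                found.append((uid, cnt, when, line))
            uid += 1
    return found


def locked_out(path, uid, deny, unlock_time, now=None, even_deny_root=False):
    """Simplified deny=/unlock_time=/even_deny_root check of pam_tally2.so (assumed
    semantics): locked while fail_cnt >= deny and the last failure is younger than
    unlock_time seconds; root (uid 0) is exempt unless even_deny_root is set."""
    cnt, when, _line = read_tally(path, uid)
    now = int(time.time()) if now is None else now
    if uid == 0 and not even_deny_root:
        return False
    if deny == 0 or cnt < deny:
        return False
    if unlock_time and now - when >= unlock_time:
        return False
    return True


def nominal_size(max_uid):
    """File size once max_uid has a record: why large UIDs mean large sparse files."""
    return (max_uid + 1) * RECORD_SIZE


def demo():
    """Build a constructed sample file in a temp dir and exercise the helpers."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tallylog")
        now = 1_700_000_000             # fixed "current time" keeps results stable
        write_tally(path, 1001, 1, now - 30, "198.51.100.7")   # constructed sample
        write_tally(path, 1000, 5, now - 60, "203.0.113.5")    # constructed sample
        results = {
            "u1000": read_tally(path, 1000),
            "u999_never_failed": read_tally(path, 999),
            "u5000_past_eof": read_tally(path, 5000),
            "listing": [(u, c) for u, c, _, _ in list_nonzero(path)],
            "locked": locked_out(path, 1000, deny=3, unlock_time=600, now=now),
            "expired": locked_out(path, 1000, deny=3, unlock_time=30, now=now),
            "below_deny": locked_out(path, 1001, deny=3, unlock_time=600, now=now),
            "size_for_uid_2000000": nominal_size(2_000_000),
        }
        reset_tally(path, 1000)         # unlock the way --user NAME --reset would
        results["after_reset"] = read_tally(path, 1000)[0]
        return results
```

Point read_tally or list_nonzero at a copied /var/log/tallylog to review lockouts offline; the uid-to-name mapping is deliberately left out so the script works against an image whose passwd file is not the host's.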

INTERACTION WITH PAM

The pam_tally2 command enforces nothing by itself; it is a management tool for the file that pam_tally2.so maintains. The module, listed in the PAM service files (e.g. /etc/pam.d/login, /etc/pam.d/sshd, or a shared include such as /etc/pam.d/system-auth), increments the tally as each authentication attempt begins, denies access once the deny= threshold is reached (optionally letting the lock expire after unlock_time= seconds, with root handled separately by even_deny_root and root_unlock_time=), and clears the tally from its account hook after a successful login. The command lets an administrator see that state or change it.
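A service stack of the kind described above, as an added illustration rather than text from this page or from any distribution's PAM files; the thresholds are example values:

```text
# /etc/pam.d/sshd (excerpt; example values, not a site recommendation)
# Count every attempt and refuse authentication once the counter reaches 5;
# let the lock expire after 15 minutes. root is only counted because
# even_deny_root is set, and its lock then expires after root_unlock_time.
auth     required   pam_tally2.so deny=5 unlock_time=900 even_deny_root root_unlock_time=60
auth     required   pam_unix.so

# The account line is what clears the counter after a successful login.
# Leave it out and successful logins no longer reset the tally; the only
# remaining way down is "pam_tally2 --user NAME --reset".
account  required   pam_tally2.so
account  required   pam_unix.so
```

Keep pam_tally2.so first in the auth stack: a module marked sufficient ahead of it would end the stack on success before the tally is consulted, and on failure the ordering decides whether the attempt is counted at all.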

HISTORY

The original pam_tally command and pam_tally.so module shipped with early Linux-PAM and kept their counters in /var/log/faillog. Problems with file locking and with keeping one file format readable from both 32-bit and 64-bit binaries led to pam_tally2 and pam_tally2.so, which use their own /var/log/tallylog and became the usual choice on distributions of the 2010s.
Linux-PAM has since replaced both with pam_faillock.so and the faillock(8) command, which keep one small file per user under /var/run/faillock, count failures within a time window (fail_interval=), and offer an explicit administrative reset; pam_tally and pam_tally2 were dropped from Linux-PAM in release 1.5.0. On a current system the equivalent of "pam_tally2 --user alice --reset" is therefore "faillock --user alice --reset", and pam_tally2 is found only on older installations.

SEE ALSO

pam_tally2(8), pam(8), pam.d(5), pam_faillock(8), faillock(8), faillog(8), login(1), passwd(1)
