LinuxCommandLibrary

pam_tally

Tally and manage failed login attempts

SYNOPSIS

`pam_tally` [`options`]

PARAMETERS

-u
    Specify the username to query or modify. If omitted, all users are affected (for querying).

-r
    Reset the tally counter to 0 for the specified user (or all users if -u is omitted).

-f
    Specify an alternate tally log file. The default is usually `/var/log/tallylog`.

-v
    Verbose mode. Show more detailed output.

-c
    Display current tally count. This is the default action when no other action is specified.

-h
    Show and/or modify only the counter of the user that comes from the specified hostname.

DESCRIPTION

The `pam_tally` and `pam_tally2` modules track failed login attempts and can lock a user account after a configured number of them, which mitigates brute-force password attacks. They work within PAM (Pluggable Authentication Modules) and record failed attempts in a system log file, usually `/var/log/tallylog` (a database file in the case of `pam_tally2`). Once the configured threshold is reached, the module can lock the account, preventing further logins until an administrator unlocks it manually or a configured time has elapsed. The `pam_tally` command is used from the command line to query or reset the failure counters. `pam_tally2` is an improved version with similar functionality and replaces the original on some modern systems. The command's behaviour is controlled by options that define the logging mechanism, the account locking policy, and the interaction with the system administrator.

CAVEATS

The location of the tally log file and the configuration within PAM determine the exact behavior. Incorrectly configuring PAM can lock out legitimate users. Resetting counters requires root privileges.

PAM CONFIGURATION

The `pam_tally` module must be configured within the PAM configuration files (usually under `/etc/pam.d/`) to be effective. The configuration specifies when the module should be invoked, e.g., `auth required pam_tally.so onerr=succeed`, which counts each failed authentication; `onerr=succeed` tells the module to return success rather than an error if it cannot open or update the tally file (the alternative, `onerr=fail`, refuses the login in that case).

UNLOCKING ACCOUNTS

Locked accounts can be unlocked with `pam_tally -r -u <username>` or through other administrative tools that can manipulate the tally log. Some configurations also unlock accounts automatically after a time period defined in the PAM configuration.
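To make the behaviour described under DESCRIPTION and UNLOCKING ACCOUNTS concrete, here is an added example (not pam_tally's own code) that models the module's decision logic: a per-UID counter file like the one `-f` points at, the `deny=` threshold at which the account locks, the optional `unlock_time=` after which the lock expires, the counter reset on successful login, and the administrative reset that `pam_tally -r -u <username>` performs. The 10-byte record layout, the UID 1001 and the epoch timestamps are constructed for the example; they are not the real on-disk format of the tally file.

```python
import os
import struct
import tempfile

# Added illustration, not pam_tally's own code: a small model of how a tally
# module keeps per-UID failure counters, when it denies a login, and what the
# administrative reset (`pam_tally -r -u user`) does to the counter.  The
# record layout below is constructed for this example; it is NOT the real
# on-disk format of /var/log/faillog or /var/log/tallylog.
RECORD = struct.Struct("<HQ")  # fail_cnt (uint16), last failure (uint64 epoch seconds)
MAX_COUNT = 0xFFFF             # the counter is 16 bits; never wrap back to zero


class TallyFile:
    """Fixed-size records indexed by UID, like the file `-f` points at."""

    def __init__(self, path):
        self.path = path

    def read(self, uid):
        try:
            with open(self.path, "rb") as fh:
                fh.seek(uid * RECORD.size)
                raw = fh.read(RECORD.size)
        except FileNotFoundError:
            return 0, 0
        # A short read means no record has been written for this UID yet.
        return RECORD.unpack(raw) if len(raw) == RECORD.size else (0, 0)

    def write(self, uid, count, when):
        if not os.path.exists(self.path):
            open(self.path, "wb").close()
        with open(self.path, "r+b") as fh:
            fh.seek(uid * RECORD.size)  # seeking past EOF is fine: the gap reads as zeros
            fh.write(RECORD.pack(count, when))


class TallyPolicy:
    """Decision logic for the module's `deny=` and `unlock_time=` options."""

    def __init__(self, store, deny=5, unlock_time=None):
        self.store = store
        self.deny = deny                # failure count at which the account locks
        self.unlock_time = unlock_time  # seconds after the last failure; None = manual unlock only

    def query(self, uid):
        """What `pam_tally -u` reports: the current failure count."""
        return self.store.read(uid)[0]

    def is_locked(self, uid, now):
        count, last_failure = self.store.read(uid)
        if count < self.deny:
            return False
        if self.unlock_time is not None and now - last_failure >= self.unlock_time:
            return False  # the lock has expired; the next attempt is allowed
        return True

    def record_failure(self, uid, now):
        """Auth phase: bump the counter, starting over if an expired lock is being retried."""
        count, _ = self.store.read(uid)
        if count >= self.deny and not self.is_locked(uid, now):
            count = 0
        count = min(count + 1, MAX_COUNT)
        self.store.write(uid, count, now)
        return count

    def record_success(self, uid):
        """Account phase: a successful login clears the counter."""
        self.store.write(uid, 0, 0)

    def admin_reset(self, uid):
        """What `pam_tally -r -u user` does: zero the counter without authenticating."""
        self.store.write(uid, 0, 0)


def simulate(deny=3, unlock_time=None):
    """Run a short scenario against a temporary tally file and return what was observed."""
    path = os.path.join(tempfile.mkdtemp(), "tallylog")
    policy = TallyPolicy(TallyFile(path), deny=deny, unlock_time=unlock_time)
    uid, t0 = 1001, 1_700_000_000  # constructed UID and epoch time
    for i in range(deny):
        policy.record_failure(uid, t0 + i)
    count_after_deny = policy.query(uid)
    locked_after_deny = policy.is_locked(uid, t0 + deny)
    if unlock_time:
        later = t0 + deny + unlock_time
        locked_after_unlock_time = policy.is_locked(uid, later)
        retry_count = policy.record_failure(uid, later)  # a fresh count after expiry
    else:
        locked_after_unlock_time = retry_count = None
    policy.admin_reset(uid)
    locked_after_admin_reset = policy.is_locked(uid, t0 + deny + 1)
    return {
        "count_after_deny": count_after_deny,
        "locked_after_deny": locked_after_deny,
        "locked_after_unlock_time": locked_after_unlock_time,
        "count_after_expired_retry": retry_count,
        "locked_after_admin_reset": locked_after_admin_reset,
    }


if __name__ == "__main__":
    print(simulate(deny=3))                   # manual unlock only
    print(simulate(deny=3, unlock_time=900))  # lock expires after 15 minutes
```

With `unlock_time` unset, the only way out of the locked state is `admin_reset`, which is exactly the situation in which an administrator has to run `pam_tally -r -u <username>`; with it set, the model (like the module) lets the next attempt through once the interval since the last failure has passed and starts a fresh count.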

HISTORY

The `pam_tally` module was developed to address brute-force password attacks, providing a simple method for counting failed login attempts and locking accounts. `pam_tally2` was later introduced to address limitations of the original `pam_tally`, such as problems with concurrent access to the tally log file, and to improve performance. `pam_tally2` is often used to store user login attempts in a database file.

SEE ALSO

pam.conf(5), login(1), faillog(8), passwd(1)
