pam_tally2
Manage login failure counts and lockout
SYNOPSIS
pam_tally2 [--file /path/to/counter] [--user username] [--reset[=n]] [--quiet]
The short forms -f, -u, -r and -q are accepted for the four long options. Run without arguments, the tool lists every user with a non-zero failure count.
PARAMETERS
-u <username>, --user <username>
Selects the user whose tally is displayed or reset. If omitted, every user with a non-zero failure count is listed, and a reset applies to all users.
-r, --reset[=n]
Resets the failure count of the selected user (or of all users when -u is omitted) to n, which defaults to 0. Requires root, because the tally file is owned by root and not readable or writable by anyone else. A non-zero n leaves an account a chosen number of attempts short of the deny threshold instead of clearing its history entirely.
-f <filename>, --file <filename>
Reads and writes the given tally file instead of the default /var/log/tallylog. Use this only when pam_tally2.so is configured with a matching file= option; otherwise the tool operates on a file the module never touches.
-q, --quiet
Suppresses the printout of the user's counter when resetting.
Anything else on the command line produces a usage message; there are no separate help, version or verbosity switches. Every listing already includes the time of the latest failure and the tty or remote host it came from, under the columns "Login", "Failures", "Latest failure" and "From".
DESCRIPTION
pam_tally2 is the command-line companion of the pam_tally2.so Pluggable Authentication Module. The module counts failed authentication attempts per user and, when deny= is set, refuses further attempts once the count reaches that threshold; the tool reads and writes the same counter file directly, without going through PAM, so that an administrator can see who is accumulating failures and clear or adjust a count by hand. For each user it prints the failure count, the time of the most recent failure and the tty or remote address that failure came from. The counters live in a binary file, /var/log/tallylog by default, and the tool needs root to open it. Typical uses are unlocking a legitimate user who exhausted the limit with mistyped passwords, seeding a count with --reset=n, and reviewing which accounts are being targeted.
CAVEATS
Resetting tallies requires root, and a reset takes effect immediately: clearing the count of an account that was locked because someone else was guessing its password re-opens it to that attacker. The tool only reflects what the module recorded. If pam_tally2.so is absent from the authentication stack, placed after an entry whose failure ends the stack before it runs (such as a requisite module), or configured with a file= path other than the one given to -f, the tool shows no data or data from an irrelevant file. The file is indexed by numeric UID, so a count belongs to whichever account currently holds that UID; a user created with a recycled UID inherits the previous holder's count until it is reset. Counts are never pruned on their own: without unlock_time a locked account stays locked until an administrator runs --reset.
TALLY FILE LOCATION
The default tally file is /var/log/tallylog; both the module and the tool accept another path (file= for the module, -f for the tool), and the two must agree. The file is binary and indexed by UID: the record for a user sits at byte offset UID * 64, so the file is sparse and grows to the largest UID that has ever failed. Each 64-byte record holds the tty or remote host of the latest failure (52 bytes), a reserved 16-bit field, a 16-bit failure count and a 64-bit timestamp of the latest failure, all in the host's native byte order. The file is created by the module, owned by root and unreadable by other users.
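The layout above, as an added example that is not part of Linux-PAM or the pam_tally2 distribution: a small Python reader and writer for the tallylog format, with the lockout decision the module makes from a record under the deny, unlock_time and even_deny_root options, and the raw-file equivalent of --reset[=n]. The sample file bytes, UIDs, source addresses and the fixed clock value NOW are constructed for the example; the assumption that a reset leaves the timestamp and source in place is marked in the code.

```python
"""Reader/writer for pam_tally2's tallylog format (added example, not Linux-PAM code).

Record layout is struct tallylog from Linux-PAM, 64 bytes in the host's native
byte order: char fail_line[52]; uint16 reserved; uint16 fail_cnt; uint64 fail_time.
The record for a user sits at byte offset uid * 64, so the file is sparse.
"""
import struct
import time
from dataclasses import dataclass

# "=" keeps native byte order with standard sizes and no padding: 52+2+2+8 = 64
RECORD = struct.Struct("=52sHHQ")


@dataclass
class Tally:
    uid: int
    fail_cnt: int
    fail_time: int   # epoch seconds of the latest failure
    fail_line: str   # tty or remote host the latest failure came from


def pack_record(fail_cnt, fail_time, fail_line):
    """Build one 64-byte record; used here only to construct sample data."""
    return RECORD.pack(fail_line.encode()[:51], 0, fail_cnt, fail_time)


def parse_tallylog(data):
    """Map UID -> Tally for every record with a non-zero count (what the tool lists)."""
    out = {}
    for uid in range(len(data) // RECORD.size):
        line, _reserved, cnt, when = RECORD.unpack_from(data, uid * RECORD.size)
        if cnt:
            host = line.split(b"\0", 1)[0].decode(errors="replace")
            out[uid] = Tally(uid, cnt, when, host)
    return out


def is_locked(t, deny, unlock_time=0, even_deny_root=False, now=None):
    """The module's decision for one record, with the same option semantics:
    deny=0 disables lockout, unlock_time=0 locks until an explicit reset,
    and uid 0 is exempt unless even_deny_root is set."""
    if deny == 0 or (t.uid == 0 and not even_deny_root):
        return False
    if t.fail_cnt < deny:
        return False
    if unlock_time == 0:
        return True
    now = time.time() if now is None else now
    return now < t.fail_time + unlock_time


def reset_tally(data, uid, n=0):
    """Raw-file equivalent of `pam_tally2 -u <user> --reset=n`: rewrite fail_cnt
    to n. Leaving the source and timestamp untouched is an assumption of this
    example about what the tool does, not something verified against it."""
    off = uid * RECORD.size
    if off + RECORD.size > len(data):
        return data   # no record yet means the count is already 0
    line, reserved, _cnt, when = RECORD.unpack_from(data, off)
    return data[:off] + RECORD.pack(line, reserved, n, when) + data[off + RECORD.size:]


def locked_users(data, deny, unlock_time=0, even_deny_root=False, now=None):
    """UIDs currently denied under the given module options."""
    return sorted(uid for uid, t in parse_tallylog(data).items()
                  if is_locked(t, deny, unlock_time, even_deny_root, now))


# --- constructed sample file: three users, a fixed clock, made-up sources ---
NOW = 1_700_000_000
_buf = bytearray(RECORD.size * 1002)           # sparse up to uid 1001
for _uid, _cnt, _when, _line in [(0, 7, NOW - 60, "tty2"),
                                 (1000, 5, NOW - 600, "203.0.113.7"),
                                 (1001, 2, NOW - 3600, "tty1")]:
    _buf[_uid * RECORD.size:(_uid + 1) * RECORD.size] = pack_record(_cnt, _when, _line)
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    # Same columns as the tool, with the UID in place of the login name.
    print("Login  Failures  Latest failure     From")
    for t in parse_tallylog(SAMPLE).values():
        stamp = time.strftime("%m/%d/%y %H:%M:%S", time.localtime(t.fail_time))
        print(f"{t.uid:<6} {t.fail_cnt:<9} {stamp}  {t.fail_line}")
    print("locked with deny=5 unlock_time=900:", locked_users(SAMPLE, 5, 900, now=NOW))
```

To inspect a live system, replace SAMPLE with the contents of /var/log/tallylog read as root; the decision functions take the same deny=, unlock_time= and even_deny_root values that appear on the module's line in /etc/pam.d.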
INTERACTION WITH PAM MODULE
pam_tally2 works in conjunction with the pam_tally2.so module, which provides both an auth and an account component. The auth component runs on every authentication attempt: it increments the user's count, records where the attempt came from, and returns failure once the count has reached deny=n (if unlock_time=n is also set, the lock lifts by itself n seconds after the latest failure). The account component resets the count after a successful login and should be present whenever the auth component is. Root is exempt from the lockout unless even_deny_root is given; root_unlock_time sets a separate automatic-unlock interval for root, and onerr= decides whether an unreadable tally file fails or passes the authentication. The command-line tool is only the administrator's window onto the counters the module maintains.
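A minimal stack that gives the tool something to report, as an added example rather than configuration from the pam_tally2 manual. The module options are the documented ones; the file name, the neighbouring pam_unix entries and the threshold values are illustrative and should be adapted to the distribution's own /etc/pam.d layout.

```text
# Illustrative /etc/pam.d entries for a login service using pam_tally2 (added example).
# The tally module precedes pam_unix so that every attempt is counted, and onerr=fail
# refuses logins instead of silently skipping the check when the file cannot be read.
auth     required   pam_tally2.so deny=5 unlock_time=900 onerr=fail audit
auth     required   pam_unix.so
# Clears the count after a successful login; omit it and a successful login never
# resets the failures recorded by earlier attempts.
account  required   pam_tally2.so
account  required   pam_unix.so
```

With this stack `pam_tally2 -u alice` shows the count the auth line has accumulated, and `pam_tally2 -u alice -r` clears it before the 900-second unlock_time would.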
SECURITY CONSIDERATIONS
pam_tally2 sits on both sides of the trade-off a lockout policy makes. A locked account is the expected outcome of a password-guessing attempt, and resetting it on request hands the attacker a fresh budget of attempts; before running --reset, read the "Latest failure" and "From" columns and the authentication log to confirm that the failures came from the user's usual terminal or address and not from an unknown host. The same mechanism is a denial-of-service lever: anyone who can reach a login service can lock out any account whose name they know by failing deliberately, and with even_deny_root that includes root. A finite unlock_time bounds that damage, and the tool's listing shows at a glance which accounts are being hit.
HISTORY
pam_tally2 succeeded the original pam_tally module and tool in Linux-PAM. pam_tally kept its counters in /var/log/faillog, the record format shared with the shadow suite's faillog tool; pam_tally2 introduced its own file, /var/log/tallylog, with a larger record that stores a 64-bit timestamp and the tty or host of the latest failure alongside the count. Both modules were deprecated in Linux-PAM 1.4.0 and removed in Linux-PAM 1.5.0 (2020) in favour of pam_faillock, which keeps one file per user under /var/run/faillock and has its own faillock command; on current distributions pam_tally2 is therefore present only where an older Linux-PAM is still shipped.