LinuxCommandLibrary

pam_tally2

Manage login failure counts and lockout

SYNOPSIS

pam_tally2 [--help] [--user username|--all] [-f|--file /path/to/counter] [-r|--reset|-u|--unlock user] [--delete]

PARAMETERS

--help or -h
    Display short usage message and exit

--user username
    Specify username to inspect (default: current user)

--all
    Display failed login counters for all users

-f or --file /path/to/counter
    Use alternative tallylog file instead of default

-r or --reset
    Reset (zero) failed login counters for all users

-u or --unlock user
    Unlock specific user's account by resetting counter

--delete
    Delete specified user's tally record from file

DESCRIPTION

pam_tally2 is a command-line tool for inspecting, resetting, and unlocking user accounts based on failed login attempts tracked by the pam_tally2.so PAM module. It maintains a database (typically /var/log/tallylog) recording consecutive authentication failures per user, enabling account lockouts after a configurable threshold to enhance security against brute-force attacks.

Without arguments, it displays the current user's failure count. Administrators use it to intervene manually, for example to reset the tally behind a legitimate lockout or to view system-wide statistics. Integrated into PAM stacks through auth and account module lines in files such as /etc/pam.d/sshd or /etc/pam.d/common-auth, it supports options such as denying access until an unlock time expires or until the counter is reset manually.
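The PAM stack integration described above, as an added example configuration that is not from this page or from the Linux-PAM project; the thresholds, file path and user name are assumptions chosen for illustration:

```text
# /etc/pam.d/sshd (example fragment; deny=5 and unlock_time=900 are assumed values)
#
# The tally line goes BEFORE the password check so every failed attempt is
# counted, and access is denied once the counter reaches deny=N.
# unlock_time=N (seconds) lets the lock expire on its own; without it the
# user stays locked until an administrator resets the counter by hand.
auth     required   pam_tally2.so  file=/var/log/tallylog deny=5 unlock_time=900
auth     required   pam_unix.so
#
# The account line is what zeroes the counter after a successful login.
# Omit it and every user's tally only ever grows.
account  required   pam_tally2.so
account  required   pam_unix.so

# Administrative checks against the same counter file (run as root):
#   pam_tally2 --user john        # inspect john's current failure count
#   pam_tally2 -r -u john         # clear it, unlocking john before unlock_time elapses
```

The two auth lines must stay in this order: if pam_tally2.so is listed after pam_unix.so, a wrong password can fail the stack before the failure is ever recorded.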

This utility supports secure login policies but requires root privileges for modifications. It is widely used in enterprise Linux environments to meet standards such as the CIS benchmarks, though it is being phased out in favor of more robust successors.

CAVEATS

Requires root privileges for reset/unlock operations. Deprecated in modern distros (e.g., RHEL 8+); use pam_faillock instead. The tally file can grow large with many users; ensure proper permissions on /var/log/tallylog.

EXAMPLES

pam_tally2 --user john
View john's failure count.

pam_tally2 --all
List all users' tallies.

pam_tally2 -r -u john
Unlock john specifically.

HISTORY

Developed as an enhanced replacement for pam_tally around 2005-2010 in the Linux-PAM project. It introduced per-user unlock and delete features. Usage peaked with PAM 1.1.x; it has largely been replaced by pam_faillock since 2016 for better concurrency and IPv6 support.

SEE ALSO

faillock(1), pam_faillock(8), pam_tally(8)
