chkusr binary does not reset PAM tally counter after a successful login.

Document ID : KB000046934
Last Modified Date : 14/02/2018
Show Technical Document Details


Customer user pam_tally2 module to lock the user with more than 5 unsuccessful login attempts. Even though the users authenticates okay by chkusr, the PAM tally counter keeps going up instead of resetting to 0. Eventually the account is locked.

cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)

#./chkusr autosys 5FD96C36FDE3A6547A08 sshd
User and Password okay

#pam_tally2 --user autosys
Login Failures Latest failure From
autosys 2 07/20/16 11:34:43 unknown


CA Workload Automation Agent for LINUX (Intel) 32-bit Version R11.3, Build 245 

SUSE Linux Enterprise Server 11 SP4



Authentication phase first increments attempted login counter and checks if user should be denied access. If the user is authenticated and the login process should call 'pam_setcred' to resets the attempts counter.

The 'chkusr' utility does not call 'pam_setcred' to reset the counter. So the count keeps increasing.



The problem has been fixed with CA Workload Automation Agent 11.3 SP6 Build 946


Additional Information: