chkusr binary does not reset PAM tally counter after a successful login.

Document ID : KB000046934
Last Modified Date : 14/02/2018

Problem

The customer uses the pam_tally2 module to lock a user after more than 5 unsuccessful login attempts. Even though the user authenticates successfully through chkusr, the PAM tally counter keeps increasing instead of resetting to 0. Eventually the account is locked.

cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3

#./chkusr autosys 5FD96C36FDE3A6547A08 sshd
User and Password okay

#pam_tally2 --user autosys
Login Failures Latest failure From
autosys 2 07/20/16 11:34:43 unknown

Environment:

CA Workload Automation Agent for LINUX (Intel) 32-bit Version R11.3, Build 245 

SUSE Linux Enterprise Server 11 SP4

 

Cause:

The authentication phase first increments the attempted-login counter and checks whether the user should be denied access. If the user is authenticated, the login process should then call 'pam_setcred' to reset the attempts counter.

The 'chkusr' utility does not call 'pam_setcred' to reset the counter, so the count keeps increasing.
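
Until the fixed build is installed, the symptom can be caught before an account locks by watching the tally itself. The script below is an added example, not part of the original article or of the CA agent: it classifies accounts from pam_tally2 output. DENY=5 follows the policy described above; the WARN level and the account names batchusr and operator are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify accounts from `pam_tally2` output.
# DENY mirrors the page's policy (lock after more than 5 failures);
# WARN is an assumed early-warning level, not something from the page.
DENY=5
WARN=2

# tally_report: read pam_tally2 output on stdin and print
# "user count state" for every account whose count has reached WARN.
tally_report() {
    awk -v deny="$DENY" -v warn="$WARN" '
        NR == 1 && $1 == "Login" { next }      # skip the header row
        $2 !~ /^[0-9]+$/ { next }              # ignore malformed lines
        $2 + 0 > deny  { print $1, $2, "LOCKED"; next }
        $2 + 0 >= warn { print $1, $2, "WARN" }
    '
}

# Constructed sample in the same layout as the output shown above.
# batchusr and operator are hypothetical accounts.
sample_tally() {
    cat <<'EOF'
Login           Failures Latest failure     From
autosys             2    07/20/16 11:34:43  unknown
batchusr            6    07/20/16 11:40:02  unknown
operator            1    07/20/16 09:12:55  unknown
EOF
}

# On a live host, feed the real tool instead: pam_tally2 | tally_report
sample_tally | tally_report
```

A service account that only ever logs in through chkusr and still appears as WARN is the pattern described in this article.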

 

Resolution:

The problem has been fixed in CA Workload Automation Agent 11.3 SP6 Build 946.

 

Additional Information: 

https://docops.ca.com/ca-wla-agents/1134/en/release-information/ca-wa-agent-for-unix-linux-windows-i5-os-or-hp-integrity-nonstop/11-3-06#id-11.3.06-SYSAGT-264AuthenticationThroughCHKUSRFailsIntermittently