pam_tally --> deny doesn't seem to work when magic_root
Hello LQ,
As per the RHEL 5.2 help on pam_tally:
magic_root
If the module is invoked by a user with uid=0 the counter is not incremented. The sys-admin should use this for user launched services, like su, otherwise this argument should be omitted.
But it's not working as expected...
auth required pam_tally.so onerr=fail per_user deny=3 magic_root
account required pam_tally.so magic_root
The /var/log/faillog doesn't get updated.
In turn, it works fine if I give no_magic_root or if I remove magic_root.
auth required pam_tally.so onerr=fail per_user deny=3 no_magic_root
account required pam_tally.so no_magic_root
or
auth required pam_tally.so onerr=fail per_user deny=3
account required pam_tally.so
Now, faillog gets updated and also the account gets locked after 3 failed login attempts...
I am afraid this would 'lock' "root" also.
So I tested to check if root gets locked after 3 failed login attempts,
and indeed I was puzzled to see that "root" alone is not "locked out" even after 15 failed login attempts...
I am confused with this...
Is this behaviour ...? Can I trust this... against DoS attacks...
Any help would be very helpful!!!
Thanks & Regards
KoKul
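The thread turns on whether /var/log/faillog records a counter for a given uid and whether that counter has reached deny=. The following is an added Python helper, not code from the original post or from pam_tally itself: it decodes the per-uid records using the faillog.h struct layout shared by pam_tally and shadow-utils (the layout, native alignment and time_t == long are assumptions), and reports whether a counter has reached its limit, honouring the per_user fail_max override as the man page describes. The sample image is constructed.

```python
import struct

# Record layout assumed from the faillog.h struct shared by pam_tally and shadow-utils
# (native alignment, time_t == long, as on RHEL 5 era glibc); /var/log/faillog holds
# one such record per uid, record N at byte offset N * sizeof(struct faillog):
#   short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
FAILLOG_FMT = "@hh12sll"
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)

def parse_faillog(data):
    """Map uid -> (fail_cnt, fail_max, fail_line, fail_time, fail_locktime) for every
    slot in a faillog image; all-zero slots (users never counted) are skipped."""
    records = {}
    for uid in range(len(data) // FAILLOG_SIZE):
        chunk = data[uid * FAILLOG_SIZE:(uid + 1) * FAILLOG_SIZE]
        cnt, fmax, line, when, locktime = struct.unpack(FAILLOG_FMT, chunk)
        if cnt == 0 and when == 0:
            continue
        line = line.split(b"\0", 1)[0].decode("ascii", "replace")
        records[uid] = (cnt, fmax, line, when, locktime)
    return records

def build_faillog(entries):
    """Build a constructed faillog image from {uid: (cnt, fmax, line, when, locktime)}."""
    image = bytearray((max(entries) + 1) * FAILLOG_SIZE)
    for uid, (cnt, fmax, line, when, locktime) in entries.items():
        struct.pack_into(FAILLOG_FMT, image, uid * FAILLOG_SIZE,
                         cnt, fmax, line.encode("ascii"), when, locktime)
    return bytes(image)

def effective_deny(records, uid, deny, per_user):
    """With per_user, a non-zero fail_max stored for the uid (set with faillog -m)
    replaces the deny= argument; otherwise deny= applies to everyone."""
    if per_user and uid in records and records[uid][1] != 0:
        return records[uid][1]
    return deny

def counter_reached_deny(records, uid, deny, per_user=True):
    """True when the uid's failure counter has reached its limit (limit 0 = never),
    i.e. the state the poster sees as 'locked after 3 failed login attempts'."""
    limit = effective_deny(records, uid, deny, per_user)
    return limit != 0 and uid in records and records[uid][0] >= limit

# Constructed sample: root has no record (its counter was never bumped), uid 500 failed
# three times on tty1, uid 501 failed four times but carries a per-user fail_max of 10.
SAMPLE = build_faillog({500: (3, 0, "tty1", 1230768000, 0),
                        501: (4, 10, "pts/0", 1230768060, 0)})
```

Pointing parse_faillog at the bytes of a real /var/log/faillog shows at a glance which uids ever had their counter bumped under a given magic_root setting.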