LinuxQuestions.org


jyoung4 06-15-2006 05:38 PM

pam_tally doesn't work when a password change is required
 
When I add pam_tally to the stack in the system-auth file, users who are required to change their passwords immediately are never given the chance.

My pam application expects to get a PAM_SUCCESS status returned from a pam_authenticate() call even if the user is required to change his password. It then calls pam_acct_mgmt() to check if the password is expired. This works as expected without pam_tally but fails with it because I get a PAM_AUTH_ERR from the pam_authenticate() call.

A user that needs to update his password trying to login via telnet shows the same symptoms as my application. The system displays the "You are required to change your password ..." message and then exits without giving you a chance to do it.

Has anyone else noticed this or found a fix/workaround?

Jim Young
Fedora user

My /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_tally.so per_user deny=3 reset no_magic_root
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
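
An added example, not part of the original post and not Linux-PAM's own code: a simplified Python model of how the control flags in the auth and account stacks quoted above combine per-module results into the value an application gets back from pam_authenticate() and pam_acct_mgmt(). The per-module return codes fed in are constructed inputs and the helper names (run_stack, auth, account) are hypothetical, so it shows which module results would produce the reported PAM_AUTH_ERR rather than diagnosing the poster's system.

```python
# Simplified model of Linux-PAM control-flag handling (required, requisite,
# sufficient). The PAM_* names are real libpam return codes; the per-module
# results passed in below are constructed inputs, not observed values.
OK = {"PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD"}  # treated as "ok" by these flags

# Control flags and module order copied from the system-auth file in the post.
AUTH = [("required", "pam_env"), ("required", "pam_tally"),
        ("sufficient", "pam_unix"), ("required", "pam_deny")]
ACCOUNT = [("required", "pam_tally"), ("required", "pam_unix"),
           ("sufficient", "pam_succeed_if"), ("required", "pam_permit")]

def run_stack(stack, results):
    """Return the code the application would see for one stack."""
    status, failed = None, False
    for control, module in stack:
        rc = results[module]
        if rc in OK:
            # An ok result only replaces an empty or plain PAM_SUCCESS status.
            if not failed and status in (None, "PAM_SUCCESS"):
                status = rc
            if control == "sufficient" and not failed:
                return status          # short-circuit, later modules not run
        elif control in ("required", "requisite"):
            if not failed:
                status, failed = rc, True   # first hard failure is kept
            if control == "requisite":
                return status
        # A failing "sufficient" module is ignored.
    # Model assumption: a stack in which no module decided is a failure.
    return status if status is not None else "PAM_PERM_DENIED"

def auth(tally, unix):
    return run_stack(AUTH, {"pam_env": "PAM_SUCCESS", "pam_tally": tally,
                            "pam_unix": unix, "pam_deny": "PAM_AUTH_ERR"})

def account(unix, succeed_if="PAM_AUTH_ERR"):
    return run_stack(ACCOUNT, {"pam_tally": "PAM_SUCCESS", "pam_unix": unix,
                               "pam_succeed_if": succeed_if,
                               "pam_permit": "PAM_SUCCESS"})

if __name__ == "__main__":
    print(auth("PAM_SUCCESS", "PAM_SUCCESS"))    # pam_unix short-circuits
    print(auth("PAM_AUTH_ERR", "PAM_SUCCESS"))   # pam_tally failure sticks
    print(auth("PAM_SUCCESS", "PAM_AUTH_ERR"))   # wrong password, pam_deny decides
    print(account("PAM_NEW_AUTHTOK_REQD"))       # expiry reaches the caller
```

In this model a failing pam_tally and a failing pam_unix both surface as PAM_AUTH_ERR, so the return code alone does not identify the module; the syslog entries written by each module are the place to tell them apart.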


All times are GMT -5.