Tags: debian, openvpn, pam

Pam_tally2 not resetting failures on success


I'm using OpenVPN in combination with PAM for user auth via username/password. I have created a customised PAM file as follows:

auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so user ingroup vpn
auth required pam_tally2.so deny=5 lock_time=5 unlock_time=1800 even_deny_root
account required pam_unix.so

The PAM module correctly identifies users and authenticates them, allowing only VPN users to connect to the virtual network. The issue is that even though the users manage to successfully connect to the VPN, the tally counter keeps going up instead of resetting to 0 (found out with the help of the pam_tally2 command).

The auth.log doesn't log anything suspicious:

pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"

Working on Debian GNU/Linux 7 (wheezy).

Did I miss something? Is there a way to force resetting the tally counter?


Solution

  • It seems I was required to add the following line:

    account required pam_tally2.so
    

    Just a side note: negative votes without explanations are the worst. It was obvious that I had written my configuration wrong; there was no need to downvote me for this unless someone had been kind enough to point out my mistake.
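Why that one line fixes it: pam_tally2 counts an attempt in its auth step and only resets the count in its account step, so a service file that lists pam_tally2.so under auth but not under account counts up forever, which is exactly what the pam_tally2 command showed above. The checker below is an added example, not code from the question or the answer, and not part of OpenVPN or Linux-PAM: it parses a PAM service file (the copy of the posted stack is constructed inline), reports a pam_tally2 auth entry that has no matching account entry, and appends the missing line. The service name and file path are left out on purpose; feed it whatever file OpenVPN's auth-pam plugin is pointed at.

```python
"""Lint a PAM service file for a pam_tally2 auth entry that has no account
entry to reset the tally after a successful login (added example)."""
import re
import shlex

# Constructed copy of the service file posted in the question.
BROKEN_CONFIG = """\
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so user ingroup vpn
auth required pam_tally2.so deny=5 lock_time=5 unlock_time=1800 even_deny_root
account required pam_unix.so
"""

RESET_LINE = "account required pam_tally2.so"
FIXED_CONFIG = BROKEN_CONFIG + RESET_LINE + "\n"

# PAM service-file line: type control module-path [module-arguments].
# control may be the bracketed form, e.g. [success=1 default=ignore], and
# type may carry a leading '-' (missing-module-is-not-fatal marker).
ENTRY_RE = re.compile(
    r"^(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)


def parse_pam(text):
    """Parse one PAM service file into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append({
            "type": m.group("type").lstrip("-"),
            "control": m.group("control"),
            # compare on the basename so /lib/security/pam_tally2.so matches too
            "module": m.group("module").rsplit("/", 1)[-1],
            "args": shlex.split(m.group("args") or ""),
        })
    return entries


def stacks_using(entries, module):
    """Set of stack types ('auth', 'account', ...) that reference a module."""
    return {e["type"] for e in entries if e["module"] == module}


def tally_findings(entries):
    """Return a list of problems with the pam_tally2 wiring, empty if none."""
    stacks = stacks_using(entries, "pam_tally2.so")
    findings = []
    if "auth" in stacks and "account" not in stacks:
        findings.append(
            "pam_tally2.so is in the auth stack (counts every attempt) but "
            "not in the account stack (resets the count on success); add "
            f"'{RESET_LINE}'"
        )
    return findings


def add_account_reset(text):
    """Append the missing account line when the auth/account pairing is broken."""
    if tally_findings(parse_pam(text)):
        if not text.endswith("\n"):
            text += "\n"
        return text + RESET_LINE + "\n"
    return text


if __name__ == "__main__":
    for problem in tally_findings(parse_pam(BROKEN_CONFIG)):
        print("WARNING:", problem)
    print(add_account_reset(BROKEN_CONFIG), end="")
```

After applying the fix, confirm the reset actually happens the way the question did: log in once, then check with `pam_tally2 --user <name>`; the failure column should read 0, not keep climbing.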