- drop pam_tally from system-auth

The default behavior was to not do anything (deny=0 - don't lock
account) and replacing with pam_faillog is non trivial to do
automatically.

diff --git a/pam.spec b/pam.spec
index af061de5e787c5c280d0324f89fff011113b9efd..8daeb423691277112bf013a589dba1a8e2c39295 100644 (file)
--- a/pam.spec
+++ b/pam.spec
@@ -1,6 +1,5 @@
 # TODO
 # - fix pdf gen or disable it: No fo2pdf processor installed, skip PDF generation
-# - pam_tally, pam_tally2 are deprecated in favor of pam_faillock
 # NOTE: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}-docs.tar.xz
 #   is not needed here: it contains documentation in target formats (HTML, PDF) built from sources included in main tarball
 #

diff --git a/system-auth.pamd b/system-auth.pamd
index bdf95ab473f57ba862be502a7288a86a2fae4b30..82d84b0d65bd7042c55056608780225922348e2b 100644 (file)
--- a/system-auth.pamd
+++ b/system-auth.pamd
@@ -1,10 +1,8 @@
 #%PAM-1.0
 auth           required        pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
 auth           required        pam_env.so
-auth           required        pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
 auth           required        pam_unix.so try_first_pass
 
-account                required        pam_tally.so file=/var/log/faillog onerr=succeed
 account                required        pam_time.so
 account                required        pam_unix.so