I saw this yesterday: -
Mar 2 11:19:32 korath sudo: pam_tally2(sudo:auth): user bloggsj (12024) tally 51, deny 5
Mar 2 11:19:32 korath sudo: pam_unix(sudo:auth): auth could not identify password for [bloggsj]
Mar 2 11:19:32 korath sudo: bloggsj : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/var/bloggsj ; USER=root ; COMMAND=/bin/bash
after changing a user's password.
He was trying/failing to run sudo bash even though he was in the right group, and was using the right password ....
Assuming that Pluggable Authentication Module (PAM) was getting in the way, I checked the PAM Tally: -
pam_tally --user=bloggsj
and even reset it: -
pam_tally --user=bloggsj --reset
but to no avail.
Then I re-read the message: -
Mar 2 11:19:32 korath sudo: pam_tally2(sudo:auth): user bloggsj (12024) tally 51, deny 5
Yep, the offending module is pam_tally2 !
Once I did the needful: -
pam_tally2 --user=bloggsj --reset
all was good.
For the record: -
https://xkcd.com/149/
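
An added example, not part of the original post: a Python script that reads the module name out of each tally line, as the re-read of the log message did above, and pairs every locked account with the reset command for the module that is actually counting. The user exampleu, the sshd line and the names locked_accounts, TALLY_RE and SAMPLE_LOG are assumptions made for the example.

```python
import re
import shlex

# Tally line written by pam_tally / pam_tally2 when it denies an attempt.
TALLY_RE = re.compile(
    r"(?P<module>pam_tally2?)\((?P<service>[^:)]+):auth\): "
    r"user (?P<user>\S+) \((?P<uid>\d+)\) tally (?P<tally>\d+), deny (?P<deny>\d+)"
)

# Lines 1-2 are from the post; lines 3-4 are constructed for this example.
SAMPLE_LOG = """\
Mar 2 11:19:32 korath sudo: pam_tally2(sudo:auth): user bloggsj (12024) tally 51, deny 5
Mar 2 11:19:32 korath sudo: pam_unix(sudo:auth): auth could not identify password for [bloggsj]
Mar 2 11:25:10 korath sshd[4242]: pam_tally(sshd:auth): user exampleu (12099) tally 7, deny 5
Mar 2 11:26:44 korath sudo: pam_tally2(sudo:auth): user bloggsj (12024) tally 52, deny 5
""".splitlines()


def locked_accounts(lines):
    """Map (user, module) to the latest tally and the matching reset command."""
    locked = {}
    for line in lines:
        m = TALLY_RE.search(line)
        if m is None:
            continue  # not a tally line (e.g. the pam_unix message)
        tally, deny = int(m["tally"]), int(m["deny"])
        if tally <= deny:  # deny=n blocks only once the tally exceeds n
            continue
        # Later lines overwrite earlier ones, so the newest tally wins.
        locked[(m["user"], m["module"])] = {
            "service": m["service"],
            "tally": tally,
            "deny": deny,
            # Reset with the same tool that is counting; quote the user name
            # because it comes from log content.
            "reset": f"{m['module']} --user={shlex.quote(m['user'])} --reset",
        }
    return locked


if __name__ == "__main__":
    for (user, module), info in sorted(locked_accounts(SAMPLE_LOG).items()):
        print(f"{user}: locked by {module} via {info['service']} "
              f"(tally {info['tally']}, deny {info['deny']}) -> {info['reset']}")
```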