Improve handling of the tally module.

The pam_tally module, only provided by Linux-PAM for us, is replaced in
newer instances with the pam_tally2 module which is wordsize-independent.

For this reason, make the configuration choose the best tally module
between the two depending on the version of the Linux-PAM package.

Also drop the DEBUG indication: the module does not support the debug
option.

2 files changed, 10 insertions, 5 deletions

diff --git a/linux-pam-conf b/linux-pam-conf
index ee34768..b5db3c3 100644
--- a/linux-pam-conf
+++ b/linux-pam-conf
@@ -1,6 +1,5 @@
 #define HAVE_LIMITS			1
 #define HAVE_ENV			1
-#define HAVE_TALLY			1
 #define HAVE_ACCESS			1
 #define HAVE_SHELLS			1
 #define HAVE_MOTD			1
@@ -15,5 +14,11 @@
 # define UNIX_EXTENDED_ENCRYPTION	md5 shadow
 #endif
 
+#if LINUX_PAM_VERSION > 0x010100 /* 1.1.0 */
+# define TALLY_MODULE pam_tally2.so
+#else
+# define TALLY_MODULE pam_tally.so
+#endif
+
 #define LIKEAUTH likeauth
 #define DEBUG_NOLOGIN
diff --git a/system-login.in b/system-login.in
index d13d0d9..0bf2ce3 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,5 +1,5 @@
-#if HAVE_TALLY
-auth		required	pam_tally.so file=/var/log/faillog onerr=succeed DEBUG
+#if defined(TALLY_MODULE)
+auth		required	TALLY_MODULE file=/var/log/faillog onerr=succeed
 #endif
 #if HAVE_SHELLS
 auth		required	pam_shells.so DEBUG
@@ -22,8 +22,8 @@ account		required	pam_login_access.so
 account		required	pam_nologin.so DEBUG_NOLOGIN
 #endif
 account		include		system-auth
-#if HAVE_TALLY
-account		required	pam_tally.so file=/var/log/faillog onerr=succeed DEBUG
+#if defined(TALLY_MODULE)
+account		required	TALLY_MODULE file=/var/log/faillog onerr=succeed DEBUG
 #endif
  
 password	include		system-auth