Account Lockout with pam_tally2 in RHEL6

I am using pam_tally2 to lockout accounts after 3 failed logins per policy, however, the connecting user does not receive the error indicating pam_tally2's action. (Via SSH.)

I expect to see on the 4th attempt:

Account locked due to 3 failed logins

No combination of required or requisite or the order in the file seems to help. This is under Red Hat 6, and I am using /etc/pam.d/password-auth. The lockout does work as expected but the user does not receive the error described above. This causes a lot of confusion and frustration as they have no way of knowing why authentication fails when they are sure they are using the correct password.

Implementation follows NSA's Guide to the Secure Conguration of Red Hat Enterprise Linux 5. (pg.45) It's my understanding that that only thing changed in PAM is that /etc/pam.d/sshd now includes /etc/pam.d/password-auth instead of system-auth.

If locking out accounts after a number of incorrect login attempts is required by your security policy, implement use of pam_tally2.so.

To enforce password lockout, add the following to /etc/pam.d/system-auth. First, add to the top of the auth lines:

auth required pam_tally2.so deny=5 onerr=fail unlock_time=900

Second, add to the top of the account lines:

account required pam_tally2.so

EDIT:

I get the error message by resetting pam_tally2 during one of the login attempts.

user@localhost's password: (bad password)
Permission denied, please try again.
user@localhost's password: (bad password)
Permission denied, please try again.

(reset pam_tally2 from another shell)

user@localhost's password: (good password)
Account locked due to ...
Account locked due to ...
Last login: ...
[user@localhost ~]$

Solution 1:

You also need ChallengeResponseAuthentication yes in /etc/ssh/sshd_config.

To display the error, pam needs a conversation function.

This option tells ssh to provide a more complete PAM conversation function, which covers amongst other things providing output and asking for arbitrary input (instead of just being handed over a password by sshd).

Edit: You'll want PasswordAuthentication no to make sure the password input always goes through this PAM conversation.