commit: 3a158ca2ba9220bc82ac2d76f3dd6aff50511ab1 Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> AuthorDate: Tue Jun 16 16:25:38 2020 +0000 Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> CommitDate: Tue Jun 16 16:25:38 2020 +0000 URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3a158ca2
iprove faillock support Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org> system-auth.in | 11 +++++++++++ system-login.in | 8 ++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/system-auth.in b/system-auth.in index dbb6971..6067ea1 100644 --- a/system-auth.in +++ b/system-auth.in @@ -1,6 +1,13 @@ #if HAVE_ENV auth required pam_env.so DEBUG #endif + +#if HAVE_FAILOCK +auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +#endif + #if HAVE_PAM_SSH auth sufficient pam_ssh.so #endif @@ -18,6 +25,10 @@ account required pam_unix.so DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ account optional pam_permit.so +#if HAVE_FAILLOCK +account required pam_faillock.so +#endif + #if HAVE_PASSWDQC password required pam_passwdqc.so min=8,8,8,8,8 retry=3 #endif diff --git a/system-login.in b/system-login.in index d93d926..9e82d60 100644 --- a/system-login.in +++ b/system-login.in @@ -1,6 +1,9 @@ #if HAVE_FAILLOCK -auth required pam_faillock.so dir=/var/log deny=3 +auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 #endif + #if HAVE_SHELLS auth required pam_shells.so DEBUG #endif @@ -19,8 +22,9 @@ account required pam_login_access.so account required pam_nologin.so DEBUG_NOLOGIN #endif account include system-auth + #if HAVE_FAILLOCK -account required pam_faillock.so dir=/var/log deny=3 +account required pam_faillock.so #endif password include system-auth
