Re: [arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-12 Thread mpan
On 9/12/20 5:41 AM, David C. Rankin wrote:
> Following the [arch-dev-public] Pam lockout thread,
> 
>   Can we just remove the faillock entries from /etc/pam.d/login without
> breaking anything if we don't need it at all (like for home computers, etc..)
> (…)
Not elegant, but moves faillock out of the way:

  deny = 999
  unlock_time = 1

Of course removing faillock completely would be nicer.
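
An added example, not part of the original post: a small audit that parses faillock.conf-style text and flags values like the ones above that leave the lockout effectively inactive. The sample inputs are constructed, and the thresholds max_deny and min_unlock are assumed site policy, not pam_faillock settings.

```python
import re

# Defaults as documented in faillock.conf(5).
DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600}

def parse_faillock_conf(text):
    """Return the effective numeric settings from faillock.conf-style text."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", line)
        if not m or m.group(1) not in DEFAULTS:
            continue                             # blank line, flag or other option
        key, value = m.groups()
        if key == "unlock_time" and value == "never":
            value = "0"                          # "never" and 0 mean the same
        if value.isdigit():
            settings[key] = int(value)
    return settings

def audit(settings, max_deny=10, min_unlock=60):
    """List findings; max_deny and min_unlock are assumed site thresholds."""
    findings = []
    if settings["deny"] > max_deny:
        findings.append("deny=%d: threshold is effectively unreachable"
                        % settings["deny"])
    # unlock_time=0 keeps the account locked until an admin resets it,
    # so only small non-zero values count as "unlocks almost immediately".
    if 0 < settings["unlock_time"] < min_unlock:
        findings.append("unlock_time=%d: lock clears almost immediately"
                        % settings["unlock_time"])
    return findings

# Constructed sample inputs: the workaround from the post, and a file with
# every option commented out (so the defaults apply).
WORKAROUND = "deny = 999\nunlock_time = 1\n"
STOCK = "# deny = 3\n# unlock_time = 600\n"

if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND), ("stock", STOCK)):
        effective = parse_faillock_conf(conf)
        print(name, effective, audit(effective) or "no findings")
```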





Re: [arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-12 Thread David C. Rankin
On 9/12/20 1:48 AM, Jan Alexander Steffens wrote:
> Succeeding even once should clear the log of failures, thus giving you
> another three attempts. This seems reasonable to me. Is this not
> working as advertised?

I didn't lock the box to check. I was going through faillock.conf to determine
if it would allow some setting that would do just that. (the notes didn't
indicate a clearing on success). If it works that way, then it would be fine.

I have had times when I am using sudo heavily (several times a minute) and if
the fails were cumulative over the default period that would be a problem.

I'll check that this works on a local box, I didn't want to risk a test on a
remote box.

-- 
David C. Rankin, J.D.,P.E.