Re: [arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-12 Thread mpan
On 9/12/20 5:41 AM, David C. Rankin wrote:
> Following the [arch-dev-public] Pam lockout thread,
> 
>   Can we just remove the faillock entries from /etc/pam.d/login without
> breaking anything if we don't need it at all (like for home computers, etc..)
> (…)
Not elegant, but moves faillock out of the way:

  deny = 999
  unlock_time = 1

Of course removing faillock completely would be nicer.





Re: [arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-12 Thread David C. Rankin
On 9/12/20 1:48 AM, Jan Alexander Steffens wrote:
> Succeeding even once should clear the log of failures, thus giving you
> another three attempts. This seems reasonable to me. Is this not
> working as advertised?

I didn't lock the box to check. I was going through faillock.conf to determine
if it would allow some setting that would do just that. (the notes didn't
indicate a clearing on success). If it works that way, then it would be fine.

I have had times when I am using sudo heavily (several times a minute) and if
the fails were cumulative over the default period that would be a problem.

I'll check that this works on a local box, I didn't want to risk a test on a
remote box.

-- 
David C. Rankin, J.D.,P.E.


Re: [arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-12 Thread Jan Alexander Steffens via arch-general
On Sat, Sep 12, 2020 at 5:41 AM David C. Rankin wrote:
>
> Following the [arch-dev-public] Pam lockout thread,
>
>   Can we just remove the faillock entries from /etc/pam.d/login without
> breaking anything if we don't need it at all (like for home computers, etc..)
>
>   The any 3 attempts in 15 minutes which is the default under faillock.conf:
>
> # The default is 900 (15 minutes).
> # fail_interval = 900
>
> means that if I mistype a password on login, then 10 minutes later mess up
> with sudo, and then 14 minutes later have another slip with sudo, I'm locked
> out by faillock. That seems like overkill for home users. It should be limited
> to 3 failed logins at a single prompt, not any 3 in 15 minutes.
>
> # admin_group = 
>
> is another option -- but at this point, I'd rather just remove it from the pam
> stack. Is that doable?
>
> --
> David C. Rankin, J.D.,P.E.

Succeeding even once should clear the log of failures, thus giving you
another three attempts. This seems reasonable to me. Is this not
working as advertised?


[arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?

2020-09-11 Thread David C. Rankin
Following the [arch-dev-public] Pam lockout thread,

  Can we just remove the faillock entries from /etc/pam.d/login without
breaking anything if we don't need it at all (like for home computers, etc..)

  The any 3 attempts in 15 minutes which is the default under faillock.conf:

# The default is 900 (15 minutes).
# fail_interval = 900

means that if I mistype a password on login, then 10 minutes later mess up
with sudo, and then 14 minutes later have another slip with sudo, I'm locked
out by faillock. That seems like overkill for home users. It should be limited
to 3 failed logins at a single prompt, not any 3 in 15 minutes.

# admin_group = 

is another option -- but at this point, I'd rather just remove it from the pam
stack. Is that doable?

-- 
David C. Rankin, J.D.,P.E.
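A simplified model of the tally behaviour discussed in this thread (the three-slips-in-15-minutes scenario above, and Jan's point that one successful authentication clears the failure log), added here as an illustration. It is not code from pam_faillock or from the Arch packages. It assumes the faillock.conf defaults quoted above (deny = 3, fail_interval = 900), an assumed unlock_time of 600 seconds, and the counting rule that only failures younger than fail_interval are tallied; FaillockModel and the scenario functions are hypothetical names, and the model ignores root handling, admin_group and the on-disk tally files.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

MIN = 60  # seconds


@dataclass
class FaillockModel:
    """Hypothetical, simplified model of one user's pam_faillock tally (not the module itself)."""
    deny: int = 3             # failures inside fail_interval that trigger a lock
    fail_interval: int = 900  # seconds; failures older than this drop out of the count
    unlock_time: int = 600    # seconds after the latest failure until the lock lifts (0 = never)
    failures: List[int] = field(default_factory=list)  # timestamps of recorded failures

    def counted_failures(self, now: int) -> int:
        """Only failures whose age is within fail_interval count towards deny."""
        return sum(1 for t in self.failures if t + self.fail_interval >= now)

    def is_locked(self, now: int) -> bool:
        """Locked once the windowed count reaches deny, until unlock_time has elapsed."""
        if self.deny == 0 or self.counted_failures(now) < self.deny:
            return False
        latest = max(self.failures)
        if self.unlock_time and latest + self.unlock_time < now:
            return False  # lock has expired
        return True

    def authenticate(self, now: int, password_ok: bool) -> str:
        """One login/sudo attempt: returns 'locked', 'denied' or 'ok' and updates the tally."""
        if self.is_locked(now):
            return "locked"          # a correct password is refused while locked
        if not password_ok:
            self.failures.append(now)
            return "denied"
        self.failures.clear()        # success clears the tally, as Jan describes
        return "ok"


def three_slips_within_window(**cfg) -> bool:
    """Bad login at t=0, bad sudo at +10 min, bad sudo at +14 min: all inside one 900 s window."""
    m = FaillockModel(**cfg)
    for t in (0, 10 * MIN, 14 * MIN):
        m.authenticate(t, password_ok=False)
    return m.is_locked(14 * MIN + 1)


def success_between_slips(**cfg) -> bool:
    """Same timeline, but one correct password at +12 min clears the tally first."""
    m = FaillockModel(**cfg)
    m.authenticate(0, password_ok=False)
    m.authenticate(10 * MIN, password_ok=False)
    m.authenticate(12 * MIN, password_ok=True)
    m.authenticate(14 * MIN, password_ok=False)
    return m.is_locked(14 * MIN + 1)


def lock_expiry(**cfg) -> Tuple[bool, bool]:
    """Lock state right after the third failure, and again once unlock_time has passed."""
    m = FaillockModel(**cfg)
    for t in (0, 10 * MIN, 14 * MIN):
        m.authenticate(t, password_ok=False)
    return (m.is_locked(14 * MIN + 1), m.is_locked(14 * MIN + m.unlock_time + 1))


if __name__ == "__main__":
    print("defaults, three slips in 14 min -> locked:", three_slips_within_window())
    print("defaults, success in between   -> locked:", success_between_slips())
    print("deny=999, unlock_time=1        -> locked:", three_slips_within_window(deny=999, unlock_time=1))
    print("defaults, (just after, after unlock_time):", lock_expiry())
    print("unlock_time=0, (just after, later):      ", lock_expiry(unlock_time=0))
```

Under this model the deny = 999 / unlock_time = 1 settings from the thread never reach the lock threshold, a single success resets the count, and unlock_time = 0 keeps the lock in place until an administrator clears it.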