Re: [arch-dev-public] Pam lockout
On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:
> Hi guys,

Yo,

> https://bugs.archlinux.org/task/67644
> I second Levente's post of it's a configuration issue that needs to be
> addressed by user and not by the package itself. Typing 3 times wrong
> password is a sane default imho.
> Any other opinions out there?

What was the decision you wound up with here? The issue is still open and there should preferably be a decision?

--
Morten Linderud
PGP: 9C02FF419FECBE16
Re: [arch-dev-public] Pam lockout
On Fri, 11 Sep 2020 at 17:33, Tobias Powalowski via arch-dev-public wrote:
>
> Hi,
> the 3 attempts are default. It is not overridden in the config. It was just
> a transition to the new module.

tally2 used to be in system-login, whereas faillock is part of system-auth. sudo includes the latter which explains why there were no lockouts with sudo in the past.

I'm not familiar enough with pam to judge if moving faillock to system-login restores the status quo and/or is a good idea. Did tally2 without a deny=x argument even do anything other than logging failed attempts?
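
The include relationship described in the message above, as an added example that is not part of the original thread or of pambase: it walks the `auth` include chain of each service file to show which services end up calling a lockout module. The file contents and the helper names `auth_modules` and `services_reaching` are constructed for illustration.

```python
# Constructed PAM files modelled on the layout described in the thread.
# Their contents are assumptions for illustration, not the real pambase files.
OLD_LAYOUT = {  # tally2 in system-login; sudo includes system-auth only
    "system-auth": "auth required pam_unix.so try_first_pass nullok\n",
    "system-login": "auth required pam_tally2.so onerr=succeed\n"
                    "auth include system-auth\n",
    "login": "auth include system-login\n",
    "sudo": "auth include system-auth\n",
}
NEW_LAYOUT = {  # faillock in system-auth, so every includer inherits it
    "system-auth": "auth required pam_faillock.so preauth\n"
                   "auth [success=1 default=bad] pam_unix.so try_first_pass nullok\n"
                   "auth [default=die] pam_faillock.so authfail\n",
    "system-login": "auth include system-auth\n",
    "login": "auth include system-login\n",
    "sudo": "auth include system-auth\n",
}

def auth_modules(service, configs, seen=None):
    """List modules reached by a service's auth stack, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:  # include loop or missing file
        return []
    seen.add(service)
    modules = []
    for line in configs[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        i = 1  # a bracketed control such as [success=1 default=bad] spans several fields
        if fields[1].startswith("["):
            while i < len(fields) - 2 and not fields[i].endswith("]"):
                i += 1
        control, target = fields[i], fields[i + 1]
        if control in ("include", "substack"):
            modules += auth_modules(target, configs, seen)
        else:
            modules.append(target)
    return modules

def services_reaching(module, configs):
    """Services whose auth stack ends up calling the given module."""
    return sorted(s for s in configs if module in auth_modules(s, configs))

if __name__ == "__main__":
    print("tally2, old layout:  ", services_reaching("pam_tally2.so", OLD_LAYOUT))
    print("faillock, new layout:", services_reaching("pam_faillock.so", NEW_LAYOUT))
```

Pointing the same walk at the contents of a real /etc/pam.d directory shows which services a lockout module placed in a shared file will affect before the change is shipped.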
Re: [arch-dev-public] Pam lockout
Hi,
the 3 attempts are default. It is not overridden in the config. It was just a transition to the new module.
greetings
tpowa

On Fri, 11 Sept 2020 at 16:26, Evangelos Foutras via arch-dev-public wrote:

> On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public
> wrote:
> > I third you and Levente's opinion. This is a sane upstream default and should
> > be handled by users, if they wish to. We shouldn't deviate from upstream in this
> > case.
>
> It's not an upstream default though. It's enabled by
> /etc/pam.d/system-auth which is part of pambase.
>
> It breaks sudo as well. I don't believe it makes sense to lock the
> user out after only 3 failed attempts.
>
> I would just remove pam_faillock.so from pambase. :)
>

--
Tobias Powalowski
Archlinux Developer & Package Maintainer (tpowa)
http://www.archlinux.org
tp...@archlinux.org
Re: [arch-dev-public] Pam lockout
On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public wrote:
> I third you and Levente's opinion. This is a sane upstream default and should
> be handled by users, if they wish to. We shouldn't deviate from upstream in this
> case.

It's not an upstream default though. It's enabled by /etc/pam.d/system-auth which is part of pambase.

It breaks sudo as well. I don't believe it makes sense to lock the user out after only 3 failed attempts.

I would just remove pam_faillock.so from pambase. :)
Re: [arch-dev-public] Pam lockout
On September 11, 2020 10:55, Tobias Powalowski via arch-dev-public wrote:
> Hi guys,
> https://bugs.archlinux.org/task/67644
> I second Levente's post of it's a configuration issue that needs to be
> addressed by user and not by the package itself. Typing 3 times wrong
> password is a sane default imho.
> Any other opinions out there?

I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case.

Regards,
Giancarlo Razzolini
Re: [arch-dev-public] Pam lockout
On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:
> Hi guys,
> https://bugs.archlinux.org/task/67644
> I second Levente's post of it's a configuration issue that needs to be
> addressed by user and not by the package itself. Typing 3 times wrong
> password is a sane default imho.
> Any other opinions out there?

I think this is fine.

However, in danger of hijacking a discussion, what about FS#67636? That issue hasn't been handled and the lockout stuff is a non-issue in my opinion.

https://bugs.archlinux.org/task/67636

--
Morten Linderud
PGP: 9C02FF419FECBE16
[arch-dev-public] Pam lockout
Hi guys,
https://bugs.archlinux.org/task/67644
I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho.
Any other opinions out there?
Thanks.
greetings
tpowa

--
Tobias Powalowski
Archlinux Developer & Package Maintainer (tpowa)
http://www.archlinux.org
tp...@archlinux.org