Oleg Vinichenko Posted August 20, 2018

pam-1.3.0-r3 ebuild introducing the faillock capability from Red Hat. This will allow locking of a user account after consecutive login failure attempts. After a number of attempts (can be configured) the account will be locked for a certain time (can be configured).

Testing can be performed by the following. Set the keywords for the sys-libs/pam ebuild and install the new version.

echo "=sys-libs/pam-1.3.0-r3 **" >> /etc/portage/package.accept_keywords
emerge -1u pam

After installation, edit /etc/pam.d/system-auth with an editor and put in the lines pointed out:

auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 unlock_time=60
auth required pam_unix.so try_first_pass likeauth nullok
auth required pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
auth optional pam_permit.so

account required pam_faillock.so
account required pam_unix.so
account optional pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

Notice the lines in bold red. It is very important that the first line in the auth part is before the pam_unix module. The second line must be after the pam_unix module. In the account part, the pam_faillock module is needed before the pam_unix module. In the example, 3 attempts are set for the locking. After that, the account will be locked and in the console you will see a message that the account is locked for 60 seconds, in the example. After that period of time, the account will be released. To review the state, you can use the faillock utility installed by pam. For more advanced options, follow the faillock and pam_faillock manual pages.
If some mistakes are possibly made with the configuration, please have a live CD to boot from to alter the changes in /etc/pam.d/system-auth. It is a wise decision to have a copy of it somewhere before the tests.
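As an added example (not from the post or the Funtoo pam ebuild), a POSIX shell check that verifies the three ordering rules described above in a PAM stack file, so a broken system-auth can be caught before logging out. It is run here against two constructed sample stacks written to temp files rather than a live /etc/pam.d/system-auth:

```shell
#!/bin/sh
# check_faillock_order FILE: verify the pam_faillock ordering rules from the post.
# Returns 0 only when all three hold; prints which rule is violated otherwise.
check_faillock_order() {
    f="$1"
    # Line numbers of the first matching entry for each module in the stack file.
    preauth=$(grep -n '^auth[[:space:]].*pam_faillock\.so[[:space:]].*preauth' "$f" | head -n1 | cut -d: -f1)
    authfail=$(grep -n '^auth[[:space:]].*pam_faillock\.so[[:space:]].*authfail' "$f" | head -n1 | cut -d: -f1)
    auth_unix=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$f" | head -n1 | cut -d: -f1)
    acct_fl=$(grep -n '^account[[:space:]].*pam_faillock\.so' "$f" | head -n1 | cut -d: -f1)
    acct_unix=$(grep -n '^account[[:space:]].*pam_unix\.so' "$f" | head -n1 | cut -d: -f1)
    if [ -z "$preauth" ] || [ -z "$authfail" ] || [ -z "$auth_unix" ] || [ -z "$acct_fl" ] || [ -z "$acct_unix" ]; then
        echo "$f: a required pam_faillock or pam_unix entry is missing"
        return 1
    fi
    rc=0
    # Rule 1: preauth must run before pam_unix so an already-locked account is refused first.
    if [ "$preauth" -ge "$auth_unix" ]; then echo "$f: preauth line must precede pam_unix in auth"; rc=1; fi
    # Rule 2: authfail must run after pam_unix so a failed password is actually counted.
    if [ "$authfail" -le "$auth_unix" ]; then echo "$f: authfail line must follow pam_unix in auth"; rc=1; fi
    # Rule 3: the account-phase pam_faillock entry must precede pam_unix.
    if [ "$acct_fl" -ge "$acct_unix" ]; then echo "$f: account pam_faillock must precede pam_unix"; rc=1; fi
    return $rc
}

# Constructed sample stack (assumption: not copied from any real system) in the
# order the post prescribes; only the auth and account phases matter for the check.
GOOD_STACK=$(mktemp)
cat > "$GOOD_STACK" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 unlock_time=60
auth required pam_unix.so try_first_pass likeauth nullok
auth required pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
auth optional pam_permit.so
account required pam_faillock.so
account required pam_unix.so
EOF

# Constructed broken stack: same modules, but preauth placed after pam_unix and the
# account entries swapped, which is exactly the mistake the post warns about.
BAD_STACK=$(mktemp)
cat > "$BAD_STACK" <<'EOF'
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth required pam_faillock.so preauth audit deny=3 unlock_time=60
auth required pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
account required pam_unix.so
account required pam_faillock.so
EOF
```

Point the function at the real file with `check_faillock_order /etc/pam.d/system-auth` after editing; a non-zero exit means log in again from a second session before closing the current one.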
drobbins (Funtoo Linux BDFL) Posted August 23, 2018

I think a "faillock" USE variable should be introduced to install the updated /etc/pam.d/system-auth and enable faillock. Right now this is too difficult and error-prone to use.
Oleg Vinichenko (Author) Posted August 23, 2018

This makes perfect sense. I will prepare a default configuration for faillock that is working for most.