Jump to content
Read the Funtoo Newsletter: Summer 2023 ×

PAM: faillock integration

Recommended Posts

pam-1.3.0-r3 ebuild introducing the faillock capability from Red Hat. This will allow locking of user account after a consequent login failure attempts. After a number of attempts (can be configured) the account will be locked for a certain time (can be configured). 

Testing can be performed by following. Set the keywords for sys-libs/pam ebuild and install new version.

echo "=sys-libs/pam-1.3.0-r3 **" >> /etc/portage/package.accept_keywords
emerge -1u pam

After installation, edit /etc/pam.d/system-auth with editor and put the lines pointed

auth            required        pam_env.so
auth            required        pam_faillock.so preauth audit deny=3 unlock_time=60
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            required       pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
auth            optional       pam_permit.so
account     required       pam_faillock.so
account         required    pam_unix.so
account         optional    pam_permit.so
password        required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3  
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow  
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so


Notice the lines in bold red. This is very important that first line in auth part is before pam_unix module. The second line must be after pam_unix module. In account part, pam_faillock module needed before pam_unix module. In example, 3 attempts are set for the locking. After that, account will be locked and in console you will see a message that account is locked for 60 seconds, in example. After that period of time, the account will be released. To review the state , you can use faillock utility installed by pam. For more advanced options, follow faillock and pam_faillock manual pages. If some mistakes possibly made with configuration, please, have a live cd to boot from to alter the changes in /etc/pam.d/system-auth. It is wise decision to have a copy of it somewhere before the tests.

Link to comment
Share on other sites

  • Create New...