Faillog Corrupt or Normal?

Physicist1616 · 2019-09-14 05:23:22

All the accounts in my faillog look this way and the log is 42880 bytes:

Login       Failures Maximum Latest                   On

root            0        0   12/31/69 14:00:00 -1000  
bin             0        0   12/31/69 14:00:00 -1000  
daemon          0        0   12/31/69 14:00:00 -1000  
mail            0        0   12/31/69 14:00:00 -1000  
[truncated]

Is this normal? I know I've fatfingered a password on my user account (not shown but same time).

I looked at the modification time of the file, and it was 2019-02-09 23:01:50. Looking back at this second in journalctl, I had logged into TTY1 after a fresh boot (really fresh; dhcpcd got me an IP the next second). I didn't `pacman -Syu` until 23:02. The log rotation didn't occur until 23:04.

Is faillog possibly not enabled (if so what service or setting to change)? Why would it be 42k instead of 0 size for no fails? Why would it have been modified without adding to the counter for an account? Searching journalctl for fail reveals no relevant lines.

I did update the day before on the 8th at 01:10; what package install might be likely to cause that file to be modified on the next boot/login?

Do we have a name in this community for nerds like I apparently am for digging into this probably tiny issue?

seth · 2019-09-14 07:13:25

grep -r tally /etc/pam.d/

Will likely show

/etc/pam.d/system-login:auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog

so faillog isn't used by default. Thus run

pam_tally2

However, merely fatfingering a password once is no recorded incident. You've to be rejected by the system for missing the password til hitting the limit - and I don't think there' a default for "deny", feel free to try.

Arch Linux

#1 2019-09-14 05:23:22

Faillog Corrupt or Normal?

#2 2019-09-14 07:13:25

Re: Faillog Corrupt or Normal?

Board footer