You are not logged in.

#1 2019-09-14 05:23:22

Physicist1616
Member
Registered: 2015-02-16
Posts: 32

Faillog Corrupt or Normal?

All the accounts in my faillog look this way and the log is 42880 bytes:

Login       Failures Maximum Latest                   On

root            0        0   12/31/69 14:00:00 -1000  
bin             0        0   12/31/69 14:00:00 -1000  
daemon          0        0   12/31/69 14:00:00 -1000  
mail            0        0   12/31/69 14:00:00 -1000  
[truncated]

Is this normal?  I know I've fatfingered a password on my user account (not shown but same time).

I looked at the modification time of the file, and it was 2019-02-09 23:01:50.  Looking back at this second in journalctl, I had logged into TTY1 after a fresh boot (really fresh; dhcpcd got me an IP the next second).  I didn't `pacman -Syu` until 23:02.  The log rotation didn't occur until 23:04.

Is faillog possibly not enabled (if so what service or setting to change)?  Why would it be 42k instead of 0 size for no fails?  Why would it have been modified without adding to the counter for an account?  Searching journalctl for fail reveals no relevant lines. 

I did update the day before on the 8th at 01:10; what package install might be likely to cause that file to be modified on the next boot/login?

Do we have a name in this community for nerds like I apparently am for digging into this probably tiny issue?

Offline

#2 2019-09-14 07:13:25

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Faillog Corrupt or Normal?

grep -r tally /etc/pam.d/

Will likely show

/etc/pam.d/system-login:auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog

so faillog isn't used by default. Thus run

pam_tally2

However, merely fatfingering a password once is no recorded incident. You've to be rejected by the system for missing the password til hitting the limit - and I don't think there' a default for "deny", feel free to try.

Offline

Board footer

Powered by FluxBB