You are not logged in.

#1 2020-08-19 21:41:46

Maniaxx
Member
Registered: 2014-05-14
Posts: 757

[Solved] How to configure 3 bad login attempts 10min lockout?

Hallo,
when i switch to tty2 and enter my credentials 3 times wrong it results in a 10 minutes lockout. When i switch back to tty1 (that is logged in into xfce already) and try to 'sudo <something>' it doesn't work until the lockout time is over.

How can i configure this? I want more possible attempts and less lockout time. I've already looked up /etc/pam.d but couldn't find anything that matches this. I'm not using any tally module either as far as i know. I login with startx.

The actual issue i had was a bad xscreensaver behavior where it didn't show anything on the lockscreen so i hammered the keyboard. Then suddenly it came back showing me i'm locked out for 10 minutes. I switched to tty2 as root and killed xscreensaver and everything looked fine until i noticed that sudo was still blocked.

/etc/pam.d/system-login:

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so           user_readenv=1

/etc/pam.d/system-auth:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Last edited by Maniaxx (2020-08-19 22:33:11)


sys2064

Offline

#2 2020-08-19 21:57:22

demaio
Member
From: Germany
Registered: 2012-09-02
Posts: 101
Website

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

There is a PAM module called pam_faillock in /etc/pam.d/system-auth. The manpage should have all the information you need to configure it.

Offline

#3 2020-08-19 22:31:09

Maniaxx
Member
Registered: 2014-05-14
Posts: 757

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

Thanks. It's /etc/security/faillock.conf.


sys2064

Offline

#4 2020-08-22 19:39:17

felixfontein
Member
Registered: 2020-08-22
Posts: 1

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

@Maniaxx did you happen to find out what is causing the problems with xscreensaver? I'm currently having the same problems since a couple of days. It cannot be the xscreensaver package itself, since that hasn't changed since end of March. Since I'm using xfce4, I've now switched to xfce4-screensaver, which doesn't seem to have this problem.

Offline

#5 2020-08-23 22:14:32

Maniaxx
Member
Registered: 2014-05-14
Posts: 757

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

It just happened once so far. Currently its working properly.


sys2064

Offline

#6 2020-08-31 11:27:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,643
Website

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

@Maniaxx - What did you change to cause it to work fine?  You marked the thread as solved.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#7 2020-08-31 13:04:23

Maniaxx
Member
Registered: 2014-05-14
Posts: 757

Re: [Solved] How to configure 3 bad login attempts 10min lockout?

The values can be changed in the config file i mentioned earlier. I don't have the file in front of me right now but the options should be obvious.

I just want to prevent the lockout by increasing the possible attempts not the sudo behavior when you're locked out.

Last edited by Maniaxx (2020-08-31 13:08:18)


sys2064

Offline

Board footer

Powered by FluxBB