[arch-dev-public] Pam lockout
Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there? Thanks. greetings tpowa
On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:
Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?
I think this is fine.
However, In danger of hijacking a discussion, what about FS#67636? That issue hasn't be handled and the lockout stuff is a non-issue after my opinion.
https://bugs.archlinux.org/task/67636
Em setembro 11, 2020 10:55 Tobias Powalowski via arch-dev-public escreveu:
Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?
I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case.
Regards, Giancarlo Razzolini
On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public arch-dev-public@archlinux.org wrote:
I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case.
It's not an upstream default though. It's enabled by /etc/pam.d/system-auth which is part of pambase.
It breaks sudo as well. I don't believe it makes sense to lock the user out after only 3 failed attempts.
I would just remove pam_faillock.so from pambase. :)
Hi, the 3 attempts are default. It is not overridden in the config. It was just a transition to the new module.
greetings tpowa
Am Fr., 11. Sept. 2020 um 16:26 Uhr schrieb Evangelos Foutras via arch-dev-public arch-dev-public@archlinux.org:
On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public arch-dev-public@archlinux.org wrote:
I third you and Levente's opinion. This is a sane upstream default and
should
be handled by users, if they wish to. We shouldn't deviate from upstream
in this
case.
It's not an upstream default though. It's enabled by /etc/pam.d/system-auth which is part of pambase.
It breaks sudo as well. I don't believe it makes sense to lock the user out after only 3 failed attempts.
I would just remove pam_faillock.so from pambase. :)
On Fri, 11 Sep 2020 at 17:33, Tobias Powalowski via arch-dev-public arch-dev-public@archlinux.org wrote:
Hi, the 3 attempts are default. It is not overridden in the config. It was just a transition to the new module.
tally2 used to be in system-login, whereas faillock is part of system-auth. sudo includes the latter which explains why there were no lockouts with sudo in the past.
I'm not familiar enough with pam to judge if moving faillock to system-login restores the status quo and/or is a good idea. Did tally2 without a deny=x argument even do anything other than logging failed attempts?
On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:
Hi guys,
Yo,
https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?
What was the decision you wound up with here? The issue is still open and there should preferably be a decision?
participants (4)
-
Evangelos Foutras
-
Giancarlo Razzolini
-
Morten Linderud
-
Tobias Powalowski