[arch-dev-public] Pam lockout

older
[arch-dev-public] Orion retirement

Tobias Powalowski

11 Sep 2020 11 Sep '20

1:55 p.m.

Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there? Thanks. greetings tpowa -- Tobias Powalowski Archlinux Developer & Package Maintainer (tpowa) http://www.archlinux.org tpowa@archlinux.org

Show replies by date

Morten Linderud

11 Sep 11 Sep

2:01 p.m.

On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:

...

Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?

I think this is fine. However, In danger of hijacking a discussion, what about FS#67636? That issue hasn't be handled and the lockout stuff is a non-issue after my opinion. https://bugs.archlinux.org/task/67636 -- Morten Linderud PGP: 9C02FF419FECBE16

Giancarlo Razzolini

2:04 p.m.

Em setembro 11, 2020 10:55 Tobias Powalowski via arch-dev-public escreveu:

...

Hi guys, https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?

I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case. Regards, Giancarlo Razzolini

Evangelos Foutras

2:25 p.m.

On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public wrote:

...

I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case.

It's not an upstream default though. It's enabled by /etc/pam.d/system-auth which is part of pambase. It breaks sudo as well. I don't believe it makes sense to lock the user out after only 3 failed attempts. I would just remove pam_faillock.so from pambase. :)

Tobias Powalowski

2:32 p.m.

Hi, the 3 attempts are default. It is not overridden in the config. It was just a transition to the new module. greetings tpowa Am Fr., 11. Sept. 2020 um 16:26 Uhr schrieb Evangelos Foutras via arch-dev-public :

...

On Fri, 11 Sep 2020 at 17:05, Giancarlo Razzolini via arch-dev-public wrote:

...
I third you and Levente's opinion. This is a sane upstream default and should be handled by users, if they wish to. We shouldn't deviate from upstream in this case.

It's not an upstream default though. It's enabled by /etc/pam.d/system-auth which is part of pambase.

It breaks sudo as well. I don't believe it makes sense to lock the user out after only 3 failed attempts.

I would just remove pam_faillock.so from pambase. :)

-- Tobias Powalowski Archlinux Developer & Package Maintainer (tpowa) http://www.archlinux.org tpowa@archlinux.org

Evangelos Foutras

2:52 p.m.

On Fri, 11 Sep 2020 at 17:33, Tobias Powalowski via arch-dev-public wrote:

...

Hi, the 3 attempts are default. It is not overridden in the config. It was just a transition to the new module.

tally2 used to be in system-login, whereas faillock is part of system-auth. sudo includes the latter which explains why there were no lockouts with sudo in the past. I'm not familiar enough with pam to judge if moving faillock to system-login restores the status quo and/or is a good idea. Did tally2 without a deny=x argument even do anything other than logging failed attempts?

Morten Linderud

6 Nov 6 Nov

5:46 p.m.

On Fri, Sep 11, 2020 at 03:55:17PM +0200, Tobias Powalowski via arch-dev-public wrote:

...

Hi guys, Yo,

...

https://bugs.archlinux.org/task/67644 I second Levente's post of it's a configuration issue that needs to be addressed by user and not by the package itself. Typing 3 times wrong password is a sane default imho. Any other opinions out there?

What was the decision you wound up with here? The issue is still open and there should preferably be a decision? -- Morten Linderud PGP: 9C02FF419FECBE16

1266

Age (days ago)

1322

Last active (days ago)

List overview

Download

6 comments

4 participants

participants (4)

Evangelos Foutras
Giancarlo Razzolini
Morten Linderud
Tobias Powalowski