[arch-general] pam_faillock -- can we just remove it from /etc/pam.d/login?
Jan Alexander Steffens
jan.steffens at gmail.com
Sat Sep 12 06:48:10 UTC 2020
On Sat, Sep 12, 2020 at 5:41 AM David C. Rankin
<drankinatty at suddenlinkmail.com> wrote:
> Following the [arch-dev-public] Pam lockout thread,
> Can we just remove the faillock entries from /etc/pam.d/login without
> breaking anything if we don't need it at all (like for home computers, etc..)
> The any 3 attempts in 15 minutes which is the default under faillock.conf:
> # The default is 900 (15 minutes).
> # fail_interval = 900
> means that if I mistype a password on login, then 10 minutes later mess up
> with sudo, and then 14 minutes later have another slip with sudo, I'm locked
> out by faillock. That seems like overkill for home users. It should be limited
> to 3 failed logins at a single prompt, not any 3 in 15 minutes.
> # admin_group = <admin_group_name>
> is another option -- but at this point, I'd rather just remove it from the pam
> stack. Is that doable?
> David C. Rankin, J.D.,P.E.
Succeeding even once should clear the log of failures, thus giving you
another three attempts. This seems reasonable to me. Is this not
working as advertised?
More information about the arch-general