pam.d: enable pam_faillock as replacement for pam_tally2 #17
In the PAM 1.5 update the deprecated pam_tally2 module had to be
removed. Since pam_faillock should be used as a replacement and it's
included in the image already, set it up by default.
The "faillock" command will show the current state and the password
login prompt is replaced with a message that the account is locked
for X minutes. This only applies to local password login.
With tally there was no limit for wrong password login attempts.
Yes, with faillock the default is restricted to three attempts within
15 minutes, which leads to a 10 minute account locking. This can be
disturbing for the real user and we can reduce the impact by choosing
a shorter lock duration of one minute and allowing up to 5 wrong
passwords per two minutes (i.e., spread over 15 minutes this means
around 35 wrong attempts are possible).
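The thresholds described above, written out as the pam_faillock lines of an /etc/pam.d/system-auth auth stack. This is an added illustration, not the diff from this PR; the surrounding stack layout and the `silent` flag are assumptions, the numbers follow the description.

```conf
# Added illustration of the settings described above; not the PR's own diff.
# With no options pam_faillock uses deny=3, fail_interval=900 and
# unlock_time=600: three failures within 15 minutes lock the account
# for 10 minutes.
#
# Chosen here: at most 5 failures per 2 minutes, lock for 1 minute.
# The same options must be repeated on every pam_faillock line.
auth     required       pam_faillock.so preauth silent deny=5 fail_interval=120 unlock_time=60
auth     sufficient     pam_unix.so try_first_pass
auth     [default=die]  pam_faillock.so authfail deny=5 fail_interval=120 unlock_time=60
auth     sufficient     pam_faillock.so authsucc deny=5 fail_interval=120 unlock_time=60
auth     required       pam_deny.so

account  required       pam_faillock.so
account  required       pam_unix.so
```

On Linux-PAM 1.4 and later the same options can instead be kept once in /etc/security/faillock.conf, leaving only the bare `pam_faillock.so preauth`/`authfail`/`authsucc` lines in the stack. `faillock --user test` prints the recorded failures for the test user and `faillock --user test --reset` clears them.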
How to use/testing done
Copy the file to /etc/pam.d/system-auth for testing.
Create a test user and set a password: useradd test; passwd test
Now log in via SSH with a wrong password and get locked for some time.