Diffstat (limited to '')
-rw-r--r--modules/pam_faillock/faillock.conf62
-rw-r--r--modules/pam_faillock/faillock.conf.5171
-rw-r--r--modules/pam_faillock/faillock.conf.5.xml253
3 files changed, 486 insertions, 0 deletions
diff --git a/modules/pam_faillock/faillock.conf b/modules/pam_faillock/faillock.conf
new file mode 100644
index 0000000..16d93df
--- /dev/null
+++ b/modules/pam_faillock/faillock.conf
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+# deny = 3
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+# unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>
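Review bot: Two comments in this sample file are malformed: the `fail_interval` text still carries DocBook markup (`# lock out is <replaceable>n</replaceable> seconds.` should read `# lock out is n seconds.`), and the `admin_group` text has a stray `>` after `even_deny_root` and never closes its parenthesis. The unclosed parenthesis is also present in the `admin_group` entries of faillock.conf.5 and faillock.conf.5.xml. The file omits `nodelay`, which the man page added alongside it documents, so the sample and the manual disagree on the option list. For administrators who read only this file, the `unlock_time` comment should carry the two caveats the man page gives: the default /var/run/faillock is usually cleared on boot, which re-enables access, and a permanent lock-out (`unlock_time = 0`) makes accounts an easy denial-of-service target. The `silent` comment should likewise note that without it, behaviour differs between existing and non-existing users.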
diff --git a/modules/pam_faillock/faillock.conf.5 b/modules/pam_faillock/faillock.conf.5
new file mode 100644
index 0000000..7b4ddb5
--- /dev/null
+++ b/modules/pam_faillock/faillock.conf.5
@@ -0,0 +1,171 @@
+'\" t
+.\" Title: faillock.conf
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "FAILLOCK\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+faillock.conf \- pam_faillock configuration file
+.SH "DESCRIPTION"
+.PP
+\fBfaillock\&.conf\fR
+provides a way to configure the default settings for locking the user after multiple failed authentication attempts\&. This file is read by the
+\fIpam_faillock\fR
+module and is the preferred method over configuring
+\fIpam_faillock\fR
+directly\&.
+.PP
+The file has a very simple
+\fIname = value\fR
+format with possible comments starting with
+\fI#\fR
+character\&. The whitespace at the beginning of line, end of line, and around the
+\fI=\fR
+sign is ignored\&.
+.SH "OPTIONS"
+.PP
+\fBdir=\fR\fB\fI/path/to/tally\-directory\fR\fR
+.RS 4
+The directory where the user files with the failure records are kept\&. The default is
+/var/run/faillock\&.
+.RE
+.PP
+\fBaudit\fR
+.RS 4
+Will log the user name into the system log if the user is not found\&.
+.RE
+.PP
+\fBsilent\fR
+.RS 4
+Don\*(Aqt print informative messages to the user\&. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non\-existing users\&.
+.RE
+.PP
+\fBno_log_info\fR
+.RS 4
+Don\*(Aqt log informative messages via
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBlocal_users_only\fR
+.RS 4
+Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc\&.) users\&. The
+\fBfaillock\fR(8)
+command will also no longer track user failed authentication attempts\&. Enabling this option will prevent a double\-lockout scenario where a user is locked out locally and in the centralized mechanism\&.
+.RE
+.PP
+\fBnodelay\fR
+.RS 4
+Don\*(Aqt enforce a delay after authentication failures\&.
+.RE
+.PP
+\fBdeny=\fR\fB\fIn\fR\fR
+.RS 4
+Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds
+\fIn\fR\&. The default is 3\&.
+.RE
+.PP
+\fBfail_interval=\fR\fB\fIn\fR\fR
+.RS 4
+The length of the interval during which the consecutive authentication failures must happen for the user account lock out is
+\fIn\fR
+seconds\&. The default is 900 (15 minutes)\&.
+.RE
+.PP
+\fBunlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+The access will be re\-enabled after
+\fIn\fR
+seconds after the lock out\&. The value 0 has the same meaning as value
+\fInever\fR
+\- the access will not be re\-enabled without resetting the faillock entries by the
+\fBfaillock\fR(8)
+command\&. The default is 600 (10 minutes)\&.
+.sp
+Note that the default directory that
+\fIpam_faillock\fR
+uses is usually cleared on system boot so the access will be also re\-enabled after system reboot\&. If that is undesirable a different tally directory must be set with the
+\fBdir\fR
+option\&.
+.sp
+Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers\&.
+.RE
+.PP
+\fBeven_deny_root\fR
+.RS 4
+Root account can become locked as well as regular accounts\&.
+.RE
+.PP
+\fBroot_unlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+This option implies
+\fBeven_deny_root\fR
+option\&. Allow access after
+\fIn\fR
+seconds to root account after the account is locked\&. In case the option is not specified the value is the same as of the
+\fBunlock_time\fR
+option\&.
+.RE
+.PP
+\fBadmin_group=\fR\fB\fIname\fR\fR
+.RS 4
+If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options
+\fBeven_deny_root\fR
+and
+\fBroot_unlock_time\fR
+will apply to them\&. By default the option is not set\&.
+.RE
+.SH "EXAMPLES"
+.PP
+/etc/security/faillock\&.conf file example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+deny=4
+unlock_time=1200
+silent
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+/etc/security/faillock\&.conf
+.RS 4
+the config file for custom options
+.RE
+.SH "SEE ALSO"
+.PP
+\fBfaillock\fR(8),
+\fBpam_faillock\fR(8),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_faillock was written by Tomas Mraz\&. The support for faillock\&.conf was written by Brian Ward\&.
diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml
new file mode 100644
index 0000000..04a8410
--- /dev/null
+++ b/modules/pam_faillock/faillock.conf.5.xml
@@ -0,0 +1,253 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="faillock.conf">
+
+ <refmeta>
+ <refentrytitle>faillock.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="faillock.conf-name">
+ <refname>faillock.conf</refname>
+ <refpurpose>pam_faillock configuration file</refpurpose>
+ </refnamediv>
+
+ <refsect1 id="faillock.conf-description">
+
+ <title>DESCRIPTION</title>
+ <para>
+ <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the
+ default settings for locking the user after multiple failed authentication attempts.
+ This file is read by the <emphasis>pam_faillock</emphasis> module and is the
+ preferred method over configuring <emphasis>pam_faillock</emphasis> directly.
+ </para>
+ <para>
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
+ </para>
+ </refsect1>
+
+ <refsect1 id="faillock.conf-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The directory where the user files with the failure records are kept. The
+ default is <filename>/var/run/faillock</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>audit</option>
+ </term>
+ <listitem>
+ <para>
+ Will log the user name into the system log if the user is not found.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages to the user. Please note that when
+ this option is not used there will be difference in the authentication
+ behavior for users which exist on the system and non-existing users.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_log_info</option>
+ </term>
+ <listitem>
+ <para>
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>local_users_only</option>
+ </term>
+ <listitem>
+ <para>
+ Only track failed user authentications attempts for local users
+ in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+ The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ command will also no longer track user failed
+ authentication attempts. Enabling this option will prevent a
+ double-lockout scenario where a user is locked out locally and
+ in the centralized mechanism.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nodelay</option>
+ </term>
+ <listitem>
+ <para>
+ Don't enforce a delay after authentication failures.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>deny=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Deny access if the number of consecutive authentication failures
+ for this user during the recent interval exceeds
+ <replaceable>n</replaceable>. The default is 3.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>fail_interval=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The length of the interval during which the consecutive
+ authentication failures must happen for the user account
+ lock out is <replaceable>n</replaceable> seconds.
+ The default is 900 (15 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The access will be re-enabled after
+ <replaceable>n</replaceable> seconds after the lock out.
+ The value 0 has the same meaning as value
+ <emphasis>never</emphasis> - the access
+ will not be re-enabled without resetting the faillock
+ entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
+ The default is 600 (10 minutes).
+ </para>
+ <para>
+ Note that the default directory that <emphasis>pam_faillock</emphasis>
+ uses is usually cleared on system boot so the access will be also re-enabled
+ after system reboot. If that is undesirable a different tally directory
+ must be set with the <option>dir</option> option.
+ </para>
+ <para>
+ Also note that it is usually undesirable to permanently lock
+ out users as they can become easily a target of denial of service
+ attack unless the usernames are random and kept secret to potential
+ attackers.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>even_deny_root</option>
+ </term>
+ <listitem>
+ <para>
+ Root account can become locked as well as regular accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>root_unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ This option implies <option>even_deny_root</option> option.
+ Allow access after <replaceable>n</replaceable> seconds
+ to root account after the account is locked. In case the
+ option is not specified the value is the same as of the
+ <option>unlock_time</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>admin_group=<replaceable>name</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ If a group name is specified with this option, members
+ of the group will be handled by this module the same as
+ the root account (the options <option>even_deny_root</option>
+ and <option>root_unlock_time</option> will apply to them.
+ By default the option is not set.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='faillock.conf-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ /etc/security/faillock.conf file example:
+ </para>
+ <programlisting>
+deny=4
+unlock_time=1200
+silent
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="faillock.conf-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/security/faillock.conf</filename></term>
+ <listitem>
+ <para>the config file for custom options</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='faillock.conf-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='faillock.conf-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.
+ </para>
+ </refsect1>
+
+</refentry>