blob: 04a84107a845a01527ce36c734b55ee92e7bad03 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="faillock.conf">
<refmeta>
<refentrytitle>faillock.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="faillock.conf-name">
<refname>faillock.conf</refname>
<refpurpose>pam_faillock configuration file</refpurpose>
</refnamediv>
<refsect1 id="faillock.conf-description">
<title>DESCRIPTION</title>
<para>
<emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the
default settings for locking the user after multiple failed authentication attempts.
This file is read by the <emphasis>pam_faillock</emphasis> module and is the
preferred method over configuring <emphasis>pam_faillock</emphasis> directly.
</para>
<para>
The file has a very simple <emphasis>name = value</emphasis> format with possible comments
starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
of line, and around the <emphasis>=</emphasis> sign is ignored.
</para>
</refsect1>
<refsect1 id="faillock.conf-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
</term>
<listitem>
<para>
The directory where the user files with the failure records are kept. The
default is <filename>/var/run/faillock</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>audit</option>
</term>
<listitem>
<para>
Will log the user name into the system log if the user is not found.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>silent</option>
</term>
<listitem>
<para>
Don't print informative messages to the user. Please note that when
this option is not used there will be difference in the authentication
behavior for users which exist on the system and non-existing users.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>no_log_info</option>
</term>
<listitem>
<para>
Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>local_users_only</option>
</term>
<listitem>
<para>
Only track failed user authentications attempts for local users
in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry>
command will also no longer track user failed
authentication attempts. Enabling this option will prevent a
double-lockout scenario where a user is locked out locally and
in the centralized mechanism.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>nodelay</option>
</term>
<listitem>
<para>
Don't enforce a delay after authentication failures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>deny=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
Deny access if the number of consecutive authentication failures
for this user during the recent interval exceeds
<replaceable>n</replaceable>. The default is 3.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>fail_interval=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
The length of the interval during which the consecutive
authentication failures must happen for the user account
lock out is <replaceable>n</replaceable> seconds.
The default is 900 (15 minutes).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>unlock_time=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
The access will be re-enabled after
<replaceable>n</replaceable> seconds after the lock out.
The value 0 has the same meaning as value
<emphasis>never</emphasis> - the access
will not be re-enabled without resetting the faillock
entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
The default is 600 (10 minutes).
</para>
<para>
Note that the default directory that <emphasis>pam_faillock</emphasis>
uses is usually cleared on system boot so the access will be also re-enabled
after system reboot. If that is undesirable a different tally directory
must be set with the <option>dir</option> option.
</para>
<para>
Also note that it is usually undesirable to permanently lock
out users as they can become easily a target of denial of service
attack unless the usernames are random and kept secret to potential
attackers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>even_deny_root</option>
</term>
<listitem>
<para>
Root account can become locked as well as regular accounts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>root_unlock_time=<replaceable>n</replaceable></option>
</term>
<listitem>
<para>
This option implies <option>even_deny_root</option> option.
Allow access after <replaceable>n</replaceable> seconds
to root account after the account is locked. In case the
option is not specified the value is the same as of the
<option>unlock_time</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>admin_group=<replaceable>name</replaceable></option>
</term>
<listitem>
<para>
If a group name is specified with this option, members
of the group will be handled by this module the same as
the root account (the options <option>even_deny_root</option>
and <option>root_unlock_time</option> will apply to them.
By default the option is not set.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='faillock.conf-examples'>
<title>EXAMPLES</title>
<para>
/etc/security/faillock.conf file example:
</para>
<programlisting>
deny=4
unlock_time=1200
silent
</programlisting>
</refsect1>
<refsect1 id="faillock.conf-files">
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/security/faillock.conf</filename></term>
<listitem>
<para>the config file for custom options</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='faillock.conf-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='faillock.conf-author'>
<title>AUTHOR</title>
<para>
pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.
</para>
</refsect1>
</refentry>
|