PAM faillock and sssd
Bryan Harris
bryanlharris at me.com
Thu Jun 6 18:24:03 UTC 2013
Hi Tomas,
Thanks for your response.
On Jun 06, 2013, at 09:28 AM, Tomas Mraz <tmraz at redhat.com> wrote:
> This is not correct, the third pam_faillock line would never be called
> as the second line will always fail. So you can remove it.
I see what you're saying. Is this because [default=die] causes all return codes to act as though an error happened? But why does the pam_faillock man page say to place the lines in this way? Even more important, why can I log in successfully with that configuration? Shouldn't I fail to log in all the time?
I was under the impression that one of the lines has a success type function and the other one has a failure type function.
> And just add
> account required pam_faillock.so
> line to the beginning of account section. Otherwise the fail count will
> never be reset on successful authentication.
I have removed the 3rd line, and I have placed the account line at the beginning of the account section. For some reason now, faillock does not increment new failures for my users. Any ideas?
Bryan
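
An added illustration of the control-flow point in the quoted reply (not part of the original message, and not libpam code): a simplified Python model of how a PAM auth stack is walked. The stack and the module return values below are constructed for illustration; the poster's actual configuration is not shown on this page.

```python
# Simplified model of PAM control handling (ok / done / bad / die / ignore).
# Constructed example: module names and return values are assumptions.
CONTROLS = {
    "required":      {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":     {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient":    {"success": "done", "default": "ignore"},
    "optional":      {"success": "ok",   "default": "ignore"},
    "[default=die]": {"default": "die"},  # every return value maps to die
}

STACK = [  # constructed auth stack, in evaluation order
    ("required",      "faillock preauth"),
    ("sufficient",    "pam_unix"),
    ("[default=die]", "faillock authfail"),
    ("sufficient",    "faillock authsucc"),
]

def run_stack(stack, results):
    """Walk the stack; return (granted, list of modules actually called)."""
    impression = None  # None = undecided, True = positive, False = negative
    called = []
    for control, module in stack:
        called.append(module)
        rules = CONTROLS[control]
        action = rules.get(results[module], rules["default"])
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                break            # success ends the stack here
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break            # failure ends the stack here
        # "ignore" leaves the running result untouched
    return impression is True, called

GOOD_PASSWORD = {"faillock preauth": "success", "pam_unix": "success",
                 "faillock authfail": "ignore", "faillock authsucc": "success"}
BAD_PASSWORD = dict(GOOD_PASSWORD, pam_unix="auth_err")

if __name__ == "__main__":
    for label, res in (("good", GOOD_PASSWORD), ("bad", BAD_PASSWORD)):
        print(label, run_stack(STACK, res))
```

In this model a correct password ends the stack at the `sufficient` line, and a wrong one ends it at the `[default=die]` line, so any line placed after `[default=die]` is reached in neither case.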