Re: pam_faillock -- can we just remove it from /etc/pam.d/login?




On Sat, Sep 12, 2020 at 5:41 AM David C. Rankin
<drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
>
> Following the [arch-dev-public] Pam lockout thread,
>
>   Can we just remove the faillock entries from /etc/pam.d/login without
> breaking anything if we don't need it at all (like for home computers, etc.)?
>
>   The any 3 attempts in 15 minutes which is the default under faillock.conf:
>
> # The default is 900 (15 minutes).
> # fail_interval = 900
>
> means that if I mistype a password on login, then 10 minutes later mess up
> with sudo, and then 14 minutes later have another slip with sudo, I'm locked
> out by faillock. That seems like overkill for home users. It should be limited
> to 3 failed logins at a single prompt, not any 3 in 15 minutes.
>
> # admin_group = <admin_group_name>
>
> is another option -- but at this point, I'd rather just remove it from the pam
> stack. Is that doable?
>
> --
> David C. Rankin, J.D.,P.E.

Succeeding even once should clear the log of failures, thus giving you
another three attempts. This seems reasonable to me. Is this not
working as advertised?
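
The two behaviours discussed in this thread (three failures counted across services within `fail_interval`, and a successful authentication clearing the failure log) can be replayed with a small model. This is an added example, not part of either message and not pam_faillock's own code; it assumes `deny = 3` and `fail_interval = 900` as quoted above, ignores `unlock_time`, and the class, function and timeline names are hypothetical.

```python
# Simplified model of pam_faillock's per-user failure counting (added example).
# Assumptions: deny=3, fail_interval=900 as quoted in the thread; unlock_time is
# left out; a failure counts if it lies within fail_interval of the latest one.
from dataclasses import dataclass, field


@dataclass
class FaillockModel:
    deny: int = 3
    fail_interval: int = 900                     # seconds
    tally: list = field(default_factory=list)    # timestamps of failures

    def record(self, t, success):
        """Record one authentication attempt at time t (seconds)."""
        if success:
            self.tally.clear()                   # a success resets the log
        else:
            self.tally.append(t)

    def locked(self):
        if not self.tally:
            return False
        latest = max(self.tally)
        recent = [t for t in self.tally if latest - t < self.fail_interval]
        return len(recent) >= self.deny


def replay(events, **opts):
    """events: (minute, service, success) tuples. Returns lock state per step."""
    model = FaillockModel(**opts)
    states = []
    for minute, _service, success in events:     # tally is per user, not per service
        model.record(minute * 60, success)
        states.append(model.locked())
    return states


# Constructed timelines, in minutes since the first attempt.
ALL_WITHIN_15 = [(0, "login", False), (10, "sudo", False), (14, "sudo", False)]
SUCCESS_BETWEEN = [(0, "login", False), (1, "login", True),
                   (10, "sudo", False), (14, "sudo", False)]
THIRD_AT_24 = [(0, "login", False), (10, "sudo", False), (24, "sudo", False)]

if __name__ == "__main__":
    for name, ev in [("all within 15 min", ALL_WITHIN_15),
                     ("success in between", SUCCESS_BETWEEN),
                     ("third failure at 24 min", THIRD_AT_24)]:
        print(f"{name:24} -> locked after each attempt: {replay(ev)}")
```

On a real system, `faillock --user <name>` lists the recorded failures and `faillock --user <name> --reset` clears them.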


