Re: pam 1.6.1-2 breaks sudo password




> FYI, the "idiotic default" may feel less annoying when you use the
> documented solution

Would be great if one got this as an error message when the logins
start timing out.

Unfortunately that's not the case; the UX is beyond terrible: you get
the same identical error for a WRONG password as for a TIMED-OUT
password, making people waste time and get frustrated to the point of
going on mailing lists.

It serves no purpose other than as a terrible protection layer for people
using insecure, brute-forceable passwords, but it REALLY isn't much
better that instead you can just DoS user logins, and users do
it by accident, with no information that it happened.

Someone with spare time should raise some complaints on the
appropriate issue trackers, if they weren't already.

It's much less annoying when you revert to the old behavior and just disable it:

https://gitlab.com/C0rn3j/configs/-/blob/ebac36cd8508d71a5d759b326a3c23f9c03c79f3/roles/config_misc/tasks/main.yaml#L62-75

https://gitlab.com/C0rn3j/configs/-/blob/ebac36cd8508d71a5d759b326a3c23f9c03c79f3/roles/config_misc/files/faillock.conf

Martin

On Fri, Apr 12, 2024 at 10:31 AM Jaron Kent-Dobias
<jaron@xxxxxxxxxxxxxxx> wrote:
>
> On Friday, 12 April 2024 at 10:10 (+0200), Martin Rys wrote:
> >Are you sure you're not just hitting the new (old at this point) idiotic
> >default of always failing after X failed attempts in Y time? That would
> >mean you mistyped the password a few times, but afterwards it would not
> >matter even if you typed it correctly.
> >
> >Rebooting will get you out of the timelock
>
> FYI, the "idiotic default" may feel less annoying when you use the
> documented solution:
>
> $ faillock --reset
>
> as your user will reset the counter. So, if you make some mistypes while
> invoking sudo, you can unlock use of your password instantly from the
> same shell where you messed up.
>
> On the other hand, if you're locked out while logging in, before you
> have access to a shell, then running
>
> # faillock --reset --user [your username]
>
> as root will do the same. Note that by default root has no fail lock, so
> this solution should always be possible.
>
> I hope this saves you a few reboots.
>
> Best,
> Jaron
>
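The thread argues about what pam_faillock's default lockout does and how `faillock --reset` undoes it. The following is an added example, not code from the thread, from the Linux-PAM project or from the linked configs: a small simulator of the tally logic, with `deny`, `fail_interval` and `unlock_time` read from faillock.conf-style text, so the window and unlock semantics, and the fact that a correct password is refused once the tally is full, can be seen on constructed timestamps. The semantics follow the faillock.conf(5) and pam_faillock(8) man pages; the config snippets, the timestamps and the names `parse_faillock_conf`, `FaillockTally` and `locked_after` are this example's own.

```python
# Added example, not code from the thread or from Linux-PAM: a simulator of
# the pam_faillock tally logic being discussed, so the effect of
# deny / fail_interval / unlock_time and of `faillock --reset` can be seen
# on constructed timestamps. Semantics follow the faillock.conf(5) and
# pam_faillock(8) man pages; config text and timestamps are constructed.

DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600}  # man-page defaults


def parse_faillock_conf(text):
    """Parse `key = value` lines of a faillock.conf-style file.

    The three timing keys are coerced to int; `unlock_time = never` maps
    to 0, which the man page defines as "locked until manually reset".
    Comments (#) and blank lines are ignored; other keys are kept verbatim.
    """
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in DEFAULTS:
            conf[key] = 0 if value == "never" else int(value)
        else:
            conf[key] = value
    return conf


class FaillockTally:
    """Failure records for one user, like a file under /var/run/faillock."""

    def __init__(self, conf):
        self.conf = conf
        self.failures = []  # timestamps (seconds) of failed attempts

    def record_failure(self, now):
        self.failures.append(now)

    def reset(self):
        """What `faillock --reset [--user NAME]` does: drop the tally."""
        self.failures = []

    def is_locked(self, now):
        """Approximate the check pam_faillock performs before authenticating.

        Failures inside the last `fail_interval` seconds are counted; once
        they reach `deny`, access is refused until `unlock_time` seconds have
        passed since the latest failure. unlock_time 0 (never) means the
        lock stays until a reset. Who caused the failures is irrelevant,
        which is the accidental-DoS property the thread complains about.
        """
        if not self.failures:
            return False
        latest = max(self.failures)
        recent = [t for t in self.failures if now - t <= self.conf["fail_interval"]]
        if len(recent) < self.conf["deny"]:
            return False
        if self.conf["unlock_time"] == 0:
            return True
        return now - latest < self.conf["unlock_time"]


def locked_after(conf_text, failure_times, check_time, reset_before_check=False):
    """Replay `failure_times`, optionally reset, then answer whether a
    correct password would still be refused at `check_time`."""
    tally = FaillockTally(parse_faillock_conf(conf_text))
    for t in failure_times:
        tally.record_failure(t)
    if reset_before_check:
        tally.reset()
    return tally.is_locked(check_time)


# Constructed sample configs: a fully commented file (so the man-page
# defaults apply), a variant with a shorter self-inflicted lockout (a
# tuning choice made for this example, not advice from the thread), and
# one that never unlocks on its own.
DEFAULT_CONF = """
# deny = 3
# fail_interval = 900
# unlock_time = 600
"""
SHORT_UNLOCK_CONF = "deny = 3\nfail_interval = 900\nunlock_time = 60\n"
NEVER_UNLOCK_CONF = "deny = 3\nunlock_time = never\n"


if __name__ == "__main__":
    mistypes = [0, 10, 20]  # three wrong passwords within 20 seconds
    for label, conf in [("default", DEFAULT_CONF), ("unlock_time=60", SHORT_UNLOCK_CONF)]:
        for now in (21, 100, 700):
            state = "LOCKED" if locked_after(conf, mistypes, now) else "open"
            print(f"{label:15s} t={now:4d}s  {state}")
    print("after faillock --reset:", locked_after(DEFAULT_CONF, mistypes, 21, reset_before_check=True))
```

With the defaults, the third mistype locks the account for 600 seconds even though the password typed afterwards is right, which is exactly the "same error for a wrong password and a timed-out one" experience described above; on a real system `faillock --user NAME` prints the tally that this class models, and `faillock --reset` empties it.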



