On Friday, 12 April 2024 at 13:59 (+0100), Andy Pieters wrote:
The implementation of these timeouts don't provide a method for sending an extra message to the user as to why their login attempt failed, but Linux is open source, so feel free to submit proposals and pull requests to make it more to your liking :-P
In fact, when you attempt to log in from the console while a fail lock has been activated, there is a message printed informing the user that they have used too many password attempts. It even reports the amount of time left on the lock.
I guess that it is up to individual applications that use PAM authentication to find out why their authentication request has been denied, and then decide to tell the user. Having the fail lock refuse authentication using the same API as a wrong password at least provides backwards compatibility for an application like sudo that hasn't added this feature (or has decided not to add it).
Best, Jaron
