Hi Tomas,
Thanks for your response.
On Jun 06, 2013, at 09:28 AM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
> This is not correct, the third pam_faillock line would never be called
> as the second line will always fail. So you can remove it.
I see what you're saying. Is this because [default=die] causes all return codes to act as though an error happened? But why does the pam_faillock man page say to place the lines in this way? Even more important, why can I log in successfully with that configuration? Shouldn't I fail to log in all the time?
I was under the impression that one of the lines has a success type function and the other one has a failure type function.
> And just add
> account required pam_faillock.so
> line to the beginning of account section. Otherwise the fail count will
> never be reset on successful authentication.
I have removed the 3rd line, and I have placed the account line at the beginning of the account section. For some reason now, faillock does not increment new failures for my users. Any ideas?
Bryan
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list