Re: PAM faillock and sssd

Hi Tomas,

Thanks for your response.

On Jun 06, 2013, at 09:28 AM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:

> This is not correct, the third pam_faillock line would never be called
> as the second line will always fail. So you can remove it.
 
I see what you're saying. Is this because [default=die] causes all return codes to act as though an error happened? But why does the pam_faillock man page say to place the lines in this way? Even more important, why can I log in successfully with that configuration? Shouldn't I fail to log in all the time?

I was under the impression that one of the lines has a success type function and the other one has a failure type function.

> And just add
> account required pam_faillock.so
> line to the beginning of account section. Otherwise the fail count will
> never be reset on successful authentication.
 
I have removed the 3rd line, and I have placed the account line at the beginning of the account section. For some reason now, faillock does not increment new failures for my users. Any ideas?

Bryan
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
