On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote:
> Hi Tomas,
>
> Thanks for your response.
>
> On Jun 06, 2013, at 09:28 AM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
> > This is not correct, the third pam_faillock line would never be called
> > as the second line will always fail. So you can remove it.
>
> I see what you're saying, is this because [default=die] causes all
> return codes to act as though an error happened? But why does the
> pam_faillock man page say to place the lines in this way? Even more
> important, why can I log in successfully with that configuration?
> Shouldn't I fail to log in all the time?

Nope, because the 'sufficient' pam_unix and pam_sss modules will just
terminate the PAM stack execution with success when the user gives the
correct password. Please study the pam.conf manual page.

> I was under the impression that one of the lines has a success type
> function and the other one has a failure type function.

The success function of the module should be called if the module that
does the password verification succeeds (how to do this can be seen in
the first example in the pam_faillock manpage). However, this makes the
configuration more complicated if you have multiple such modules, as in
your case.

> > And just add
> > account required pam_faillock.so
> > line to the beginning of account section. Otherwise the fail count will
> > never be reset on successful authentication.
>
> I have removed the 3rd line, and I have placed the account line at the
> beginning of the account section. For some reason now, faillock does
> not increment new failures for my users. Any ideas?

I'd have to see your current PAM config to tell. Also you need to
examine the failures before you log in successfully with that user,
because the account required pam_faillock.so will reset the failures
once the user successfully authenticates.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
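The control-flow argument in the reply above (the [default=die] authfail line stops the stack, so an authsucc line after it is dead; a 'sufficient' pam_unix success ends the auth stack before authsucc too, so only the account-phase pam_faillock line resets the tally) can be traced with a small model of libpam's dispatcher. The block below is an added example written for this page, not code from the thread or from Linux-PAM. Bryan's actual /etc/pam.d file was never posted, so THREAD_AUTH is a reconstruction from what the messages describe; the module functions are simplified stand-ins for pam_faillock, pam_unix, pam_sss and pam_deny (a counter instead of /var/run/faillock, no interval or unlock_time handling); and the control-flag expansions follow pam.conf(5).

```python
# Added example: trace Linux-PAM stack control flow for the pam_faillock layouts
# discussed in the thread. Module behaviours are simplified models, not real code.

SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"

# Control-flag shorthands as expanded in pam.conf(5): {return code: action}.
REQUIRED = {SUCCESS: "ok", "default": "bad"}
REQUISITE = {SUCCESS: "ok", "default": "die"}
SUFFICIENT = {SUCCESS: "done", "default": "ignore"}
DEFAULT_DIE = {"default": "die"}                # [default=die]
JUMP1_OR_BAD = {SUCCESS: 1, "default": "bad"}   # [success=1 default=bad]


class Tally:
    """Per-user failure counter standing in for the faillock tally file (model)."""
    def __init__(self, deny=3):
        self.fails = 0
        self.deny = deny


# Simplified module models (assumptions; not the real pam_faillock/pam_unix logic).
def faillock_preauth(tally, password_ok):
    return AUTH_ERR if tally.fails >= tally.deny else SUCCESS

def faillock_authfail(tally, password_ok):
    tally.fails += 1                 # record one more failure
    return AUTH_ERR

def faillock_authsucc(tally, password_ok):  # also models the account-phase call
    if tally.fails >= tally.deny:
        return AUTH_ERR
    tally.fails = 0                  # a successful login clears the tally
    return SUCCESS

def pam_unix(tally, password_ok):
    return SUCCESS if password_ok else AUTH_ERR

def pam_deny(tally, password_ok):
    return AUTH_ERR


def run_stack(stack, tally, password_ok):
    """Walk one stack the way libpam's dispatcher does (simplified).

    stack: list of (name, control dict, module function).
    Returns (final status, names of the modules that actually ran).
    """
    impression, status, ran, skip = UNDEF, None, [], 0
    for name, control, module in stack:
        if skip:                     # inside a [success=N] jump
            skip -= 1
            continue
        retval = module(tally, password_ok)
        ran.append(name)
        action = control.get(retval, control.get("default", "bad"))
        if action == "ignore":
            continue
        if isinstance(action, int):  # N: behave like "ok", then skip N modules
            skip, action = action, "ok"
        if action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break                # 'sufficient' only short-circuits without an earlier failure
        else:                        # "bad" or "die"
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval   # first failure wins
            if action == "die":
                break
    return (status if status is not None else PERM_DENIED), ran


# Reconstructed shape of the stack described in the thread (assumption).
THREAD_AUTH = [
    ("faillock preauth", REQUIRED, faillock_preauth),
    ("pam_unix", SUFFICIENT, pam_unix),
    ("pam_sss", SUFFICIENT, pam_unix),                    # stand-in for sssd
    ("faillock authfail", DEFAULT_DIE, faillock_authfail),
    ("faillock authsucc", SUFFICIENT, faillock_authsucc),  # the dead third line
    ("pam_deny", REQUIRED, pam_deny),
]
THREAD_ACCOUNT = [("faillock account", REQUIRED, faillock_authsucc)]

# Shape of the first pam_faillock(8) example: pam_unix jumps over authfail on success.
MANPAGE_AUTH = [
    ("faillock preauth", REQUIRED, faillock_preauth),
    ("pam_unix", JUMP1_OR_BAD, pam_unix),
    ("faillock authfail", DEFAULT_DIE, faillock_authfail),
    ("faillock authsucc", SUFFICIENT, faillock_authsucc),
    ("pam_deny", REQUIRED, pam_deny),
]


def login(auth_stack, account_stack, tally, password_ok):
    """Run the auth stack, then the account stack on success; returns (status, ran)."""
    status, ran = run_stack(auth_stack, tally, password_ok)
    if status == SUCCESS:
        status, ran2 = run_stack(account_stack, tally, password_ok)
        ran += ran2
    return status, ran


if __name__ == "__main__":
    for ok in (False, True):
        t = Tally(deny=3)
        print("thread stack, password_ok=%s:" % ok, login(THREAD_AUTH, THREAD_ACCOUNT, t, ok), "fails=%d" % t.fails)
```

Running it shows the two points from the reply: with a wrong password the trace ends at "faillock authfail" and "faillock authsucc" never runs; with the right password the auth stack ends at "pam_unix", so the tally is only cleared when the account-phase line runs. Swapping the 'required' preauth line for 'requisite' (as the pam_faillock man page suggests) stops a locked user at preauth instead of still running the password modules.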