security-misc/usr/share/pam-configs/tally2-security-misc

Name: lock accounts after 5 failed authentication attempts (by package security-misc)
Default: yes
Priority: 260
Auth-Type: Primary
Auth:
	requisite	pam_tally2.so deny=100 onerr=fail audit debug
Account-Type: Primary
Account:
	requisite	pam_tally2.so debug
split usr/share/pam-configs/security-misc into usr/share/pam-configs/tally2-security-misc usr/share/pam-configs/wheel-security-misc 2019-08-01 18:04:22 +07:00			`Name: lock accounts after 5 failed authentication attempts (by package security-misc)`
			`Default: yes`
			`Priority: 260`
			`Auth-Type: Primary`
			`Auth:`
use requisite rather than required to avoid asking for password needlessly if login will fail anyhow 2019-08-15 14:30:56 +07:00			`requisite pam_tally2.so deny=100 onerr=fail audit debug`
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account This is required because otherwise something like "sudo bash" would count as a failed login for pam_tally2 even though it was successful. https://bugzilla.redhat.com/show_bug.cgi?id=707660 https://forums.whonix.org/t/restrict-root-access/7658 2019-08-10 17:06:39 +07:00			`Account-Type: Primary`
			`Account:`
use requisite rather than required to avoid asking for password needlessly if login will fail anyhow 2019-08-15 14:30:56 +07:00			`requisite pam_tally2.so debug`