From aa5451c8cda02e6df3dc089bf813e6acd9878a59 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon, 25 Nov 2019 01:39:53 -0500
Subject: [PATCH] Lock user accounts after 50 rather than 100 failed login
 attempts.

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
---
 debian/control                             | 2 +-
 usr/lib/security-misc/pam_tally2-info      | 2 +-
 usr/share/pam-configs/tally2-security-misc | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/debian/control b/debian/control
index 1466f43..979da56 100644
--- a/debian/control
+++ b/debian/control
@@ -151,7 +151,7 @@ Description: enhances misc security settings
   * Abort login for users with locked passwords.
  /usr/lib/security-misc/pam-abort-on-locked-password
  .
- * Lock user accounts after 100 failed login attempts using pam_tally2.
+ * Lock user accounts after 50 failed login attempts using pam_tally2.
  /usr/share/pam-configs/tally2-security-misc
  .
   * Logging into the root account from a virtual, serial, whatnot console is
diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info
index b172550..e32b237 100755
--- a/usr/lib/security-misc/pam_tally2-info
+++ b/usr/lib/security-misc/pam_tally2-info
@@ -54,7 +54,7 @@ fi
 
 deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
 ## Example:
-#auth	requisite	pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
+#auth	requisite	pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
 
 for word in $deny_line ; do
    if echo "$word" | grep -q "deny=" ; then
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
index d4bd26b..7633971 100644
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
@@ -1,10 +1,10 @@
-Name: lock accounts after 100 failed authentication attempts (by package security-misc)
+Name: lock accounts after 50 failed authentication attempts (by package security-misc)
 Default: yes
 Priority: 260
 Auth-Type: Primary
 Auth:
 	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
-	requisite	pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
+	requisite	pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
 Account-Type: Primary
 Account:
 	requisite	pam_tally2.so debug