## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

# Configuration for locking the user after multiple failed
# authentication attempts.
#
# Syntax: pam_faillock's faillock.conf format. Settings that take a value
# are written `key = value`; settings that are switches are written as a
# bare word and are enabled simply by being present (see e.g. `audit`
# below). A leading `#` comments a line out.
#
# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
# NOTE(review): this path is under /var/lib rather than the default
# /var/run; presumably chosen so failure records survive a reboot, since
# /var/run is commonly volatile - confirm. Also confirm the directory is
# created with root-only permissions so tally records cannot be read or
# tampered with by unprivileged users.
dir = /var/lib/security-misc/faillock
#
# Will log the user name into the system log if the user is not found.
# Enabled if option is present.
audit
#
# Don't print informative messages.
# Enabled if option is present.
# silent
#
# Don't log informative messages via syslog.
# Enabled if option is present.
# no_log_info
#
# Only track failed user authentication attempts for local users
# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
# The `faillock` command will also no longer track user failed
# authentication attempts. Enabling this option will prevent a
# double-lockout scenario where a user is locked out locally and
# in the centralized mechanism.
# Enabled if option is present.
# local_users_only
#
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# NOTE(review): 50 is far above the module default of 3. Together with the
# 7-day `fail_interval` below this locks an account after 50 failures within
# a week; confirm this is the intended trade-off between brute-force
# resistance and accidental (or deliberately induced) lockouts.
deny = 50
#
# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is n seconds.
# The default is 900 (15 minutes).
# security-misc note: the interval should be set to infinity if possible,
# however pam_faillock arbitrarily limits this variable to a maximum of 604800
# seconds (7 days). See
# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59
# for details. Therefore we set this to the maximum allowable value of 7 days.
fail_interval = 604800
#
# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# With `never`, a locked account stays locked until an administrator
# clears its records, e.g. `faillock --user <name> --reset`.
unlock_time = never
#
# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# NOTE(review): because `unlock_time` is `never` and `root_unlock_time`
# (below) is left unset, root is locked permanently after `deny` failures
# too. Make sure an out-of-band recovery path (console or rescue access
# able to run `faillock --reset`) exists before deploying this.
even_deny_root
#
# This option implies the `even_deny_root` option.
# Allow access after n seconds to root account after the
# account is locked. In case the option is not specified
# the value is the same as of the `unlock_time` option.
# root_unlock_time = 900
#
# If a group name is specified with this option, members
# of the group will be handled by this module the same as
# the root account (the options `even_deny_root` and
# `root_unlock_time` will apply to them).
# By default, the option is not set.
# admin_group =