1FAILLOCK.CONF(5) Linux-PAM Manual FAILLOCK.CONF(5)
2
3
4
6 faillock.conf - pam_faillock configuration file
7
9 faillock.conf provides a way to configure the default settings for
10 locking the user after multiple failed authentication attempts. This
11 file is read by the pam_faillock module and is the preferred method
12 over configuring pam_faillock directly.
13
14 The file has a very simple name = value format with possible comments
15 starting with # character. The whitespace at the beginning of line, end
16 of line, and around the = sign is ignored.
17
19 dir=/path/to/tally-directory
20 The directory where the user files with the failure records are
21 kept. The default is /var/run/faillock.
22
23 audit
24 Will log the user name into the system log if the user is not
25 found.
26
27 silent
28 Don't print informative messages to the user. Please note that when
29 this option is not used there will be difference in the
30 authentication behavior for users which exist on the system and
31 non-existing users.
32
33 no_log_info
34 Don't log informative messages via syslog(3).
35
36 local_users_only
37 Only track failed user authentications attempts for local users in
38 /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The
39 faillock(8) command will also no longer track user failed
40 authentication attempts. Enabling this option will prevent a
41 double-lockout scenario where a user is locked out locally and in
42 the centralized mechanism.
43
44 deny=n
45 Deny access if the number of consecutive authentication failures
46 for this user during the recent interval exceeds n. The default is
47 3.
48
49 fail_interval=n
50 The length of the interval during which the consecutive
51 authentication failures must happen for the user account lock out
52 is n seconds. The default is 900 (15 minutes).
53
54 unlock_time=n
55 The access will be reenabled after n seconds after the lock out.
56 The value 0 has the same meaning as value never - the access will
57 not be reenabled without resetting the faillock entries by the
58 faillock(8) command. The default is 600 (10 minutes).
59
60 Note that the default directory that pam_faillock uses is usually
61 cleared on system boot so the access will be also reenabled after
62 system reboot. If that is undesirable a different tally directory
63 must be set with the dir option.
64
65 Also note that it is usually undesirable to permanently lock out
66 the users as they can become easily a target of denial of service
67 attack unless the usernames are random and kept secret to potential
68 attackers.
69
70 even_deny_root
71 Root account can become locked as well as regular accounts.
72
73 root_unlock_time=n
74 This option implies even_deny_root option. Allow access after n
75 seconds to root account after the account is locked. In case the
76 option is not specified the value is the same as of the unlock_time
77 option.
78
79 admin_group=name
80 If a group name is specified with this option, members of the group
81 will be handled by this module the same as the root account (the
82 options even_deny_root and root_unlock_time will apply to them. By
83 default the option is not set.
84
86 /etc/security/faillock.conf file example:
87
88 deny=4
89 unlock_time=1200
90 silent
91
92
94 /etc/security/faillock.conf
95 the config file for custom options
96
98 faillock(8), pam_faillock(8), pam.conf(5), pam.d(5), pam(8)
99
101 pam_faillock was written by Tomas Mraz. The support for faillock.conf
102 was written by Brian Ward.
103
104
105
106Linux-PAM Manual 12/18/2019 FAILLOCK.CONF(5)