1FAILLOCK.CONF(5)               Linux-PAM Manual               FAILLOCK.CONF(5)
2
3
4

NAME

6       faillock.conf - pam_faillock configuration file
7

DESCRIPTION

9       faillock.conf provides a way to configure the default settings for
10       locking the user after multiple failed authentication attempts. This
11       file is read by the pam_faillock module and is the preferred method
12       over configuring pam_faillock directly.
13
14       The file has a very simple name = value format with possible comments
15       starting with # character. The whitespace at the beginning of line, end
16       of line, and around the = sign is ignored.
17

OPTIONS

19       dir=/path/to/tally-directory
20           The directory where the user files with the failure records are
21           kept. The default is /var/run/faillock.
22
23       audit
24           Will log the user name into the system log if the user is not
25           found.
26
27       silent
28           Don't print informative messages to the user. Please note that when
29           this option is not used there will be difference in the
30           authentication behavior for users which exist on the system and
31           non-existing users.
32
33       no_log_info
34           Don't log informative messages via syslog(3).
35
36       local_users_only
37           Only track failed user authentications attempts for local users in
38           /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The
39           faillock(8) command will also no longer track user failed
40           authentication attempts. Enabling this option will prevent a
41           double-lockout scenario where a user is locked out locally and in
42           the centralized mechanism.
43
44       nodelay
45           Don't enforce a delay after authentication failures.
46
47       deny=n
48           Deny access if the number of consecutive authentication failures
49           for this user during the recent interval exceeds n. The default is
50           3.
51
52       fail_interval=n
53           The length of the interval during which the consecutive
54           authentication failures must happen for the user account lock out
55           is n seconds. The default is 900 (15 minutes).
56
57       unlock_time=n
58           The access will be re-enabled after n seconds after the lock out.
59           The value 0 has the same meaning as value never - the access will
60           not be re-enabled without resetting the faillock entries by the
61           faillock(8) command. The default is 600 (10 minutes).
62
63           Note that the default directory that pam_faillock uses is usually
64           cleared on system boot so the access will be also re-enabled after
65           system reboot. If that is undesirable a different tally directory
66           must be set with the dir option.
67
68           Also note that it is usually undesirable to permanently lock out
69           users as they can become easily a target of denial of service
70           attack unless the usernames are random and kept secret to potential
71           attackers.
72
73       even_deny_root
74           Root account can become locked as well as regular accounts.
75
76       root_unlock_time=n
77           This option implies even_deny_root option. Allow access after n
78           seconds to root account after the account is locked. In case the
79           option is not specified the value is the same as of the unlock_time
80           option.
81
82       admin_group=name
83           If a group name is specified with this option, members of the group
84           will be handled by this module the same as the root account (the
85           options even_deny_root and root_unlock_time will apply to them. By
86           default the option is not set.
87

EXAMPLES

89       /etc/security/faillock.conf file example:
90
91           deny=4
92           unlock_time=1200
93           silent
94
95

FILES

97       /etc/security/faillock.conf
98           the config file for custom options
99

SEE ALSO

101       faillock(8), pam_faillock(8), pam.conf(5), pam.d(5), pam(8)
102

AUTHOR

104       pam_faillock was written by Tomas Mraz. The support for faillock.conf
105       was written by Brian Ward.
106
107
108
109Linux-PAM Manual                  11/25/2020                  FAILLOCK.CONF(5)
Impressum