1FAILLOCK.CONF(5) Linux-PAM Manual FAILLOCK.CONF(5)
2
3
4
6 faillock.conf - pam_faillock configuration file
7
9 faillock.conf provides a way to configure the default settings for
10 locking the user after multiple failed authentication attempts. This
11 file is read by the pam_faillock module and is the preferred method
12 over configuring pam_faillock directly.
13
14 The file has a very simple name = value format with possible comments
15 starting with # character. The whitespace at the beginning of line, end
16 of line, and around the = sign is ignored.
17
19 dir=/path/to/tally-directory
20 The directory where the user files with the failure records are
21 kept. The default is /var/run/faillock.
22
23 Note: These files will disappear after reboot on systems configured
24 with directory /var/run/faillock mounted on virtual memory.
25
26 audit
27 Will log the user name into the system log if the user is not
28 found.
29
30 silent
31 Don't print informative messages to the user. Please note that when
32 this option is not used there will be difference in the
33 authentication behavior for users which exist on the system and
34 non-existing users.
35
36 no_log_info
37 Don't log informative messages via syslog(3).
38
39 local_users_only
40 Only track failed user authentications attempts for local users in
41 /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. The
42 faillock(8) command will also no longer track user failed
43 authentication attempts. Enabling this option will prevent a
44 double-lockout scenario where a user is locked out locally and in
45 the centralized mechanism.
46
47 nodelay
48 Don't enforce a delay after authentication failures.
49
50 deny=n
51 Deny access if the number of consecutive authentication failures
52 for this user during the recent interval exceeds n. The default is
53 3.
54
55 fail_interval=n
56 The length of the interval during which the consecutive
57 authentication failures must happen for the user account lock out
58 is n seconds. The default is 900 (15 minutes).
59
60 unlock_time=n
61 The access will be re-enabled after n seconds after the lock out.
62 The value 0 has the same meaning as value never - the access will
63 not be re-enabled without resetting the faillock entries by the
64 faillock(8) command. The default is 600 (10 minutes).
65
66 Note that the default directory that pam_faillock uses is usually
67 cleared on system boot so the access will be also re-enabled after
68 system reboot. If that is undesirable a different tally directory
69 must be set with the dir option.
70
71 Also note that it is usually undesirable to permanently lock out
72 users as they can become easily a target of denial of service
73 attack unless the usernames are random and kept secret to potential
74 attackers.
75
76 even_deny_root
77 Root account can become locked as well as regular accounts.
78
79 root_unlock_time=n
80 This option implies even_deny_root option. Allow access after n
81 seconds to root account after the account is locked. In case the
82 option is not specified the value is the same as of the unlock_time
83 option.
84
85 admin_group=name
86 If a group name is specified with this option, members of the group
87 will be handled by this module the same as the root account (the
88 options even_deny_root and root_unlock_time will apply to them. By
89 default the option is not set.
90
92 /etc/security/faillock.conf file example:
93
94 deny=4
95 unlock_time=1200
96 silent
97
98
100 /etc/security/faillock.conf
101 the config file for custom options
102
104 faillock(8), pam_faillock(8), pam.conf(5), pam.d(5), pam(8)
105
107 pam_faillock was written by Tomas Mraz. The support for faillock.conf
108 was written by Brian Ward.
109
110
111
112Linux-PAM 05/07/2023 FAILLOCK.CONF(5)