NAME
faillock.conf - pam_faillock configuration file
DESCRIPTION
faillock.conf provides a way to configure the default settings for locking the user after multiple failed authentication attempts. This file is read by the pam_faillock module and is the preferred method over configuring pam_faillock directly.
The file has a very simple name = value format, with optional comments starting with the # character. Whitespace at the beginning of a line, at the end of a line, and around the = sign is ignored.
OPTIONS
dir=/path/to/tally-directory
Note: These files will disappear after reboot on systems configured with directory /var/run/faillock mounted on virtual memory.
audit
silent
no_log_info
local_users_only
nodelay
deny=n
fail_interval=n
unlock_time=n
Note that the default directory that pam_faillock uses is usually cleared on system boot, so access will also be re-enabled after a system reboot. If that is undesirable, a different tally directory must be set with the dir option.
Also note that it is usually undesirable to permanently lock out users, as they can easily become the target of a denial of service attack unless the usernames are random and kept secret from potential attackers.
even_deny_root
root_unlock_time=n
admin_group=name
EXAMPLES
/etc/security/faillock.conf file example:
deny=4
unlock_time=1200
silent
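The following checker is an added example, not part of pam_faillock or of the original page. It parses the name = value format described above, reports unrecognised or malformed lines, and tells whether the tally directory survives a reboot. The function names, the SAMPLE text, the treatment of # anywhere on a line as a comment start, and /var/run/faillock as the default directory are assumptions.

```python
# Option names as listed in the OPTIONS section of this page.
FLAGS = {"audit", "silent", "no_log_info", "local_users_only",
         "nodelay", "even_deny_root"}
VALUED = {"dir", "deny", "fail_interval", "unlock_time",
          "root_unlock_time", "admin_group"}
COUNTS = {"deny", "fail_interval"}  # checked as plain integers here
VOLATILE_PREFIXES = ("/var/run/", "/run/")  # assumption: memory-backed paths

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# lock after four failures
  deny = 4
unlock_time=1200   # seconds
silent
dir = /var/lib/faillock
deny_root
fail_interval = soon
"""


def parse_faillock_conf(text):
    """Return (settings, problems) for faillock.conf-style text."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment wherever it appears on a line.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if name in FLAGS and not sep:
            settings[name] = True
        elif name in VALUED and value:
            if name in COUNTS and not value.isdigit():
                problems.append(f"line {lineno}: {name} needs a number, got {value!r}")
            else:
                settings[name] = value
        else:
            problems.append(f"line {lineno}: unrecognised or malformed: {line!r}")
    return settings, problems


def tally_survives_reboot(settings):
    """False when the tally directory is on a path usually cleared at boot."""
    # Assumption: with no dir option the module uses /var/run/faillock.
    tally_dir = settings.get("dir", "/var/run/faillock").rstrip("/") + "/"
    return not tally_dir.startswith(VOLATILE_PREFIXES)


if __name__ == "__main__":
    print(parse_faillock_conf(SAMPLE), tally_survives_reboot({}))
```

A misspelled option name such as the constructed deny_root line is reported by the checker, so an intended lockout rule that never took effect is visible at review time.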
FILES
/etc/security/faillock.conf
SEE ALSO
faillock(8), pam_faillock(8), pam.conf(5), pam.d(5), pam(8)
AUTHOR
pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.