path: root/modules/pam_faillock/faillock.conf.5
Diffstat (limited to 'modules/pam_faillock/faillock.conf.5')
-rw-r--r-- modules/pam_faillock/faillock.conf.5 | 175
1 files changed, 0 insertions, 175 deletions
diff --git a/modules/pam_faillock/faillock.conf.5 b/modules/pam_faillock/faillock.conf.5
deleted file mode 100644
index fd257b08..00000000
--- a/modules/pam_faillock/faillock.conf.5
+++ /dev/null
@@ -1,175 +0,0 @@
-'\" t
-.\" Title: faillock.conf
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
-.\" Date: 05/07/2023
-.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM
-.\" Language: English
-.\"
-.TH "FAILLOCK\&.CONF" "5" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-faillock.conf \- pam_faillock configuration file
-.SH "DESCRIPTION"
-.PP
-\fBfaillock\&.conf\fR
-provides a way to configure the default settings for locking the user after multiple failed authentication attempts\&. This file is read by the
-\fIpam_faillock\fR
-module and is the preferred method over configuring
-\fIpam_faillock\fR
-directly\&.
-.PP
-The file has a very simple
-\fIname = value\fR
-format with possible comments starting with
-\fI#\fR
-character\&. The whitespace at the beginning of line, end of line, and around the
-\fI=\fR
-sign is ignored\&.
-.SH "OPTIONS"
-.PP
-dir=/path/to/tally\-directory
-.RS 4
-The directory where the user files with the failure records are kept\&. The default is
-/var/run/faillock\&.
-.sp
-Note: These files will disappear after reboot on systems configured with directory
-/var/run/faillock
-mounted on virtual memory\&.
-.RE
-.PP
-audit
-.RS 4
-Will log the user name into the system log if the user is not found\&.
-.RE
-.PP
-silent
-.RS 4
-Don\*(Aqt print informative messages to the user\&. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non\-existing users\&.
-.RE
-.PP
-no_log_info
-.RS 4
-Don\*(Aqt log informative messages via
-\fBsyslog\fR(3)\&.
-.RE
-.PP
-local_users_only
-.RS 4
-Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc\&.) users\&. The
-\fBfaillock\fR(8)
-command will also no longer track user failed authentication attempts\&. Enabling this option will prevent a double\-lockout scenario where a user is locked out locally and in the centralized mechanism\&.
-.RE
-.PP
-nodelay
-.RS 4
-Don\*(Aqt enforce a delay after authentication failures\&.
-.RE
-.PP
-deny=n
-.RS 4
-Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds
-\fIn\fR\&. The default is 3\&.
-.RE
-.PP
-fail_interval=n
-.RS 4
-The length of the interval during which the consecutive authentication failures must happen for the user account lock out is
-\fIn\fR
-seconds\&. The default is 900 (15 minutes)\&.
-.RE
-.PP
-unlock_time=n
-.RS 4
-The access will be re\-enabled after
-\fIn\fR
-seconds after the lock out\&. The value 0 has the same meaning as value
-\fInever\fR
-\- the access will not be re\-enabled without resetting the faillock entries by the
-\fBfaillock\fR(8)
-command\&. The default is 600 (10 minutes)\&.
-.sp
-Note that the default directory that
-\fIpam_faillock\fR
-uses is usually cleared on system boot so the access will be also re\-enabled after system reboot\&. If that is undesirable a different tally directory must be set with the
-\fBdir\fR
-option\&.
-.sp
-Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers\&.
-.RE
-.PP
-even_deny_root
-.RS 4
-Root account can become locked as well as regular accounts\&.
-.RE
-.PP
-root_unlock_time=n
-.RS 4
-This option implies
-\fBeven_deny_root\fR
-option\&. Allow access after
-\fIn\fR
-seconds to root account after the account is locked\&. In case the option is not specified the value is the same as of the
-\fBunlock_time\fR
-option\&.
-.RE
-.PP
-admin_group=name
-.RS 4
-If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options
-\fBeven_deny_root\fR
-and
-\fBroot_unlock_time\fR
-will apply to them\&. By default the option is not set\&.
-.RE
-.SH "EXAMPLES"
-.PP
-/etc/security/faillock\&.conf file example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-deny=4
-unlock_time=1200
-silent
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "FILES"
-.PP
-/etc/security/faillock\&.conf
-.RS 4
-the config file for custom options
-.RE
-.SH "SEE ALSO"
-.PP
-\fBfaillock\fR(8),
-\fBpam_faillock\fR(8),
-\fBpam.conf\fR(5),
-\fBpam.d\fR(5),
-\fBpam\fR(8)
-.SH "AUTHOR"
-.PP
-pam_faillock was written by Tomas Mraz\&. The support for faillock\&.conf was written by Brian Ward\&.
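Review bot: The whole of faillock.conf.5 goes away at `@@ -1,175 +0,0 @@`, and this path-limited view shows nothing that regenerates it. The header marks the file as DocBook XSL output ("Generator: DocBook XSL Stylesheets v1.79.2"), so please confirm the build still produces and installs the page. Administrators rely on it for the documented defaults (deny 3, fail_interval 900 seconds, unlock_time 600 seconds), for the note that the default tally directory is usually cleared on boot, and for the warning that permanent lockout makes accounts a denial-of-service target. If the text lives on in a source document, two things there are worth fixing: the admin_group paragraph opens a parenthesis at "(the options" that is never closed after "will apply to them", and the deny description says access is denied when failures "exceeds n", which leaves it unclear whether the lock happens at n or at n+1 failures.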