I am currently running Ubuntu GNOME 15.10 with GNOME 3.18, though I used to (a long while back) run Windows 7, and though Ubuntu is better in most ways, there is still a feature lacking, or at least a feature which I haven't found yet…
Is there any way of making it so that on the lock/login screen, after a certain number (defined by me) of incorrect password attempts, it doesn't allow the user to enter their password for a certain amount of time (defined by me), and also logs this to a log?
So, for instance, if a user enters an incorrect password 3 times, they are not allowed to try again for another 5 minutes, and this is also logged to a log defined by me.
It would also be useful if I could optionally make it so that, say, the user enters their password and gets it wrong 2 times: if they try again within the next 5 minutes, it locks them out for 5 minutes; however, if they try again after 5 minutes have passed, the counter of incorrect password attempts is reset back to 0.
Is there already such a feature? Or perhaps a way of manually implementing it with a script or something?
Best Answer
Some background info:
User log-ins are handled by the PAM system (Pluggable Authentication Module) and in this particular case by the pam_tally subsystem (to tally the user accounts). As pam_tally itself will be deprecated, you should use pam_tally2, which comes in two parts:
- pam_tally2.so, being the module that does the authentication itself and which you need to add to the PAM system
- pam_tally2, being a stand-alone program that you'll need to display, change and clear individual counts
The parameters of pam_tally2 you're interested in are:
The configuration:
Add the following lines to /etc/pam.d/login to lock the account after 3 failed logins (also for the root account) and have it unlocked automatically after 50 minutes.
After adding the above configuration, test it: log out and try to log in 3 times with a bogus password. There are 60 seconds to wait after the first and second attempts and 50 minutes after the third try.
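As an added example (not part of the answer above, and not the answer's own configuration), the following POSIX shell script shows the two pam_tally2 lines a chosen threshold and unlock time translate into, and how to read the per-user failure counts back out of the text that the stand-alone pam_tally2 program prints, so the policy can be checked without logging out. The tally file path /var/log/tallylog is pam_tally2's default; the user names and the tally listing are constructed sample data, and the option values (deny, unlock_time) are the ones an administrator would pick for their own policy.

```shell
#!/bin/sh
# Added example: generate pam_tally2 configuration for a lockout policy and
# read failure counts from pam_tally2's listing. Not the answer's own lines.
# /var/log/tallylog is the pam_tally2 default tally file (assumption only
# in the sense that a host may override it).

# Emit the two lines to add to /etc/pam.d/login.
#   $1 = failed attempts before lockout       (deny=N)
#   $2 = seconds until the counter auto-unlocks (unlock_time=N)
#   $3 = tally file (optional, default /var/log/tallylog)
pam_tally2_lines() {
    deny=$1
    unlock=$2
    tally=${3:-/var/log/tallylog}
    case $deny$unlock in
        *[!0-9]*|'') echo "deny and unlock_time must be whole numbers" >&2; return 1 ;;
    esac
    # even_deny_root applies the same policy to root; onerr=fail refuses the
    # login when the tally file cannot be read, so a damaged or missing file
    # cannot silently disable the lockout.
    printf 'auth     required   pam_tally2.so file=%s deny=%s even_deny_root unlock_time=%s onerr=fail\n' \
        "$tally" "$deny" "$unlock"
    printf 'account  required   pam_tally2.so\n'
}

# Constructed sample of what `pam_tally2` (no arguments) prints on a host
# where two users have recent failures. Not captured from a real machine.
SAMPLE_TALLY='Login           Failures Latest failure     From
alice               4    05/01/16 09:12:31  tty1
bob                 1    05/01/16 09:15:02  pts/0'

# Read pam_tally2 output on stdin and print the failure count for user $1
# (0 if the user has no entry). The first line is the column header.
tally_failures() {
    awk -v u="$1" 'NR > 1 && $1 == u { print $2; found = 1 }
                   END { if (!found) print 0 }'
}

# Given pam_tally2 output on stdin, report whether user $1 is currently
# locked under a policy of deny=$2: prints "locked" or "ok".
tally_state() {
    n=$(tally_failures "$1")
    [ "$n" -ge "$2" ] && echo locked || echo ok
}

# Demonstration when run directly. On a real host the listing would come
# from `pam_tally2` itself, and `pam_tally2 --user=alice --reset` clears
# the counter before unlock_time has elapsed.
pam_tally2_lines 3 3000
printf '%s\n' "$SAMPLE_TALLY" | tally_state alice 3
printf '%s\n' "$SAMPLE_TALLY" | tally_state bob 3
```

The generated lines apply to the login program only; a graphical lock screen or display manager uses its own PAM service file, so the same two lines have to go into that service's file (or into the shared common-auth include) for the lockout to cover it.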