I would like to configure the number of times a user will be prompted for a password (authentication attempts) at login, before the session is dropped. Does PAM support this case? If so, can you help me out with the configuration required for this?
Linux – How to control authentication attempts in PAM
authentication linux login pam
Best Answer
There is a login counter module for PAM called pam_tally which can be used to maintain a count of attempted login attempts, and block further attempts if a certain number of login attempts fail.
Example:
On Debian you could add the following lines to /etc/pam.d/common-auth to give users three login attempts before the account is locked:
The no_magic_root prevents the root user from being locked out.
As peterph pointed out, the unlock_time option can be used to specify a number of seconds after which a locked-out account will automatically be unlocked. By setting this option to 1, i.e. locking the account for one second, the login attempt can be aborted after a specified number of tries, while still allowing the user to retry (almost) immediately.
Adding the following line to /etc/pam.d/common-account will reset the login count on a successful login:
On Fedora, both lines can be added to /etc/pam.d/system-auth.
Access to a locked-out user account can be restored with the accompanying pam_tally utility as follows:
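Added example (not part of the original answer, and not code from the PAM project): a small Python check that parses pam.d-style text and reports whether the pam_tally lockout setup described above is complete. The sample lines are constructed, and `deny=` is pam_tally's attempt-limit option, which the text above does not name.

```python
"""Audit pam.d text for the pam_tally lockout settings discussed above."""

# Constructed sample input; the answer's own configuration lines are not shown.
SAMPLE = """\
auth     required                    pam_tally.so deny=3 unlock_time=1 no_magic_root
auth     [success=1 default=ignore]  pam_unix.so nullok
account  required                    pam_tally.so
"""

def parse_pam_rules(text):
    """Yield (type, module, args) for each rule line of a pam.d file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3 or fields[0].startswith("@"):
            continue                            # blank, @include, or malformed
        i = 1
        # A bracketed control such as [success=1 default=ignore] spans fields.
        if fields[1].startswith("["):
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            module = fields[i + 1].rsplit("/", 1)[-1]   # strip any directory
            yield fields[0].lstrip("-"), module, fields[i + 2:]

def audit_pam_tally(text):
    """Return (options, findings) for the pam_tally rules found in text."""
    rules = [r for r in parse_pam_rules(text) if r[1] == "pam_tally.so"]
    options = {}
    for _, _, args in rules:
        for arg in args:
            key, _, value = arg.partition("=")
            options[key] = value                # flags map to an empty string
    types = {r[0] for r in rules}
    findings = []
    if "auth" not in types:
        findings.append("no auth rule: failed attempts are not counted")
    if "account" not in types:
        findings.append("no account rule: count is not reset on successful login")
    for key in ("deny", "unlock_time"):
        if key not in options:
            findings.append(f"{key} is not set")
        elif not options[key].isdigit():
            findings.append(f"{key} is not a number: {options[key]!r}")
    return options, findings

if __name__ == "__main__":
    options, findings = audit_pam_tally(SAMPLE)
    print(options, findings or "pam_tally lockout settings look complete")
```

To audit a real host, pass the concatenated contents of the files named above (for example /etc/pam.d/common-auth and /etc/pam.d/common-account) to `audit_pam_tally`.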