Help with PAM and Stable Update 2020-08-28

mezzo · 6 September 2020 20:52

My /etc/pam.d/system-login contains:

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_tally2.so 
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so

From what I’ve read so far all I need to do is replace “pam_tally2.so” with “pam_faillock.so”. And change the last line in the file to: “session required pam_env.so user_readenv=1”

Is the above changes correct?

Also, “grep -E “pam_tally|pam_cracklib” /etc/pam.d/*” shows:

/etc/pam.d/passwd:#password     required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
/etc/pam.d/sddm-autologin:auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
/etc/pam.d/system-login:auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
/etc/pam.d/system-login:account    required   pam_tally2.so

Do I change the line in /etc/pam.d/sddm-autologin to be: “auth required pam_faillock” or “auth required faillock file=/var/log/faillog onerr=succeed”

Thanks.

Aragorn · 6 September 2020 21:08

Here are my own copies of the three files. I have not made any modifications to them, and I have not had any login problems since the update.

`/etc/pam.d/system-login`

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so           user_readenv=1

`/etc/pam.d/system-auth`

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

`/etc/pam.d/sddm-autologin`

#%PAM-1.0
auth        required    pam_env.so
auth        required    pam_faillock.so preauth
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        required    pam_permit.so
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
account     include     system-local-login
password    include     system-local-login
session     include     system-local-login
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start