Shutdown Laptop after failed login attempts (and fall back to LUKS)

Hi,

I’ve been running on full disk encryption (LUKS) for several years now and it works great. As I’m living in a country where the government can stop by any time to “check on you” and take your device without giving much of a reason (or making one up), I recently realized that my laptop is rarely turned off - so the disk encryption is of little use in that scenario. If I’m not on my laptop I usually lock my screen though.

However, my disk encryption password is much stronger than my login password (and I think it’s much easier to access a running system).

So I researched how I can escalate the encryption to full disk encryption if someone enters the login password wrong several times.

I found this post on Stackexchange (seems I can’t include links, just search “how-to-configure-a-shutdown-at-the-xth-wrong-entered-password”) and adapted it to the latest pam 1.4.0 changes (pam_faillock) mentioned in this Reddit post (search “user_locked_for_10_minutes_after_first_failed”).

Here’s the final code:

auth [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_faillock.so onerr=succeed deny=3 even_deny_root unlock_time=30
auth required pam_exec.so /usr/bin/poweroff

From the Stackexchange post:

  • success=1 skips the next line preventing the shutdown of the system if pam_faillock succeeds.
  • unlock_time=30 unlocks the account automatically after 30 seconds in order to prevent a permanent lockout of your root account.

All it does (as far as I understand) is shut down the system after 3 failed attempts (deny=3) to login to the system.

I pasted this code at the top of /etc/pam.d/login and /etc/pam.d/lightdm (I use lightdm) and tested it in a VM (both lightdm and tty). It seems to work as intended: after 3 failed login attempts the system shuts down.

Is there anything else I need to pay attention to, be aware of or should consider? I have no experience with pam and would like to avoid that I accidentally lock myself completely out of my system under certain conditions because of these changes.
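To see why `success=1` is the only return value that skips the poweroff line, here is a small evaluator of the pam.d(5) control-field semantics run over the two lines from the post. This is an added example, not code from the thread or the linked posts; the trailing `pam_unix.so` line is a hypothetical stand-in for the rest of the real auth stack, and the return values (`success`, `auth_err`, `ignore`) are the pam.d(5) spellings.

```python
# Added example: trace which lines of the posted auth stack actually run,
# following the action semantics documented in pam.d(5).

# Shorthand 'required' as defined in pam.d(5)
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"

# The two lines from the post, followed by a hypothetical password module.
STACK = [
    ("[success=1 new_authtok_reqd=ok ignore=ignore default=bad]", "pam_faillock.so"),
    ("required", "pam_exec.so /usr/bin/poweroff"),
    ("required", "pam_unix.so"),  # hypothetical: rest of the real stack
]

def parse_control(ctl):
    """'[success=1 default=bad]' or 'required' -> {return value: action}."""
    if ctl == "required":
        ctl = REQUIRED
    return dict(kv.split("=", 1) for kv in ctl.strip("[]").split())

def evaluate(stack, returns):
    """Walk the stack, taking each module's return value from `returns`.
    Returns (overall stack result, list of module lines actually executed)."""
    result, executed, skip = None, [], 0
    for ctl, module in stack:
        if skip:
            skip -= 1            # jumped over by a preceding N action
            continue
        executed.append(module)
        actions = parse_control(ctl)
        action = actions.get(returns[module], actions.get("default", "bad"))
        if action.isdigit():     # N: behaves like ok and skips the next N lines
            skip, action = int(action), "ok"
        if action in ("ok", "done") and result is None:
            result = "success"   # ok never overrides an earlier failure
        elif action in ("bad", "die") and result != "failure":
            result = "failure"   # the first failure decides the stack result
        if action == "die" or (action == "done" and result == "success"):
            break
    return result or "failure", executed

def trace(faillock_rv):
    """Result for a given pam_faillock return value and whether poweroff ran."""
    returns = {m: "success" for _, m in STACK}
    returns["pam_faillock.so"] = faillock_rv
    result, ran = evaluate(STACK, returns)
    return result, any("poweroff" in m for m in ran)

if __name__ == "__main__":
    for rv in ("success", "auth_err", "ignore"):
        print(rv, "->", trace(rv))
```

Only a `success` return takes the `1` jump; a denied attempt lands on `default=bad` and a hypothetical `ignore` return maps to `ignore=ignore`, so in both cases the next line (`pam_exec.so /usr/bin/poweroff`) is executed.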


Please read this for the future, but I found it already :

Yeah, looks good!

I would have solved your issue completely different though:

  • When someone asks me not to touch anything, just slam the thing shut and have the machine hibernate when the lid is closed, raise your arms and say "I didn’t touch anything!", unplug it from power and hand it to them.

(Or maybe you can do both!)

:wink:


Thank you, will keep that in mind.

Here are the links for anyone who finds this in the future:
StackExchange: https://unix.stackexchange.com/questions/511503/how-to-configure-a-shutdown-at-the-xth-wrong-entered-password
Reddit: https://www.reddit.com/r/gnome/comments/ikobgg/user_locked_for_10_minutes_after_first_failed/

Thanks!

Haha, yes that can be an option - but if they enter at night or when you’re not at home this won’t work :slight_smile:


I’ve marked this answer as the solution to your question as it is by far the best answer you’ll get.

However, if you disagree with my choice, please feel free to take any other answer as the solution to your question or even remove the solution altogether: You are in control! (If you disagree with my choice, just send me a personal message and explain why I shouldn’t have done this or :heart: or :+1: if you agree)

:innocent:
P.S. In the future, please don’t forget to come back and click the 3 dots below the answer to mark a solution like this below the answer that helped you most:
Solution
so that the next person that has the exact same problem you just had will benefit from your post as well as your question will now be in the “solved” status.


This idea looks pretty interesting. I cannot add much here, just suggest more testing in VM or on some test user, not your main account.


I have implemented this on my live system now and it seems to work. Will report back if I’d run into issues. Thanks for the feedback!


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.