Hi,
I’ve been running full disk encryption (LUKS) for several years now and it works great, as I’m living in a country where the government can stop by any time to “check on you” and take your device without giving much of a reason (or making a reason up). Recently I realized that my laptop is rarely turned off, so the disk encryption is of little use in that scenario. When I’m not at my laptop I usually lock my screen, though.
However, my disk encryption password is much stronger than my login password (and I think it’s much easier to access a running system).
So I researched how I can escalate the encryption to full disk encryption if someone enters the login password wrong several times.
I found this post on Stack Exchange (it seems I can’t include links, just search “how-to-configure-a-shutdown-at-the-xth-wrong-entered-password”) and adapted it to the latest PAM 1.4.0 changes (pam_faillock) mentioned in this Reddit post (search “user_locked_for_10_minutes_after_first_failed”).
Here’s the final code:
auth [success=1 new_authtok_reqd=ok ignore=ignore default=bad] pam_faillock.so onerr=succeed deny=3 even_deny_root unlock_time=30
auth required pam_exec.so /usr/bin/poweroff
From the Stack Exchange post:
- success=1 skips the next line preventing the shutdown of the system if pam_faillock succeeds.
- unlock_time=30 unlocks the account automatically after 30 seconds in order to prevent a permanent lockout of your root account.
All it does (as far as I understand) is shut down the system after 3 failed attempts (deny=3) to login to the system.
I pasted this code at the top of /etc/pam.d/login and /etc/pam.d/lightdm (I use lightdm) and tested it in a VM (both lightdm and tty). It seems to work as intended: after 3 failed login attempts the system shuts down.
Is there anything else I need to pay attention to, be aware of or should consider? I have no experience with PAM and would like to avoid accidentally locking myself completely out of my system under certain conditions because of these changes.
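To see why the success=1 jump in the first line is what keeps the poweroff from running on a normal login, and what happens once pam_faillock refuses the user, here is a small simulator of the auth-stack control syntax from pam.conf(5), run over the two lines above. This is an added example, not code from the post or from Linux-PAM itself: the three module callables are stand-ins (an assumption) that only return the values needed to trace the control flow; the real pam_faillock tally bookkeeping (preauth/authfail/authsucc roles, unlock_time) and the real pam_exec module are not modelled, and the `pam_unix` line is a stand-in for the password check that the rest of the PAM file would normally include.

```python
"""Simulate how libpam walks an auth stack written in pam.conf(5) control
syntax, using the two lines from the post.

Added example, not code from the original post or from Linux-PAM. The
module callables in simulate() are stubs (assumption): they reproduce only
the return values needed to trace control flow, not the real tally logic
of pam_faillock or the real pam_exec module.
"""

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_PERM_DENIED = "perm_denied"   # what libpam returns if no module contributed

# Keyword controls are shorthand for bracketed controls, per pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Map 'required' or '[success=1 default=bad]' to {return value: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: %s" % control)
    return dict(pair.split("=", 1) for pair in control[1:-1].split())


def run_stack(lines, modules):
    """Evaluate [(control, module_name), ...] left to right.

    Returns (stack_result, names_of_modules_that_ran). Rules follow
    pam.conf(5): the first failing module's code becomes the stack result
    ('bad'), 'ok' only overrides an unset or successful state, 'die' and
    'done' stop the stack, 'ignore' contributes nothing, and a number N is
    'ok' plus a jump over the next N module lines.
    """
    result = None
    ran = []
    i = 0
    while i < len(lines):
        control, name = lines[i]
        actions = parse_control(control)
        rv = modules[name]()
        ran.append(name)
        action = actions.get(rv, actions.get("default", "ignore"))
        skip = 0
        if action.isdigit():
            skip, action = int(action), "ok"
        if action in ("ok", "done", "bad", "die"):
            if result is None or result == PAM_SUCCESS:
                result = rv
            if action in ("done", "die"):
                break
        elif action == "reset":
            result = None
        elif action != "ignore":
            raise ValueError("unknown action: %s" % action)
        i += 1 + skip
    return (result if result is not None else PAM_PERM_DENIED), ran


def simulate(failed_attempts, password_ok, deny=3):
    """Trace one login through the post's stack for a given tally state.

    failed_attempts is taken as an input: the stub does not count, the real
    module does that in its authfail role.
    """
    poweroffs = []

    def pam_faillock():
        # Stub: refuse once the tally has reached `deny` (mirrors deny=3).
        return PAM_AUTH_ERR if failed_attempts >= deny else PAM_SUCCESS

    def pam_exec_poweroff():
        poweroffs.append("/usr/bin/poweroff")   # stand-in for actually running it
        return PAM_SUCCESS

    def pam_unix():
        return PAM_SUCCESS if password_ok else PAM_AUTH_ERR

    lines = [
        ("[success=1 new_authtok_reqd=ok ignore=ignore default=bad]", "pam_faillock"),
        ("required", "pam_exec_poweroff"),
        ("required", "pam_unix"),   # stand-in for the included password check
    ]
    modules = {"pam_faillock": pam_faillock,
               "pam_exec_poweroff": pam_exec_poweroff,
               "pam_unix": pam_unix}
    result, ran = run_stack(lines, modules)
    return result, ran, poweroffs


if __name__ == "__main__":
    for attempts, ok in ((0, True), (0, False), (3, True)):
        print("tally=%d password_ok=%s -> %s" % (attempts, ok, simulate(attempts, ok)))
```

The three traces show the two paths that matter: with the tally below deny, pam_faillock returns success, the jump of 1 skips the pam_exec line and the password is checked as usual (a wrong password just fails, nothing is powered off); once the tally has reached deny, pam_faillock returns a failure, default=bad records it as the stack result, and because pam_exec is a separate required line it still runs, so the poweroff fires before the password is even looked at.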