Hi, first time poster here.
I’m using v. 20.2, and I think the GUI for both my desktop environment and the lockscreen is GNOME. I’m having difficulty changing/editing the standard Plugged Authentication Module settings. The last version I used there was no lockout after X attempts. From what I gather, the last PAM update changed the settings reference from something called pam_tally2 to whatever was set on /etc/security faillock.conf.
I referred to these two threads here on this forum and one relevant post on reddit (cannot include links since I’m new) so I can only give the thread IDs:
/t/18775
t/26891
In all of them, the solution to the problem was to use sudo and edit from a text editor the file: /etc/security/faillock.conf, then look for the value ‘deny’ and set to the desired values of attempts before the lockout begins. I also wanted to change the lockout duration for 10 minutes into a shorter one. My password is long enough that sometimes I end up getting it wrong three times in a row, and a 10 minute wait is too punishing. I wanted to set my number to 10 attempts and only a 1 minute lockout. However, despite changing the values in this file; when I go to test the configuration out by locking my account and giving three bad passwords on the password prompt; I’m still greeted with a message below the password field saying that the account is locked because of three password attempts, and that I will not be able to log in with the correct password if the password is placed within the 10 minute lock down. I get the same results when I switch to tty1 and try to log into my user account from there also.
.
Here is what I set it to:
Configuration for locking the user after multiple failed
authentication attempts.
The directory where the user files with the failure records are kept.
The default is /var/run/faillock.
dir = /var/run/faillock
Will log the user name into the system log if the user is not found.
Enabled if option is present.
audit
Don’t print informative messages.
Enabled if option is present.
silent
Don’t log informative messages via syslog.
Enabled if option is present.
no_log_info
Only track failed user authentications attempts for local users
in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
The faillock command will also no longer track user failed
authentication attempts. Enabling this option will prevent a
double-lockout scenario where a user is locked out locally and
in the centralized mechanism.
Enabled if option is present.
local_users_only
Deny access if the number of consecutive authentication failures
for this user during the recent interval exceeds n tries.
The default is 3.
deny = 10
The length of the interval during which the consecutive
authentication failures must happen for the user account
lock out is n seconds.
The default is 900 (15 minutes).
fail_interval = 900
The access will be re-enabled after n seconds after the lock out.
The value 0 has the same meaning as value never - the access
will not be re-enabled without resetting the faillock
entries by the faillock command.
The default is 600 (10 minutes).
unlock_time = 60
Root account can become locked as well as regular accounts.
Enabled if option is present.
even_deny_root
This option implies the even_deny_root option.
Allow access after n seconds to root account after the
account is locked. In case the option is not specified
the value is the same as of the unlock_time option.
root_unlock_time = 900
If a group name is specified with this option, members
of the group will be handled by this module the same as
the root account (the options even_deny_root> and
root_unlock_time will apply to them.
By default, the option is not set.
admin_group = <admin_group_name>
Is there anything I have missed that is causing manjaro not to recognize my changes?
Thanks in advance.
(edit: sorry about the formatting,the pound symbol from the text editor is causing the text to become bold)