Unable to change standard three attempts-10 minute lockout; System is not recognizing /etc/security faillock.conf settings

Hi, first time poster here.

I’m using v. 20.2, and I think the GUI for both my desktop environment and the lockscreen is GNOME. I’m having difficulty changing/editing the standard Plugged Authentication Module settings. The last version I used there was no lockout after X attempts. From what I gather, the last PAM update changed the settings reference from something called pam_tally2 to whatever was set on /etc/security faillock.conf.

I referred to these two threads here on this forum and one relevant post on reddit (cannot include links since I’m new) so I can only give the thread IDs:

In all of them, the solution to the problem was to use sudo and edit from a text editor the file: /etc/security/faillock.conf, then look for the value ‘deny’ and set to the desired values of attempts before the lockout begins. I also wanted to change the lockout duration for 10 minutes into a shorter one. My password is long enough that sometimes I end up getting it wrong three times in a row, and a 10 minute wait is too punishing. I wanted to set my number to 10 attempts and only a 1 minute lockout. However, despite changing the values in this file; when I go to test the configuration out by locking my account and giving three bad passwords on the password prompt; I’m still greeted with a message below the password field saying that the account is locked because of three password attempts, and that I will not be able to log in with the correct password if the password is placed within the 10 minute lock down. I get the same results when I switch to tty1 and try to log into my user account from there also.

Here is what I set it to:

Configuration for locking the user after multiple failed
authentication attempts.
The directory where the user files with the failure records are kept.
The default is /var/run/faillock.
dir = /var/run/faillock

Will log the user name into the system log if the user is not found.
Enabled if option is present.

Don’t print informative messages.
Enabled if option is present.

Don’t log informative messages via syslog.
Enabled if option is present.

Only track failed user authentications attempts for local users
in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
The faillock command will also no longer track user failed
authentication attempts. Enabling this option will prevent a
double-lockout scenario where a user is locked out locally and
in the centralized mechanism.
Enabled if option is present.

Deny access if the number of consecutive authentication failures
for this user during the recent interval exceeds n tries.
The default is 3.
deny = 10

The length of the interval during which the consecutive
authentication failures must happen for the user account
lock out is n seconds.
The default is 900 (15 minutes).
fail_interval = 900

The access will be re-enabled after n seconds after the lock out.
The value 0 has the same meaning as value never - the access
will not be re-enabled without resetting the faillock
entries by the faillock command.
The default is 600 (10 minutes).
unlock_time = 60

Root account can become locked as well as regular accounts.
Enabled if option is present.

This option implies the even_deny_root option.
Allow access after n seconds to root account after the
account is locked. In case the option is not specified
the value is the same as of the unlock_time option.
root_unlock_time = 900

If a group name is specified with this option, members
of the group will be handled by this module the same as
the root account (the options even_deny_root> and
root_unlock_time will apply to them.
By default, the option is not set.
admin_group = <admin_group_name>

Is there anything I have missed that is causing manjaro not to recognize my changes?

Thanks in advance.

(edit: sorry about the formatting,the pound symbol from the text editor is causing the text to become bold)


(Hashtag/Pound/Octothorpe) symbols are comments in code will NOT RUN.

I just realized I made a VERY rookie mistake; I tried editing the parameters in faillock.conf that had the # symbol in the beginning. The octothrorpe symbols are just comments and like any script/code, will not count as the instruction, and this applies for any of the configuration files in PAM.

I made a new line within faillock.conf without the # symbol attached and set the parameters


And now the problem has been resolved. Lesson learned.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.