Ouch, thanks Marc! Indeed our previous seddery was broken,  it should
have left the pam_deny/pam_permit lines. With this it works just fine:

--- /tmp/common-auth.orig       2022-04-01 07:16:26.072608984 +0200
+++ /tmp/common-auth.faillock   2022-04-01 07:14:20.246707861 +0200
@@ -16,6 +16,8 @@
 # here are the per-package modules (the "Primary" block)
 auth   [success=2 default=ignore]      pam_unix.so nullok
 auth   [success=1 default=ignore]      pam_sss.so use_first_pass
+auth [default=die] pam_faillock.so authfail deny=4
+auth sufficient pam_faillock.so authsucc deny=4
 # here's the fallback if no module succeeds
 auth   requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;


Sorry for the noise!

** Changed in: pam (Ubuntu Jammy)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1966416

Title:
  pam_faillock does not actually deny login after given number of
  failures

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1966416/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to