Ouch, thanks Marc! Indeed our previous seddery was broken, it should
have left the pam_deny/pam_permit lines. With this it works just fine:
--- /tmp/common-auth.orig 2022-04-01 07:16:26.072608984 +0200
+++ /tmp/common-auth.faillock 2022-04-01 07:14:20.246707861 +0200
@@ -16,6 +16,8 @@
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
+auth [default=die] pam_faillock.so authfail deny=4
+auth sufficient pam_faillock.so authsucc deny=4
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
Sorry for the noise!
** Changed in: pam (Ubuntu Jammy)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1966416
Title:
pam_faillock does not actually deny login after given number of
failures
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1966416/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
