How can I set a limit for incorrect password attempts for GDM lock screen before action is taken?
Solution 1:
Some background info:
User log-ins are handled by the PAM system (Pluggable Authentication Module) and in this particular case by the pam_tally subsystem (to tally the user accounts). As pam_tally itself will be deprecated, you should use pam_tally2, which comes in two parts:
- pam_tally2.so being the module that does the authentication itself and which you need to add to the PAM system
- pam_tally2 being a stand-alone program that you'll need to display, change and clear individual counts
The parameters of pam_tally2 you're interested in are:
deny=n
    Deny access if tally for this user exceeds n.
lock_time=n
    Always deny for n seconds after failed attempt.
unlock_time=n
    Allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.
magic_root
    If the module is invoked by a user with uid=0 the counter is not incremented.
even_deny_root
    Root account can become unavailable.
The configuration:
Add the following lines to /etc/pam.d/login to lock the account after 3 failed logins (also for the root account) and have it unlocked automatically after 50 minutes.
auth required pam_securetty.so
auth required pam_tally2.so deny=3 even_deny_root lock_time=60 unlock_time=3000
auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
After adding the above configuration, test it: log out and try to log in 3 times with a bogus password: 60 seconds to wait after the first and second attempt and 50 minutes after the third try.
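To see how the deny, lock_time and unlock_time options above interact, here is an added example (not part of the answer or of pam_tally2 itself) that parses the pam_tally2 line out of a PAM auth stack, flags settings a reviewer would object to, and simulates the lockout timeline described in the answer; the sample stack is constructed inline and the threshold is modelled as "locked from the deny-th failure on", matching the answer's description.

```python
# Added example: parse a pam_tally2 line, audit it, and simulate the lockout timeline.
SAMPLE_PAM_LOGIN = """\
# constructed sample: the auth stack from the answer (not read from a live /etc/pam.d/login)
auth required pam_securetty.so
auth required pam_tally2.so deny=3 even_deny_root lock_time=60 unlock_time=3000
auth required pam_env.so
auth required pam_unix.so
"""

def parse_tally2_options(pam_text):
    """Options of the first 'auth ... pam_tally2.so' line as a dict, or None if absent.
    Numeric values become int, bare flags map to True. Bracketed [control] syntax is not handled."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comments, split on whitespace
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[2].rsplit("/", 1)[-1] != "pam_tally2.so":  # module may be given with a full path
            continue
        opts = {}
        for arg in fields[3:]:
            key, _, val = arg.partition("=")
            opts[key] = int(val) if val.isdigit() else (val or True)
        return opts
    return None

def audit(opts):
    """Findings a reviewer would raise about the pam_tally2 line (empty list = fine)."""
    if opts is None:
        return ["pam_tally2.so missing from the auth stack: no lockout at all"]
    findings = []
    if not opts.get("deny"):
        findings.append("deny= missing: failures are tallied but never enforced")
    if "unlock_time" not in opts:
        findings.append("unlock_time= missing: a locked user stays locked until an admin resets the tally")
    if "even_deny_root" not in opts:
        findings.append("even_deny_root missing: root is exempt from the lockout")
    return findings

def denied_at(opts, failures, t):
    """Is a login at time t denied, given timestamps of earlier failed attempts?
    lock_time: every failure denies for that many seconds. deny/unlock_time: from the
    deny-th failure on, denied until unlock_time seconds pass (forever if unlock_time is unset)."""
    past = [f for f in failures if f < t]
    if not past:
        return False
    since_last = t - max(past)
    if since_last < opts.get("lock_time", 0):
        return True
    if opts.get("deny") and len(past) >= opts["deny"]:
        return "unlock_time" not in opts or since_last < opts["unlock_time"]
    return False
```

With the sample stack, failures at t=0, 100 and 200 give a 60-second denial after each of the first two and a 3000-second (50 minute) lockout after the third, which is the timeline the answer tells you to test.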