我意识到pam_tally2已被弃用,有利于pam_faillock,但无论如何我都必须使用它。我不明白的是这两个选项之间的区别。它们对我来说听起来相同:
lock_time=n
Always deny for n seconds after failed attempt.
unlock_time=n
Allow access after n seconds after failed attempt. If
this option is used the user will be locked out for the
specified amount of time after he exceeded his maximum
allowed attempts. Otherwise the account is locked until
the lock is removed by a manual intervention of the
system administrator.
答案1
lock_time它的描述说“之后”会更清楚每个尝试失败。”lock_time阻止进一步的登录尝试n登录尝试失败后的秒数。unlock_time阻止登录尝试n允许的最大失败登录尝试次数(使用指定deny=n)后的秒数。
你可以检查源代码来看看unlock_time仅在块中用于检查deny, 和lock_time用于每次理货检查。