I am running Ubuntu 20.04 LTS. I enabled the pam_faillock module by adding the following two lines to /etc/pam.d/common-auth:

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

I added these lines below

auth [success=2 default=ignore] pam_unix.so nullok

and above:

auth [success=1 default=ignore] pam_sss.so use_first_pass

Below is my /etc/pam.d/common-auth with my changes commented out.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
#auth [default=die] pam_faillock.so authfail
#auth sufficient pam_faillock.so authsucc
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
auth required pam_faildelay.so delay=4000000
# end of pam-auth-update config
After adding these lines, I uncommented the following lines in /etc/security/faillock.conf:
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
After these changes I rebooted, and when I tried to log in after the reboot it told me my password was incorrect. (Yes, I have verified that it is not a bad password.) I am not the strongest in this area and I am not sure what is causing this to happen.
Answer 1
I have uncommented your lines and put them where I believe they now belong. I also moved one or two other lines to fix the authentication flow.
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_unix.so nullok
auth [success=3 default=ignore] pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail
auth required pam_faildelay.so delay=4000000
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
auth sufficient pam_faillock.so authsucc
# end of pam-auth-update config
Note that I also changed the first two auth lines: [success=N] tells PAM to skip N rules on success, so success from pam_unix or pam_sss jumps to pam_permit, while failure takes you to pam_faillock, pam_faildelay and pam_deny.
I cannot test this because I do not have pam_faillock installed. So to test it, first open a root shell on the system and do not touch it other than to change the PAM configuration files.
Using a second terminal session, try logging in and so on, and test whether it works.
If it does not, you have the first session open, ready to revert your changes. Do not close this session until you are completely sure you have a working configuration.
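To see how the [success=N] jump counts decide the outcome, here is an added toy simulator of Linux-PAM auth-stack control flow (example code, not from the question or the answer). It walks the question's stack and the answer's stack with constructed per-module outcomes for a local user typing the correct password; the module outcomes, the simplified control-flag semantics and the omission of pam_faillock's preauth handling are assumptions of the example.

```python
import re

# pam.conf(5) bracket equivalents of the keyword controls (new_authtok_reqd omitted).
KEYWORDS = {"required": "[success=ok default=bad]", "requisite": "[success=ok default=die]",
            "sufficient": "[success=done default=ignore]", "optional": "[success=ok default=ignore]"}

def parse_stack(text):
    """Yield (actions, key); key adds authfail/authsucc so the two pam_faillock lines differ."""
    for ctl, module, args in re.findall(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)[ \t]*(.*)$", text, re.M):
        actions = {"default": "bad"}    # PAM's implicit default action
        actions.update(kv.split("=") for kv in KEYWORDS.get(ctl, ctl)[1:-1].split())
        yield actions, " ".join([module] + [a for a in args.split() if a in ("authfail", "authsucc")])

def run_stack(text, outcomes):
    """Walk the stack with per-module outcomes (True = PAM_SUCCESS); return 'success' or 'failure'."""
    stack, i, failed, succeeded = list(parse_stack(text)), 0, False, False
    while i < len(stack):
        actions, key = stack[i]
        ok = outcomes.get(key, False)   # unknown modules are assumed to fail
        action = actions["success"] if ok and "success" in actions else actions["default"]
        i += 1
        if action.isdigit():            # success=N: jump over the next N lines
            i += int(action)
        elif action == "die":           # fail the whole stack immediately
            return "failure"
        elif action == "bad":           # record the failure, keep walking
            failed = True
        elif action == "done" and not failed:  # 'sufficient' success ends the stack
            return "success"
        elif action == "ok" and ok:     # a module contributed a positive result
            succeeded = True
    return "success" if succeeded and not failed else "failure"

# Constructed outcomes: local user typing the right password, no SSSD account, not locked out.
LOCAL_USER_OK = {"pam_unix.so": True, "pam_sss.so": False, "pam_faillock.so authfail": False,
                 "pam_faillock.so authsucc": True, "pam_permit.so": True, "pam_deny.so": False,
                 "pam_faildelay.so": True, "pam_cap.so": True}
QUESTION_STACK = """auth [success=2 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so"""
ANSWER_STACK = """auth [success=4 default=ignore] pam_unix.so nullok
auth [success=3 default=ignore] pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail
auth required pam_faildelay.so delay=4000000
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth sufficient pam_faillock.so authsucc"""
```

With the question's stack, a successful pam_unix skips two lines and lands on pam_sss, whose failure is ignored, so pam_deny is the next module reached and the login is refused; with the answer's stack the same outcome jumps straight to pam_permit.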