| View previous topic :: View next topic |
| Author |
Message |
vokiel
Tux's lil' helper
Joined: 01 Oct 2004
Posts: 110
|
 Posted: Sun Jun 06, 2021 7:37 pm Post subject: [SOLVED] PAM account locking |
 |
|
I don't want it .. ever.. How do I disable this?
Sudo stops working, I can't login anywhere and I have to reboot.
_________________
"When you do things right, people won't be sure you've done anything at all."
Last edited by vokiel on Sun Jun 06, 2021 8:26 pm; edited 1 time in total |
|
| Back to top |
|
 |
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3949
|
| Posted: Sun Jun 06, 2021 7:44 pm Post subject: |
|
|
How does it happen?
_________________
 |
|
| Back to top |
|
|
vokiel
Tux's lil' helper
Joined: 01 Oct 2004
Posts: 110
|
| Posted: Sun Jun 06, 2021 7:54 pm Post subject: |
|
|
| alamahant wrote: | | How does it happen? |
it's deny=3, it locks everything up when I mess up the password to sudo 3 times.
Quite horrid feature which just makes me want to kill random processes...
Edit: I just have no idea where it's set so I can remove it.
_________________
"When you do things right, people won't be sure you've done anything at all." |
|
| Back to top |
|
|
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3949
|
| Posted: Sun Jun 06, 2021 8:01 pm Post subject: |
|
|
Plz do that
| Code: |
echo "<username> ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/<username>
|
This wii enable passwordless sudo
In
/etc/pam.d/system-auth
these are the culprits
| Code: |
auth requisite pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
account required pam_faillock.so
|
maybe you add a very high deny value
| Code: |
auth requisite pam_faillock.so preauth deny=1000
auth [default=die] pam_faillock.so authfail deny=1000
account required pam_faillock.so
|
But fedeliallalinea's solution is much more elegant and neat.
_________________
Last edited by alamahant on Sun Jun 06, 2021 8:11 pm; edited 4 times in total |
|
| Back to top |
|
|
fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31461
Location: here
|
| Posted: Sun Jun 06, 2021 8:02 pm Post subject: |
|
|
Maybe set deny = 0 in /etc/security/faillock.conf?
_________________
Questions are guaranteed in life; Answers aren't. |
|
| Back to top |
|
|
vokiel
Tux's lil' helper
Joined: 01 Oct 2004
Posts: 110
|
| Posted: Sun Jun 06, 2021 8:03 pm Post subject: |
|
|
I don't want to disable the password. I want PAM to gtfo.
| fedeliallalinea wrote: | | Maybe set deny = 0 in /etc/security/faillock.conf? |
Ah ha! Pretty sure that's it, thanks a bunch. I'll test it.
_________________
"When you do things right, people won't be sure you've done anything at all." |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Sun Jun 06, 2021 8:20 pm Post subject: |
|
|
| Remove pam. It takes some work. |
|
| Back to top |
|
|
vokiel
Tux's lil' helper
Joined: 01 Oct 2004
Posts: 110
|
| Posted: Sun Jun 06, 2021 8:26 pm Post subject: |
|
|
| Tony0945 wrote: | | Remove pam. It takes some work. |
I wish. Seriously, if there had been a PAM-less installation guide, I would have used it.
/etc/security/faillock.conf is the short hand solution.
_________________
"When you do things right, people won't be sure you've done anything at all." |
|
| Back to top |
|
|
|
Networking & Security
