G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Thu Apr 27, 2023 4:21 am Post subject: When locked out, what is the best way to recover please? |
|
|
Hi,
I'm fairly new to Gentoo and manage to do all sorts of dumb things to my system. This time I locked myself out. I am sure I used the correct PW, and also sure the keymap was correct.
I have learned that there is a system called faillock, that kicks in after a number of failed attempts. It should also reset after a certain time has passed.
This was however not the case on my box... So I booted off the ISO, mounted the disk and started to look for the "tally dir". Not sure I found what I was looking for, but tried
Code: | faillock --reset --user <my username> --dir /etc/security/faillock.conf |
and quickly realized that the 'faillock.conf' in the example I managed to google, in fact was a directory (I should have paid more attention to the switches too, before first coffee). It was not on my system, so gave me an error. Where is this directory located in Gentoo? And what is the correct way of handling such a situation (root disabled, no other users to login with)?
I ended up, as said above booting the ISO, and then
Code: |
# passwd -l <my username>
# passwd -u <my username>
# passwd <my username>
| to disable, enable and set a new password...
Please advise if this is not a good/preferred way. Also, is there a faillock.conf somewhere in effect, or is the default (as it seems) to run it with no config file by default?
Thanks |
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 541
|
Posted: Thu Apr 27, 2023 5:58 am Post subject: Re: When locked out, what is the best way to recover please? |
|
|
G3nt00 wrote: | I'm fairly new to Gentoo and manage to do all sorts of dumb things to my system. This time I locked myself out. I am sure I used the correct PW, and also sure the keymap was correct.
|
What were you doing before locking yourself out? |
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Thu Apr 27, 2023 7:00 am Post subject: Re: When locked out, what is the best way to recover please? |
|
|
sMueggli wrote: | G3nt00 wrote: | I'm fairly new to Gentoo and manage to do all sorts of dumb things to my system. This time I locked myself out. I am sure I used the correct PW, and also sure the keymap was correct.
|
What were you doing before locking yourself out? |
Started an 'emerge @world'. It ran and the screen-lock kicked in. I found myself unable to log in at that point. |
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23092
|
Posted: Thu Apr 27, 2023 3:06 pm Post subject: |
|
|
Faillock is to prohibit brute-forcing of passwords. If your first attempt was rejected, this was probably not faillock. I believe I have seen problems where an ill-timed update of PAM-related code can cause a pre-existing xscreensaver process to become unable to validate passwords. That was before xscreensaver-6 though, so that might not happen anymore. |
|
duane Apprentice
Joined: 03 Jun 2002 Posts: 193 Location: Oklahoma City
|
Posted: Fri Apr 28, 2023 1:06 am Post subject: |
|
|
Hu wrote: | I believe I have seen problems where an ill-timed update of PAM-related code can cause a pre-existing xscreensaver process to become unable to validate passwords. |
That still happens to me with i3lock. I just switch to vt2, log in without X, then kill i3lock.
When I'm updating my custom live iso, that I make with grub-mkrescue, I have to re-emerge pam as the last step any time pam updates during an emerge. Otherwise, it refuses to take passwords when the iso is fully assembled. I've no idea why that happens, or why emerging it twice fixes it. |
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Fri Apr 28, 2023 2:53 pm Post subject: |
|
|
Hu wrote: | Faillock is to prohibit brute-forcing of passwords. If your first attempt was rejected, this was probably not faillock. I believe I have seen problems where an ill-timed update of PAM-related code can cause a pre-existing xscreensaver process to become unable to validate passwords. That was before xscreensaver-6 though, so that might not happen anymore. |
Well, entering VT2 it told me I had to wait X more minutes. That didn't help though, it was as if it just couldn't look up the pw, at all. I do use Yubikeys, but they have played nice so far... |
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20588
|
Posted: Sat Apr 29, 2023 2:55 pm Post subject: |
|
|
Here's what I have in my notes. I've never specified the directory with either faillock or its predecessor.
Code: |
Reset authentication failure records for username:
$ faillock --user username --reset
Display authentication failure records for username:
$ faillock --user username
|
Finally: man faillock: |
--dir /path/to/tally-directory
The directory where the user files with the failure records are kept. The default is /var/run/faillock.
|
And that directory does exist on my systems. _________________ Quis separabit? Quo animo? |
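
Added example, not part of any post in this thread: a shell helper that works out which tally directory and lockout limits are in effect, either on the running system or on an installed system mounted from rescue media. The function names and the `/mnt/gentoo` mount point are hypothetical; the fallback values `deny=3` and `unlock_time=600` are pam_faillock's documented defaults, and taking the last occurrence of a repeated key is an assumption of this sketch.

```shell
#!/bin/sh
# Added example; function names and the /mnt/gentoo mount point are hypothetical.

# faillock_setting ROOT KEY DEFAULT
# Print KEY's value from ROOT/etc/security/faillock.conf, or DEFAULT when the
# file is missing or the key is unset or commented out.
# Assumption: if a key appears more than once, the last occurrence is used.
faillock_setting() {
    root=$1 key=$2 default=$3
    conf="$root/etc/security/faillock.conf"
    value=
    if [ -r "$conf" ]; then
        # Strip '#' comments, then match "key = value" with optional spaces.
        value=$(sed -e 's/#.*//' "$conf" | awk -F= -v k="$key" '
            { name = $1; gsub(/[ \t]/, "", name) }
            name == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); found = v }
            END { print found }')
    fi
    printf '%s\n' "${value:-$default}"
}

# faillock_report [ROOT]
# Show the effective lockout settings and any tally files under ROOT
# (empty ROOT = the running system).
faillock_report() {
    root=${1:-}
    dir=$(faillock_setting "$root" dir /var/run/faillock)
    deny=$(faillock_setting "$root" deny 3)
    unlock=$(faillock_setting "$root" unlock_time 600)
    printf 'tally dir:   %s\n' "$root$dir"
    printf 'deny:        %s failed attempts\n' "$deny"
    printf 'unlock_time: %s seconds\n' "$unlock"
    ls -l "$root$dir" 2>/dev/null || echo "no tally directory at $root$dir"
}

# Usage: faillock_report             (running system)
#        faillock_report /mnt/gentoo (installed system mounted from rescue media)
```

Where `/var/run` lives on a tmpfs, the tally files do not survive a reboot, so an empty or missing directory under the mounted root is expected when looking from rescue media.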
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Sun Apr 30, 2023 7:38 am Post subject: |
|
|
pjp wrote: | Here's what I have in my notes. I've never specified the directory with either faillock or its predecessor. Code: | Reset authentication failure records for username:
$ faillock --user username --reset
Display authentication failure records for username:
$ faillock --user username |
Finally: man faillock: | --dir /path/to/tally-directory
The directory where the user files with the failure records are kept. The default is /var/run/faillock. | And that directory does exist on my systems. |
Thanks, will make a note of that too. I suppose it works from the chroot as well (in case the one active account is locked)? |
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20588
|
Posted: Wed May 03, 2023 5:56 pm Post subject: |
|
|
G3nt00 wrote: | I suppose it works from the chroot as well (in case the one active account is locked)? | I haven't experienced the issue in a chroot, but presumably it would occur there too. _________________ Quis separabit? Quo animo? |
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Wed May 03, 2023 6:00 pm Post subject: |
|
|
pjp wrote: | G3nt00 wrote: | I suppose it works from the chroot as well (in case the one active account is locked)? | I haven't experienced the issue in a chroot, but presumably it would occur there too. |
Well, sorry, I meant resetting in chroot... Or am I overthinking? It would be enough to boot to init=/bin/bash, mount root as rw and reset from there? |
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20588
|
Posted: Wed May 03, 2023 6:31 pm Post subject: |
|
|
Oh, you mean fixing a normal install from within a chroot... rebooting into separate media? I would expect that to work. If you achieve root access to a system, you should be able to reset the lockout (excluding use of SELinux or anything similar).
I've never had a lockout period set so long that I tried anything of that nature. I usually find something to do for 5 minutes then come back :)
On a similar note, it can often be a good idea to open an additional terminal with root access when you make changes to a system. Similarly, when working on systems with a remote connection, opening a secondary connection is also valuable (and if you need root access on the remote system...). _________________ Quis separabit? Quo animo? |
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Wed May 03, 2023 7:11 pm Post subject: |
|
|
pjp wrote: | Oh, you mean fixing a normal install from within a chroot... rebooting into separate media? I would expect that to work. If you achieve root access to a system, you should be able to reset the lockout (excluding use of SELinux or anything similar).
I've never had a lockout period set so long that I tried anything of that nature. I usually find something to do for 5 minutes then come back
On a similar note, it can often be a good idea to open an additional terminal with root access when you make changes to a system. Similarly, when working on systems with a remote connection, opening a secondary connection is also valuable (and if you need root access on the remote system...). |
Yeah, I learned about the lockout period too late... So went at it to reset it. If I'd known I would have just waited as well. |
|
djdunn l33t
Joined: 26 Dec 2004 Posts: 812
|
Posted: Sat Jun 17, 2023 1:27 am Post subject: |
|
|
If you can login as root just
That resets an account lockout _________________ “Music is a moral law. It gives a soul to the Universe, wings to the mind, flight to the imagination, a charm to sadness, gaiety and life to everything. It is the essence of order, and leads to all that is good and just and beautiful.”
― Plato |
|
G3nt00 Guru
Joined: 09 Apr 2023 Posts: 337
|
Posted: Sat Jun 17, 2023 7:48 am Post subject: |
|
|
djdunn wrote: | If you can login as root just
That resets an account lockout |
Well, usually perhaps, but I have the custom to disable root, it's in my first post... Else I do agree with you, would have worked fine as you describe. Didn't know that it resets the lockout though, Thanks! |
|