Locking Linux accounts after failed attempts using pam_faillock

Hi,

I am trying to lock Linux user accounts after 3 consecutive failed attempts using pam_faillock.

I have updated /etc/pam.d/common-auth to include:
# At the very top
auth required pam_faillock.so preauth audit deny=3 unlock_time=30
# At the very bottom
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=30

I then tried logging in with bad passwords more than 3 times and did not get locked out.

Running the faillock command throws the following error:
#faillock
faillock: Error reading tally directory: No such file or directory

So, I created the faillock directory manually:
#mkdir -p /var/run/faillock

After this, I see that an entry for the user gets created in that directory, but the file never gets updated with a tally. I tried with other users and see the same behavior. Also, the users never get locked out.

#faillock
user1:
When Type Source Valid
root:
When Type Source Valid
user2:
When Type Source Valid

Has anyone run into this issue?

Regards,
Sri
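The stack in the question has only the preauth and authsucc phases. In pam_faillock the failure tally is written by the authfail phase, which runs after the primary authentication module has rejected the password; without an authfail line the per-user files under /var/run/faillock are created (by preauth) but never receive a record, and nobody is ever locked out. That holds only on a system whose login actually goes through PAM, which a later reply notes OpenWrt's does not. The shell lint below is an added example, not code from this thread: it reads a PAM auth stack and reports which pam_faillock phases are absent. Both sample stacks are constructed; the control fields in the corrected one follow the usual Debian/Ubuntu pam_faillock layout.

```shell
#!/bin/sh
# Lint a PAM "auth" stack for the three pam_faillock phases.
# Added example, not code from the forum thread; the sample stacks below are constructed.

# Reads a PAM config on stdin and prints each pam_faillock phase that is missing
# (preauth, authfail, authsucc), one per line. Prints nothing when all three are present.
faillock_missing_phases() {
    awk '
        # Ignore comments and blank lines.
        /^[ \t]*#/ || NF == 0 { next }
        # Only "auth" lines that load pam_faillock.so carry a phase keyword.
        $1 == "auth" && /pam_faillock\.so/ {
            for (i = 3; i <= NF; i++)
                if ($i == "preauth" || $i == "authfail" || $i == "authsucc") seen[$i] = 1
        }
        END {
            split("preauth authfail authsucc", want, " ")
            for (j = 1; j <= 3; j++) if (!(want[j] in seen)) print want[j]
        }
    '
}

# Constructed sample: the stack from the question, preauth at the top and
# authsucc at the bottom, with nothing in between that records a failure.
BROKEN_STACK='auth required pam_faillock.so preauth audit deny=3 unlock_time=30
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=30'

# Constructed sample: the same stack with an authfail line placed directly after
# pam_unix.so. success=1 skips it on a good password; a rejected password falls
# through to it, which increments the tally and (default=die) ends the stack.
FIXED_STACK='auth required pam_faillock.so preauth audit deny=3 unlock_time=30
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=30
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=30
auth requisite pam_deny.so
auth required pam_permit.so'

# Usage: pipe any PAM file through the function, e.g.
#   faillock_missing_phases < /etc/pam.d/common-auth
echo "question's stack is missing: $(printf '%s\n' "$BROKEN_STACK" | faillock_missing_phases)"
echo "corrected stack is missing:  $(printf '%s\n' "$FIXED_STACK" | faillock_missing_phases)"
```

Run against the real file with `faillock_missing_phases < /etc/pam.d/common-auth`; an empty result means all three phases are declared, though it does not check their order, so the authfail line must still be placed after the module that validates the password.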

Could you clarify how this is related to OpenWrt?


Hi,

This is indeed a generic Linux issue, but I was able to get the same functionality working on my Ubuntu machine and was running into this problem on my OpenWrt builds, so I figured I would check whether there is a known issue or an OpenWrt-specific config I need to update to make it work.

Regards,
Sri

Can you give more context about the OpenWrt specific nature of the request?

OpenWrt defaults to a single-user configuration. Unless you've got multiple users set up on OpenWrt, locking out the root user would not be wise, and that is not something that is implemented here.


OpenWrt does not use PAM; go find your generic Solaris help someplace else.