summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system-auth.in11
-rw-r--r--system-login.in8
2 files changed, 17 insertions, 2 deletions
diff --git a/system-auth.in b/system-auth.in
index dbb6971..6067ea1 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -1,6 +1,13 @@
#if HAVE_ENV
auth required pam_env.so DEBUG
#endif
+
+#if HAVE_FAILOCK
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+#endif
+
#if HAVE_PAM_SSH
auth sufficient pam_ssh.so
#endif
@@ -18,6 +25,10 @@ account required pam_unix.so DEBUG
/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
account optional pam_permit.so
+#if HAVE_FAILLOCK
+account required pam_faillock.so
+#endif
+
#if HAVE_PASSWDQC
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
#endif
diff --git a/system-login.in b/system-login.in
index d93d926..9e82d60 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,6 +1,9 @@
#if HAVE_FAILLOCK
-auth required pam_faillock.so dir=/var/log deny=3
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
#endif
+
#if HAVE_SHELLS
auth required pam_shells.so DEBUG
#endif
@@ -19,8 +22,9 @@ account required pam_login_access.so
account required pam_nologin.so DEBUG_NOLOGIN
#endif
account include system-auth
+
#if HAVE_FAILLOCK
-account required pam_faillock.so dir=/var/log deny=3
+account required pam_faillock.so
#endif
password include system-auth