blob: 81d2107cad35c17df0f91a883eb07fd1e098f630 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="faillock">
<refmeta>
<refentrytitle>faillock</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_faillock-name">
<refname>faillock</refname>
<refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="faillock-cmdsynopsis">
<command>faillock</command>
<arg choice="opt">
--dir <replaceable>/path/to/tally-directory</replaceable>
</arg>
<arg choice="opt">
--user <replaceable>username</replaceable>
</arg>
<arg choice="opt">
--reset
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="faillock-description">
<title>DESCRIPTION</title>
<para>
The <emphasis>pam_faillock.so</emphasis> module maintains a list of
failed authentication attempts per user during a specified interval
and locks the account in case there were more than
<replaceable>deny</replaceable> consecutive failed authentications.
It stores the failure records into per-user files in the tally
directory.
</para>
<para>
The <command>faillock</command> command is an application which
can be used to examine and modify the contents of the
tally files. It can display the recent failed authentication
attempts of the <replaceable>username</replaceable> or clear the tally
files of all or individual <replaceable>usernames</replaceable>.
</para>
</refsect1>
<refsect1 id="faillock-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>--conf <replaceable>/path/to/config-file</replaceable></option>
</term>
<listitem>
<para>
The file where the configuration is located. The default is
<filename>/etc/security/faillock.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
</term>
<listitem>
<para>
The directory where the user files with the failure records are kept.
</para>
<para>
The priority to set this option is to use the value provided
from the command line. If this isn't provided, then the value
from the configuration file is used. Finally, if neither of
them has been provided, then
<filename>/var/run/faillock</filename> is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--user <replaceable>username</replaceable></option>
</term>
<listitem>
<para>
The user whose failure records should be displayed or cleared.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--reset</option>
</term>
<listitem>
<para>
Instead of displaying the user's failure records, clear them.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="faillock-files">
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/var/run/faillock/*</filename></term>
<listitem>
<para>the files logging the authentication failures for users</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='faillock-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='faillock-author'>
<title>AUTHOR</title>
<para>
faillock was written by Tomas Mraz.
</para>
</refsect1>
</refentry>
|
