Patrick Schleizer
|
454e135822
|
pam_tally2.so even_deny_root
|
2019-08-15 07:33:41 +00:00 |
|
Patrick Schleizer
|
63b476221c
|
use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
|
2019-08-15 07:30:56 +00:00 |
|
Patrick Schleizer
|
a2fa18c381
|
pam_tally2.so deny=100
during testing, due to issues
d17e25272b
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
|
2019-08-10 07:07:28 -04:00 |
|
Patrick Schleizer
|
d17e25272b
|
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
|
2019-08-10 06:06:39 -04:00 |
|
Patrick Schleizer
|
0f896a9d8d
|
add onerr=fail audit to pam_tally2
|
2019-08-10 06:05:37 -04:00 |
|
Patrick Schleizer
|
830111e99a
|
split usr/share/pam-configs/security-misc
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
|
2019-08-01 11:04:22 +00:00 |
|