How to enable faillock using authconfig

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7 (RHEL 7)

Issue

1. Executing authconfig command removes the faillock entries from PAM files.
2. Configure faillock for persistent settings in PAM files.

Resolution

1. Enable faillock using authconfig command.

# authconfig --enablefaillock --faillockargs="deny=6 unlock_time=1200" --update

Note :
- For details of faillock arguments, refer man page pam_faillock.
- Above configuration places below line in file /etc/pam.d/password-auth-ac under password stack. This is not the right place, it needs to be corrected manually by referring /etc/pam.d/system-auth. Bug Reference

# auth        required      pam_faillock.so authfail deny=6 unlock_time=1200

2. authconfig command updates file /etc/sysconfig/authconfig.

 # grep -i faillock /etc/sysconfig/authconfig 
 FAILLOCKARGS="deny=6 unlock_time=1200"
 USEFAILLOCK=yes

Root Cause

  • Faillock is not enabled in file /etc/sysconfig/authconfig .
# grep USEFAILLOCK /etc/sysconfig/authconfig
USEFAILLOCK=no

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.