How to manage PAM modules with authselect? Issue
pam_faillock rules do not effect managed via authselect.
how to enable authselect feature.
EnvironmentRed Hat Enterprise Linux 8
Root cause
condition within system-auth or password-auth and the with-faillock feature is not enabled.
$ authselect current Profile ID: custom/auth-policy Enabled features: None $ grep "faillock" /etc/authselect/custom/auth-policy/system-auth auth required pam_faillock.so preauth silent deny=3 unlock_time=1800 {include if "with-faillock"} auth required pam_faillock.so authfail deny=3 unlock_time=1800 {include if "with-faillock"} account required pam_faillock.so {include if "with-faillock"} Solution
Enable the with-faillock feature.
authselect enable-feature with-faillock
Verify whether the user is locked.
# faillock --user test test: When Type Source Valid 2021-01-28 07:58:44 RHOST ::1 V 2021-01-28 07:58:48 RHOST ::1 V 2021-01-28 07:58:51 RHOST ::1 V
Logs when the user is locked.
# grep "faillock" /var/log/secure Jan 28 07:58:51 ip-172-31-10-156 sshd[5116]: pam_faillock(sshd:auth): Consecutive login failures for user test account temporarily locked