pam_faillock: Add more documentation about unlock_time=never option.

2016-04-28 17:10:18 +02:00 · 2016-04-28 17:10:18 +02:00 · be55e6d98b
parent e1caf9a021
commit be55e6d98b
1 changed files with 15 additions and 3 deletions
--- a/pam-1.2.1-faillock.patch
+++ b/pam-1.2.1-faillock.patch
@ -1290,9 +1290,9 @@ diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
 +#endif   /* #ifdef PAM_STATIC */
 +
 diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml
--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock	2015-06-25 10:42:21.483374875 +0200
-+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml	2015-10-16 14:04:45.810864576 +0200
-@@ -0,0 +1,396 @@
+--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock	2016-04-04 16:37:38.696260359 +0200
+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml	2016-04-28 17:09:04.679596165 +0200
+@@ -0,0 +1,408 @@
 +<?xml version="1.0" encoding='UTF-8'?>
 +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 +	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
@ -1500,6 +1500,18 @@ diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
 +                  entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
 +                  The default is 600 (10 minutes).
 +                </para>
+                <para>
+                  Note that the default directory that <emphasis>pam_faillock</emphasis>
+                  uses is usually cleared on system boot so the access will be also reenabled
+                  after system reboot. If that is undesirable a different tally directory
+                  must be set with the <option>dir</option> option.
+                </para>
+                <para>
+                  Also note that it is usually undesirable to permanently lock
+                  out the users as they can become easily a target of denial of service
+                  attack unless the usernames are random and kept secret to potential
+                  attackers.
+                </para>
 +              </listitem>
 +            </varlistentry>
 +            <varlistentry>