What does the "Valid" column mean in the output of "faillock"?

A good explanation is given on the RedHat Customer Portal. TL/DR: The Valid field indicates whether a record counts toward the lockout threshold (V) or not (I).

The key seems to be the meaning of the fail_interval configuration setting. From the manpage of faillock.conf:

deny=n

Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n. The default is 3.

fail_interval=n

The length of the interval during which the consecutive authentication failures must happen for the user account lock out is n seconds. The default is 900 (15 minutes).

So, pam_faillock will only lock out a user if a number of deny failed attempts were tried within the fail_interval.

However, the "fail" history displayed by faillock may reach further back in time, and show attempts that fall outside of the current fail_interval (i.e. older than fail_interval seconds from "now"). These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of pam_faillock.

This is not well documented, but can be inferred from the source code of pam_faillock.c

if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
    opts->now - tallies->records[i].time >= opts->fail_interval ) {
        tallies->records[i].status &= ~TALLY_STATUS_VALID;
    } else {
        ++failures;
    }

So, a record in the tally file does not count towards the threshold if the time attribute of the entry is further away from now than the fail_interval (or if the unlock_time has passed since the last lock); instead, the TALLY_STATUS_VALID flag is removed from such a record, which would cause it to be labelled I in the output instead of V.

posted 9 months ago

CC BY-SA 4.0

9mo ago

AdminBee‭

81 reputation 1 5 21 28