PAM - help - force reboot script after unsuccessful login attempts

UPDATE:
I solved my issue. Here is the solution for those who have a similar problem getting reboot/shutdown on lock-screen password failure. Note that the solution referenced below at cowboyprogrammer probably works for most cases, but because of the way i3lock handles PAM I think that's why it wasn't working for me.

So the issue I eventually got stuck with was that the condition at the end of the wrongpassword.sh script, which was based on $PAM_TYPE = "account", would never execute. I confirmed this by making log files. Because it would not execute, the failed attempts counter was never reset, which led to the situation where X number of fails would cause a shutdown, but so would fail-fail-success-success-fail-success, where the fails would eventually accumulate to X number and shut down. What should be happening is: if you're at the lockscreen and you enter a wrong password once, but then succeed on the next attempt, the counter should go to 0.

To the best of my knowledge this counter bug has to do with the fact that i3lock doesn't utilize the PAM_TYPE account; it does auth and then backs out (I'm not so sure how PAM works still). I figured the best chance was to somehow handle the counter in the auth state as well.

Looking through some docs I read that requisite will pass control immediately back to the app on a failure, so I could increment this way.

Below is my /etc/pam.d/system-auth

auth      optional  pam_exec.so     debug <path>/wrongpassword.sh
auth      requisite pam_unix.so     try_first_pass nullok
auth      required  pam_exec.so     debug <path>/rightpassword.sh
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

The first line increments the counter, does the threshold check and shuts down if needed.
The second line is the actual authentication, and because it's requisite, if it fails it will not continue but pass control back to i3lock. When the user succeeds, the third line will reset the counter and continue as usual.

So far this solution seems to have the intended behavior for me. If anyone notices any security issue or problem though please let me know. Thanks!


Hi all,

I have full disk encryption but I rarely ever turn off my computer, so the weakest link is my lock-screen. I'm on Manjaro i3 and using i3lock, which uses PAM for authentication.

I would like to have the system shutdown after 3 failed attempts at the lockscreen. I came across this blog post that seemed to have a solution but it didn't work for me. https://cowboyprogrammer.org/2016/09/re … _password/

In the post he references common-auth and common-account. The i3lock script seems to use /etc/pam.d/i3lock which then has an include for /etc/pam.d/system-auth

I tried putting pam_exec.so /script.sh in both the i3lock below the include as well as /etc/pam.d/system-auth and both of them would not reboot the system.

This is my system-auth as it is now:

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

and this is what's in i3lock:

#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#

auth include system-auth


The script I tried was the one referenced in the blog link above. Can someone help me out in setting this up? Thanks a lot.
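The two helper scripts from the UPDATE above (wrongpassword.sh and rightpassword.sh) are not shown on the page, so here is an added example of one script, not the poster's own, that can serve both roles: wired in as `pam_exec.so <path>/lockfail.sh attempt` on the first auth line (before pam_unix.so) and as `pam_exec.so <path>/lockfail.sh success` on the line after the requisite pam_unix.so. The counter file location, the threshold and the poweroff command are assumptions to adapt; the user i3lock runs as must be allowed to write the counter file and run the poweroff command (polkit or sudo), which this script does not set up.

```shell
#!/bin/sh
# Added example (not the poster's scripts): one pam_exec helper for both
# roles. "attempt" runs before the password is checked and counts the
# attempt, powering off once the threshold is exceeded; "success" runs
# only after the requisite pam_unix.so succeeded and resets the counter.
# Assumed/adaptable: counter file, threshold, poweroff command.

COUNTER_FILE="${COUNTER_FILE:-/var/lib/lockfail/count}"
MAX_FAILS="${MAX_FAILS:-3}"
POWEROFF_CMD="${POWEROFF_CMD:-systemctl poweroff}"

read_count() {
    # A missing or unreadable counter file counts as zero failures.
    [ -r "$COUNTER_FILE" ] && cat "$COUNTER_FILE" || echo 0
}

pre_auth() {
    # Runs before pam_unix verifies the password, so the counter holds the
    # number of attempts not yet followed by a success. The threshold is
    # therefore crossed at the start of the attempt after MAX_FAILS failures.
    n=$(( $(read_count) + 1 ))
    echo "$n" > "$COUNTER_FILE"
    if [ "$n" -gt "$MAX_FAILS" ]; then
        logger -t lockfail "$MAX_FAILS failed unlock attempts, powering off" 2>/dev/null || :
        $POWEROFF_CMD
    fi
    return 0   # never let the (optional) module itself report failure
}

post_auth_success() {
    # Only reached when the requisite pam_unix.so line succeeded.
    echo 0 > "$COUNTER_FILE"
    return 0
}

# pam_exec exports PAM_TYPE (plus PAM_USER and PAM_SERVICE). When it is
# absent the script was sourced for testing and only defines the functions.
if [ -n "${PAM_TYPE:-}" ]; then
    case "${1:-}" in
        attempt) pre_auth ;;
        success) post_auth_success ;;
    esac
fi
```

The counter file's directory must exist beforehand; logging goes to syslog via `logger` so the counter's behaviour can be confirmed the same way the poster did with log files.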

And you did remove the # comment at the appropriate line? And did you adapt it to Manjaro?

I solved this for now. Updated my original post. THANKS!
