I solved my issue. Here is the solution for those who have a similar problem getting reboot/shutdown on lock-screen password failure. Note that the solution referenced below at cowboyprogrammer probably works for most cases, but because of the way i3lock handles PAM, I think that's why it wasn't working for me.
So the issue I eventually got stuck with was that the condition at the end of the wrongpassword.sh script, which was based on $PAM_TYPE = "account", would never execute. I confirmed this by making log files. Because it would not execute, the failed-attempts counter was never reset, which led to the situation where X number of fails would cause a shutdown. But so would fail-fail-success-success-fail-success, where the fails would eventually accumulate to X and shut down. What should be happening is: if you're at the lock screen and you enter a wrong password once, but then succeed on the next attempt, the counter should go to 0.
To the best of my knowledge this counter bug has to do with the fact that i3lock doesn't utilize the PAM_TYPE account; it does auth and then backs out (I'm still not so sure how PAM works). I figured the best chance was to somehow handle the counter in the auth state as well.
Looking through some docs, I read that requisite will pass control immediately back to the app on a failure, so I could increment this way.
Below is my /etc/pam.d/system-auth
auth     optional  pam_exec.so debug <path>/wrongpassword.sh
auth     requisite pam_unix.so try_first_pass nullok
auth     required  pam_exec.so debug <path>/rightpassword.sh
auth     optional  pam_permit.so
auth     required  pam_env.so
account  required  pam_unix.so
account  optional  pam_permit.so
account  required  pam_time.so
password required  pam_unix.so try_first_pass nullok sha512 shadow
password optional  pam_permit.so
session  required  pam_limits.so
session  required  pam_unix.so
session  optional  pam_permit.so
The first line increments the counter, does the threshold check and shuts down if needed.
The second line is the actual authentication, and because it's requisite, if it fails it will not continue but pass control back to i3lock. When the user succeeds, the third line will reset the counter and continue as usual.
So far this solution seems to have the intended behavior for me. If anyone notices any security issue or problem though please let me know. Thanks!
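As an added example (not the poster's scripts, which are not shown in the thread), here is one way to write the counter that the three auth lines above call. It folds wrongpassword.sh and rightpassword.sh into a single hypothetical script, pamcounter.sh, that takes a mode argument (pre or post) instead of looking at $PAM_TYPE, so it behaves the same whether or not the application ever runs the account stack. The script path, the per-user counter file under $STATE_DIR, and the LOCKOUT_CMD hook are assumptions; LOCKOUT_CMD defaults to a no-op so the demo can be run safely, and you would set it to the real shutdown command on the locked machine. One edge case is handled explicitly: because the pre line runs before pam_unix.so checks the password, the attempt being counted may still succeed, so only the earlier attempts count as known failures; otherwise a correct third password would itself trigger the lockout. The simulate_sequence function replays the fail-fail-success-success-fail-success sequence from the post to show the counter resetting on each success.

```shell
#!/bin/sh
# pamcounter.sh -- one pam_exec helper with two modes, standing in for the
# wrongpassword.sh / rightpassword.sh pair (added example, not the poster's code).
# Wired into /etc/pam.d/system-auth like this (path and name are assumptions):
#
#   auth optional  pam_exec.so /usr/local/sbin/pamcounter.sh pre
#   auth requisite pam_unix.so try_first_pass nullok
#   auth required  pam_exec.so /usr/local/sbin/pamcounter.sh post
#
# "pre" runs before the password is checked and counts the attempt; "post" is
# only reached after pam_unix.so succeeded and clears the count. The mode comes
# from the argument, not from PAM_TYPE, so it works when the application only
# ever runs the auth stack.

THRESHOLD="${THRESHOLD:-3}"                # failures allowed before lockout
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}}"   # real use: a dir only the i3lock user can write
# pam_exec exports PAM_USER; the fallback keeps stand-alone runs working.
COUNTER="${COUNTER:-$STATE_DIR/lockfail.${PAM_USER:-unknown}}"
# Action taken on lockout. Set to "systemctl poweroff" on the real box;
# the default ":" is a no-op so this example is safe to run.
LOCKOUT_CMD="${LOCKOUT_CMD:-:}"

# read_count FILE: print the stored count, or 0 if the file is missing or not a number.
read_count() {
    n=$(cat "$1" 2>/dev/null)
    case "$n" in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# record_attempt FILE LIMIT: bump the count and print OK or LOCKOUT.
# This runs before pam_unix.so, so the attempt just counted may still turn out
# to be correct; only the earlier (count - 1) attempts are known failures.
record_attempt() {
    n=$(( $(read_count "$1") + 1 ))
    printf '%s\n' "$n" > "$1"
    if [ $((n - 1)) -ge "$2" ]; then echo LOCKOUT; else echo OK; fi
}

# reset_attempts FILE: called only after a successful password, so failures
# never carry across a success (the fail-fail-success-... problem).
reset_attempts() {
    rm -f "$1"
}

# simulate_sequence: replay fail fail ok ok fail ok, then four straight failures,
# against a throwaway counter file. Prints "count:decision" per attempt.
simulate_sequence() {
    f=$(mktemp "${TMPDIR:-/tmp}/lockfail.XXXXXX")
    out=""
    for outcome in fail fail ok ok fail ok fail fail fail fail; do
        d=$(record_attempt "$f" "$THRESHOLD")
        out="$out $(read_count "$f"):$d"
        if [ "$outcome" = ok ]; then reset_attempts "$f"; fi
    done
    rm -f "$f"
    echo "${out# }"
}

case "${1:-}" in
    pre)
        if [ "$(record_attempt "$COUNTER" "$THRESHOLD")" = LOCKOUT ]; then
            $LOCKOUT_CMD
            exit 1
        fi
        ;;
    post) reset_attempts "$COUNTER" ;;
    demo) simulate_sequence ;;
esac
```

Running `sh pamcounter.sh demo` prints one entry per attempt; with the default threshold of 3 the counter climbs to 3 and drops back to 1 after each success, and only the fourth failure in a row produces LOCKOUT. Two things to check before relying on this: pam_exec runs the script with the privileges of the process calling PAM, so confirm that the shutdown command actually works from i3lock on your install rather than assuming it, and keep the counter file somewhere only that process can write, since anyone who can edit it can reset or inflate the count.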
I have full disk encryption, but I rarely ever turn off my computer, so the weakest link is my lock screen. I'm on Manjaro i3 and using i3lock, which uses PAM for authentication.
I would like to have the system shutdown after 3 failed attempts at the lockscreen. I came across this blog post that seemed to have a solution but it didn't work for me. https://cowboyprogrammer.org/2016/09/re … _password/
In the post he references common-auth and common-account. The i3lock script seems to use /etc/pam.d/i3lock which then has an include for /etc/pam.d/system-auth
I tried putting pam_exec.so /script.sh in both /etc/pam.d/i3lock (below the include) and /etc/pam.d/system-auth, and neither would reboot the system.
This is my system-auth as it is now:
auth     required pam_unix.so try_first_pass nullok
auth     optional pam_permit.so
auth     required pam_env.so
account  required pam_unix.so
account  optional pam_permit.so
account  required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session  required pam_limits.so
session  required pam_unix.so
session  optional pam_permit.so
and this is what's in i3lock:
#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#
auth include system-auth
The script I tried was the one referenced in the blog link above. Can someone help me out in setting this up? Thanks a lot.