I have managed to configure /etc/security/faillock.conf with the values I want. In this case, it is 5 tries and a defined lockout count of 20 minutes.
After running "authselect enable-feature with-faillock", I get the error message below.
No existing configuration detected.
I also checked that sssd is running but it says it is dead. Does sssd have to be running for faillock to be running? I also have no pam_faillock.so module in my conf files. Do I need to do some extra configs?
Thanks @iwalker
This is also a solution, but seeing that I don't need SSSD, I voted @label solution because it makes it clear I do not need SSSD. So I will just bootstrap the service without SSSD and just use --force to overwrite the existing files.
I have had success with the bootstrapping of the config files. However, after setting unlock_time = 1800 and deny = 5, I can see the deny counts with faillock --user . But when I run passwd -S the password status is still PS and not LK as expected.
Is there an extra config I need to do for authselect?
Extra observations:
- In /var/run/faillock/ I do see so it is locked supposedly.
- I also can log in with while it is supposedly locked. So it seems like this is a symbolic lock rather than the strict lock I need to have.
Where did I go wrong?