Pam_tally2 counts selecting a different user in lightdm-greeter as failed login attempt (Ubuntu 18.04)

Asked by Dominik Zäuner on 2021-01-07

Due to some other technical limitations, I have to use lightdm and lightdm-greeter on Ubuntu 18.04.5.

I have the new requirement to lock users after 4 unsuccessful login attempts. So I've made the following changes to the configuration:

/etc/pam.d/common-auth: added
auth required pam_tally2.so deny=4 unlock_time=60 onerr=succeed
before the pam_unix.so line

/etc/pam.d/common-account: added
account required pam_tally2.so
before the pam_unix.so line

/etc/pam.d/lightdm:
disabled pam_succeed_if.so user ingroup nopasswdlogin as it is unused but created a warning
disabled all mentions of pam_kwallet*.so as it's not installed

Unfortunately, now every time you select a different user on lightdm-greeter, it is counted as a failed login attempt.

/var/log/auth.log:
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 5, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 5, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 6, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 7, deny 4
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 6, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 8, deny 4
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 7, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 9, deny 4

Worst case this means that you are blocked by pam_tally2, wait to be unlocked, click a user, tally counts that and blocks you again. This could result in a situation where all users are blocked from logging in through lightdm-greeter.
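An added example, not part of the original question: a small Python parser for the pam_tally2 lines quoted above that reports each user's latest tally and whether every user seen is over the limit, which is the worst case the question describes. The function names are hypothetical, and the "locked" flag assumes the pam_tally2(8) rule that access is denied once the tally exceeds deny.

```python
import re

# Sample input: the log excerpt copied from the question above. The usual
# syslog timestamp/host prefix is absent there; search() tolerates it if present.
SAMPLE_LOG = """\
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 5, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 5, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 6, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 7, deny 4
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 6, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 8, deny 4
lightdm: pam_tally2(lightdm:auth): user user2 (1001) tally 7, deny 4
lightdm: pam_tally2(lightdm:auth): user user1 (1000) tally 9, deny 4
"""

# Matches "pam_tally2(<service>:auth): user <name> (<uid>) tally <n>, deny <m>"
TALLY_RE = re.compile(
    r"pam_tally2\((?P<service>[^:)]+):auth\): "
    r"user (?P<user>\S+) \((?P<uid>\d+)\) tally (?P<tally>\d+), deny (?P<deny>\d+)"
)

def summarize(log_text):
    """Return {user: {uid, events, tally, deny, locked}} from auth.log text."""
    users = {}
    for line in log_text.splitlines():
        m = TALLY_RE.search(line)
        if not m:
            continue  # not a pam_tally2 tally line
        entry = users.setdefault(m["user"], {"uid": int(m["uid"]), "events": 0})
        entry["events"] += 1
        entry["tally"] = int(m["tally"])   # last line seen wins
        entry["deny"] = int(m["deny"])
        # Assumption (pam_tally2(8)): denied when the tally exceeds deny.
        # This is the state as of the last line; unlock_time is not modelled.
        entry["locked"] = entry["tally"] > entry["deny"]
    return users

def all_locked(users):
    """True when at least one user was seen and every one is over the limit."""
    return bool(users) and all(u["locked"] for u in users.values())

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, e in summary.items():
        print(f"{name} uid={e['uid']} tally={e['tally']} deny={e['deny']} locked={e['locked']}")
    print("all users locked:", all_locked(summary))
```

Pointing summarize() at the contents of /var/log/auth.log gives the same per-user view for a live system.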

Question information

Language: English
Status: Expired
For: Ubuntu lightdm
Assignee: No assignee
Last query: 2021-01-07
Last reply: 3 hours ago

Launchpad Janitor (janitor) said : #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.