Comment 18 for bug 1927796

Richard Maciel Costa (richardmaciel) wrote :

Tested pam_faillock module for pam on bionic.

The test consisted of setting up pam_faillock with the following configuration, as described in the man page:

/etc/security/faillock.conf file example:
deny=4
unlock_time=1200
silent

/etc/pam.d/config file example:
auth required pam_faillock.so preauth
# optionally use requisite above if you do not want to prompt for the password
# on locked accounts
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
# if you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures
account required pam_unix.so

A new user 'joas' was created and its password set. Then, initially, 4 logins were made through ssh and terminal, using the correct password. All were successful.

User 'joas' was then logged out and 4 attempts to log in with an incorrect password were made. Since the pam_faillock module was set to lock on the 4th incorrect attempt, another try was done, this time with the correct password.

After confirming that the 'joas' account was locked by trying additional times with the correct password, the superuser account was used to display the account stats ('faillock --user joas') and then to unlock the 'joas' account ('faillock --user joas --reset').

Then, again 4 logins were made using the correct password, in order to check it was successfully authenticating.

Another test consisted of typing the wrong password 3 times, then typing the correct one, to make sure the PAM module was properly resetting the counter.
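The two scenarios above (lock on the 4th consecutive failure, reset of the tally by a later successful login, and the effect of 'faillock --reset' and of unlock_time) can be replayed offline against the same faillock.conf. The following is an added model written for this comment, not pam_faillock's own code: it parses the man-page style faillock.conf shown above into a dict and keeps a per-user tally the way the preauth/authfail/account stack behaves. The user name 'joas' is taken from the test; the injectable clock, the FaillockTally class and the fail_interval simplification (failures never age out of the tally, only the lock does) are assumptions of this model. The defaults of deny=3 and unlock_time=600 are the ones pam_faillock documents.

```python
"""Offline model of the pam_faillock tally exercised in the test above.
Constructed example: it is not pam_faillock's implementation and ignores
fail_interval; it parses a faillock.conf and replays login attempts."""
import time

# Constructed faillock.conf, identical to the one used in the test
FAILLOCK_CONF = """\
deny=4
unlock_time=1200
silent
"""


def parse_faillock_conf(text):
    """Return faillock.conf settings as a dict.

    'key=value' lines become key -> int (or str); bare keywords such as
    'silent' map to True. Comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = int(value) if value.isdigit() else value
        else:
            conf[line] = True
    return conf


class FaillockTally:
    """Per-user tally of consecutive authentication failures (hypothetical model)."""

    def __init__(self, conf, clock=time.time):
        # pam_faillock's documented defaults when the keys are absent
        self.deny = conf.get("deny", 3)
        self.unlock_time = conf.get("unlock_time", 600)
        self.clock = clock            # injectable so unlock_time can be tested
        self.failures = {}            # user -> list of failure timestamps

    def is_locked(self, user):
        """Locked when 'deny' failures are recorded and the last one is
        less than unlock_time seconds old."""
        fails = self.failures.get(user, [])
        if len(fails) < self.deny:
            return False
        return self.clock() - fails[-1] < self.unlock_time

    def attempt(self, user, password_ok):
        """Replay one pass through the auth stack. Returns True if login is allowed.

        preauth: a locked account is refused before the password is checked,
        so a correct password does not help while the lock is active.
        pam_unix + account: a successful login clears the tally.
        authfail: a wrong password records one more failure."""
        if self.is_locked(user):
            return False
        if password_ok:
            self.failures[user] = []
            return True
        self.failures.setdefault(user, []).append(self.clock())
        return False

    def status(self, user):
        """Number of recorded failures, roughly what 'faillock --user USER' lists."""
        return len(self.failures.get(user, []))

    def reset(self, user):
        """Equivalent of 'faillock --user USER --reset'."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    tally = FaillockTally(parse_faillock_conf(FAILLOCK_CONF))
    for _ in range(4):
        tally.attempt("joas", False)
    print("locked after 4 failures:", tally.is_locked("joas"))
    print("correct password while locked allowed:", tally.attempt("joas", True))
    tally.reset("joas")
    print("allowed after reset:", tally.attempt("joas", True))
```

The model is intentionally strict about ordering: because the tally is only cleared in the success path, three failures followed by a correct password leave the counter at 0, while the fourth consecutive failure locks the account until 'faillock --reset' is run or unlock_time has elapsed since the last failure.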