Description of problem:
This issue has been raised within:
when trying to implement the RHEL7 STIG: CCI-002238 rule. The pam_faillock PAM module has the option 'unlock_time', which specifies how long (in seconds) the account in question stays locked before it is unlocked again. The maximum / upper bound of the allowed value is one week:

    #define MAX_TIME_INTERVAL 604800 /* 7 days */

Since RHEL7 STIG: CCI-002238 requires the account to stay locked until it is manually unlocked by the system administrator, it is (right now) not possible to implement this rule via the pam_faillock module.
Therefore it would be nice if some special value (e.g. zero / 0) were also accepted, to instruct pam_faillock that the account in question should not be unlocked until an administrator does so manually.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use pam_faillock and try to configure it so that the account is not unlocked until the system administrator explicitly does so manually.
Maximum allowed value is '604800', i.e. one week.
Maximum allowed value should be "forever" (until unlocked by the sysadmin).
Maybe the value zero (0) could be used for this case for unprivileged user accounts. This option / value should be forbidden for privileged / root accounts.
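To make the cap and the proposed "never unlock" value concrete, the following is a small Python model of the lock decision, added here as an illustration; it is not pam_faillock's code. It uses the real option names deny, fail_interval and unlock_time, takes MAX_TIME_INTERVAL from the macro quoted above, and treats unlock_time=0 as "locked until an administrator resets the tally", as proposed in this report (with a flag so a caller can refuse that value for root). The tally bookkeeping is deliberately simplified (a failure window measured from the latest failure) and is an assumption of this model, not a description of the module's internals.

```python
"""Simplified model of pam_faillock's lock decision (added example, not pam_faillock code)."""

MAX_TIME_INTERVAL = 604800  # 7 days: the cap quoted from pam_faillock.c in the report


def parse_unlock_time(value, allow_never=False):
    """Parse an unlock_time= argument the way a bounded module would.

    Values above MAX_TIME_INTERVAL are rejected (the report only states that
    one week is the maximum; rejecting rather than clamping is this model's
    choice).  0 models the proposed "never unlock" value and is accepted only
    when allow_never is set, so a caller can refuse it for root as the report
    suggests.
    """
    n = int(value)
    if n < 0:
        raise ValueError("unlock_time must not be negative")
    if n > MAX_TIME_INTERVAL:
        raise ValueError(f"unlock_time={n} exceeds MAX_TIME_INTERVAL ({MAX_TIME_INTERVAL})")
    if n == 0 and not allow_never:
        raise ValueError("unlock_time=0 ('never') is not permitted for this account")
    return n


def is_locked(failure_times, now, deny=3, fail_interval=900, unlock_time=600):
    """Return True if the account should be denied at epoch time `now`.

    failure_times: epoch seconds of recorded failed logins (the tally).
    A lock is triggered when at least `deny` failures fall within
    `fail_interval` seconds of the most recent one.  The lock then lasts
    `unlock_time` seconds after that failure, or, when unlock_time is 0,
    until reset_user() clears the tally (the "manual unlock" of the report).
    """
    if not failure_times:
        return False
    latest = max(failure_times)
    in_window = sum(1 for t in failure_times if latest - t <= fail_interval)
    if in_window < deny:
        return False
    if unlock_time == 0:
        return True  # never: only an administrator reset lifts the lock
    return now < latest + unlock_time


def reset_user(failure_times):
    """Model of the administrator reset: clear the user's tally in place."""
    failure_times.clear()
    return failure_times


if __name__ == "__main__":
    # Constructed sample: three failures within 20 seconds at epoch 0.
    tally = [0, 10, 20]
    print("locked now:", is_locked(tally, now=30))                      # True
    print("locked after 10 min:", is_locked(tally, now=700))            # False
    week = parse_unlock_time("604800")
    print("locked after a month at the cap:",
          is_locked(tally, now=30 * 86400, unlock_time=week))           # False
    print("locked after a month with never:",
          is_locked(tally, now=30 * 86400, unlock_time=0))              # True
    reset_user(tally)
    print("locked after admin reset:", is_locked(tally, now=30 * 86400, unlock_time=0))  # False
```

On a RHEL7 system the administrator-side reset that the unlock_time=0 case depends on is `faillock --user <name> --reset`, and `faillock --user <name>` shows the current tally; the model above only mimics what that reset does to the decision.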
I need to second this request. It is a total show stopper for my company. We have tried to drop back to pam_tally2 but are having systemd/polkit/X/gdm integration issues.
*** This bug has been marked as a duplicate of bug 1273373 ***