What does the "Valid" column mean in the output of "faillock"?
I was looking into unlocking my login after too many incorrect password attempts. I found this post about it. Doing faillock --user $(whoami) --reset did indeed unlock the login.
However, what exactly is the output of faillock and how do I interpret it?
When I ran it while I was locked out, the output was something like this:
```
$ faillock
my_username:
When                Type  Source      Valid
2023-08-02 14:39:43 TTY   /dev/pts/1  V
2023-08-02 14:39:44 TTY   /dev/pts/1  V
...
```
When I run it after unlocking, there are no rows, only a header. I assume this is a list of failed login attempts, but then why is there a tick mark under Valid?
There is a brief man page about this program, but it doesn't mention anything about this "valid" thing.
1 answer
A good explanation is given on the Red Hat Customer Portal. TL;DR: The Valid field indicates whether a record counts toward the lockout threshold (V) or not (I).
The key seems to be the meaning of the fail_interval configuration setting. From the manpage of faillock.conf:

```
deny=n
    Deny access if the number of consecutive authentication failures for this
    user during the recent interval exceeds n. The default is 3.

fail_interval=n
    The length of the interval during which the consecutive authentication
    failures must happen for the user account lock out is n seconds. The
    default is 900 (15 minutes).
```
So, pam_faillock will only lock out a user if deny failed attempts were made within the fail_interval.
However, the "fail" history displayed by faillock may reach further back in time, and show attempts that fall outside of the current fail_interval (i.e. older than fail_interval seconds from "now"). These wouldn't count to the locking threshold, and are therefore "invalid" for the purposes of pam_faillock.
This is not well documented, but can be inferred from the source code of pam_faillock.c:

```c
/* Excerpt: for each record in the tally, decide whether it still counts. */
if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
    opts->now - tallies->records[i].time >= opts->fail_interval) {
    /* Too old (or the account has been unlocked): drop the VALID bit. */
    tallies->records[i].status &= ~TALLY_STATUS_VALID;
} else {
    /* Recent enough: this one counts toward deny. */
    ++failures;
}
```
So, a record in the tally file does not count towards the threshold if the time attribute of the entry is further away from now than the fail_interval (or if the unlock_time has passed since the last lock); instead, the TALLY_STATUS_VALID flag is removed from such a record, which would cause it to be labelled I in the output instead of V.
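To make the V/I rule concrete, here is an added, self-constructed mirror of that loop (not pam_faillock's own code): the struct names and the threshold comparison `failures >= deny` are this example's assumptions, and the tally records are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified stand-ins for pam_faillock's internal types. */
#define TALLY_STATUS_VALID     0x1
#define FAILLOCK_FLAG_UNLOCKED 0x1

struct record { int64_t time; unsigned status; const char *source; };
struct opts   { unsigned flags; int64_t now; int64_t fail_interval; unsigned deny; };
struct result { unsigned failures; int locked; };

/* Same decision as the quoted loop: a record older than fail_interval
   (or every record once UNLOCKED is set) loses VALID and prints as I;
   the rest keep V and are counted. */
unsigned count_failures(const struct opts *o, struct record *r, size_t n)
{
    unsigned failures = 0;
    for (size_t i = 0; i < n; i++) {
        if ((o->flags & FAILLOCK_FLAG_UNLOCKED) ||
            o->now - r[i].time >= o->fail_interval)
            r[i].status &= ~TALLY_STATUS_VALID;
        else
            ++failures;
    }
    return failures;
}

/* Render the tally the way faillock's listing does (time as epoch seconds). */
void print_tally(const char *user, const struct record *r, size_t n)
{
    printf("%s:\nWhen Type Source Valid\n", user);
    for (size_t i = 0; i < n; i++)
        printf("%lld TTY %s %c\n", (long long)r[i].time, r[i].source,
               (r[i].status & TALLY_STATUS_VALID) ? 'V' : 'I');
}

/* Constructed tally: one failure 20 minutes ago, three within the last minute. */
struct result demo(int64_t now, int64_t fail_interval, unsigned deny, unsigned flags)
{
    struct record r[] = {
        { now - 1200, TALLY_STATUS_VALID, "/dev/pts/1" },
        { now - 50,   TALLY_STATUS_VALID, "/dev/pts/1" },
        { now - 40,   TALLY_STATUS_VALID, "/dev/pts/1" },
        { now - 30,   TALLY_STATUS_VALID, "/dev/pts/1" },
    };
    struct opts o = { flags, now, fail_interval, deny };
    struct result res;
    res.failures = count_failures(&o, r, 4);
    res.locked = (deny != 0 && res.failures >= deny);   /* assumed threshold test */
    print_tally("my_username", r, 4);
    return res;
}

int main(void) { demo(1000000, 900, 3, 0); return 0; }
```

With the defaults (fail_interval=900, deny=3) the 20-minute-old record shows as I and the three recent ones as V, which is enough to lock; after a reset or an expired unlock_time the UNLOCKED flag turns every row to I.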