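I realize pam_tally2 is deprecated in favor of pam_faillock, but I have to use it anyway. I don't understand the difference between these two options. They sound exactly the same to me: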
lock_time=n
    Always deny for n seconds after failed attempt.

unlock_time=n
    Allow access after n seconds after failed attempt. If
    this option is used the user will be locked out for the
    specified amount of time after he exceeded his maximum
    allowed attempts. Otherwise the account is locked until
    the lock is removed by a manual intervention of the
    system administrator.
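To be clearer, the description of lock_time would be "after each failed attempt". lock_time blocks further login attempts for n seconds as soon as a login attempt fails. unlock_time blocks login attempts for n seconds after the maximum allowed failed login attempts (specified with deny=n). You can look at the source code to see that unlock_time is only used in the deny check block, and lock_time is used for every count check.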
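Added example, not part of the original answer and not pam_tally2's own code: a simplified C model of the two checks described above, replayed over a constructed timeline with deny=3, lock_time=5 and unlock_time=60. The struct and function names, and the rules that a rejected attempt leaves the tally unchanged and a successful login clears it, are assumptions of this model.

```c
#include <stdio.h>

/* Simplified model of the lock_time / unlock_time logic described above.
   Not pam_tally2 source. Model assumptions: a rejected attempt changes no
   state, a successful login clears the counter, root is not special-cased. */
enum result { PW_OK, PW_BAD, DENIED_LOCK_TIME, DENIED_LOCKED_OUT };

struct opts  { int deny; long lock_time; long unlock_time; }; /* 0 = unset */
struct tally { int fail_cnt; long last_fail; };

enum result attempt(struct tally *t, const struct opts *o, long now, int good)
{
    if (o->deny && t->fail_cnt >= o->deny) {
        /* deny block: the only place unlock_time is consulted */
        if (!o->unlock_time || now < t->last_fail + o->unlock_time)
            return DENIED_LOCKED_OUT; /* unlock_time unset: locked until admin reset */
    } else if (o->lock_time && t->fail_cnt > 0 &&
               now < t->last_fail + o->lock_time) {
        /* delay after any single failure, even far below the deny threshold */
        return DENIED_LOCK_TIME;
    }
    if (good) { t->fail_cnt = 0; return PW_OK; }
    t->fail_cnt++;
    t->last_fail = now;
    return PW_BAD;
}

/* Constructed timeline: attempt time in seconds, and whether the password is correct */
static const long when[]  = { 0, 2, 6, 12, 20, 72 };
static const int  pw_ok[] = { 0, 1, 0,  0,  1,  1 };
enum { STEPS = 6 };

/* Replay the timeline from a clean tally and return the outcome of step i. */
enum result demo_result(int i)
{
    const struct opts o = { 3, 5, 60 }; /* deny=3 lock_time=5 unlock_time=60 */
    struct tally t = { 0, 0 };
    enum result r = PW_OK;
    for (int s = 0; s <= i && s < STEPS; s++)
        r = attempt(&t, &o, when[s], pw_ok[s]);
    return r;
}

int main(void)
{
    static const char *name[] = { "password accepted", "password rejected",
        "denied by lock_time", "denied: over deny, unlock_time not elapsed" };
    for (int i = 0; i < STEPS; i++)
        printf("t=%2lds  %s\n", when[i], name[demo_result(i)]);
    return 0;
}
```

In this model the correct password at t=2 is still refused because of lock_time after a single failure, while the refusal at t=20 comes from the deny threshold and lifts only once unlock_time has passed since the last failure.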