Goal
- Accounts locked by faillock must not be unlocked (failure tally reset) by automated PAM services such as crond and systemd-user.
- As a user, I don't want the failed-login tally on my account to be reset by automated services, so that the lockout actually holds against brute-force password guessing.
Acceptance Criteria
- Lock a test account via faillock (exceed the configured deny count of failed logins), then:
- Verify that running a cron job as that user (crond) does not reset the tally: faillock --user USER still lists the failures and the account stays locked
- Verify that starting a user session via systemd-user does not reset the tally either.
Additional information
The following PAM rule resets the user's failure tally, i.e. unlocks the account, unconditionally whenever the account phase runs for that user:
account required pam_faillock.so
In the usual PAM workflow this is harmless: a locked user is rejected by pam_faillock during the auth phase, so the account phase is never reached.
However, automated services such as crond and systemd-user do not authenticate the user (no password is presented); they skip the auth phase and go straight to the account phase, so the rule above runs and resets the tally, unlocking the account.
The proposed change is to insert a pam_succeed_if rule directly before the pam_faillock account rule, so that those services jump over it:
account [success=1 default=ignore] pam_succeed_if.so service in crond:systemd-user
account required pam_faillock.so
With this, crond and systemd-user never execute pam_faillock in the account phase and therefore cannot reset the tally, while every other PAM service still runs it as before. Note that success=1 skips exactly one module, so the pam_succeed_if line must sit immediately above the pam_faillock line with nothing inserted between them; pam_succeed_if also logs a message each time its condition is not met unless the quiet option is given.
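The following audit script is an added example, not part of this ticket or of any distribution's PAM configuration. It decides whether the account-phase pam_faillock.so rule in a PAM file is shielded from a given service by an immediately preceding [success=1 default=ignore] pam_succeed_if.so "service in ..." rule, which is exactly the guard proposed above. The function name faillock_account_skipped_for and the two sample configuration files are assumptions constructed for the demonstration; the script goes slightly beyond the ticket by also showing that the guard leaves other services (here sshd) unaffected.

```shell
#!/bin/sh
# Added audit helper (example, not from the ticket): report whether the
# account-phase pam_faillock.so rule in PAM file $1 is skipped for service $2
# by a directly preceding "[success=1 default=ignore] pam_succeed_if.so
# service in a:b:c" rule.  Prints one of: skipped | runs | absent

faillock_account_skipped_for() {
    awk -v svc="$2" '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
        $1 != "account" { next }                          # only the account phase matters here
        {
            # Reassemble a bracketed control field such as [success=1 default=ignore];
            # afterwards i is the index of the module field
            if ($2 ~ /^\[/) {
                ctl = $2; i = 3
                while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            } else { ctl = $2; i = 3 }
            mod = $i
            args = ""
            for (j = i + 1; j <= NF; j++) args = args " " $j
            if (mod == "pam_faillock.so") {
                found = 1
                # success=1 jumps over exactly one module, so only the rule
                # directly above can shield pam_faillock.so from this service
                if (prev_mod == "pam_succeed_if.so" && prev_ctl ~ /success=1/ &&
                    prev_args ~ /service in /) {
                    split(prev_args, half, "service in ")
                    n = split(half[2], list, /[ :]/)   # colon-separated service list
                    for (k = 1; k <= n; k++) if (list[k] == svc) skipped = 1
                }
            }
            prev_mod = mod; prev_ctl = ctl; prev_args = args
        }
        END {
            if (!found)  { print "absent";  exit 2 }
            if (skipped) { print "skipped"; exit 0 }
            print "runs"; exit 1
        }
    ' "$1"
}

# Constructed sample files (not copied from any real system)
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Account stack as the ticket describes it today: pam_faillock always runs
cat > "$TMPD/weak" <<'EOF'
# constructed sample, account section only
account required pam_unix.so
account required pam_faillock.so
EOF

# Same stack with the proposed guard inserted directly above pam_faillock
cat > "$TMPD/fixed" <<'EOF'
account [success=1 default=ignore] pam_succeed_if.so service in crond:systemd-user
account required pam_faillock.so
account required pam_unix.so
EOF
WEAK="$TMPD/weak"
FIXED="$TMPD/fixed"

# crond and systemd-user must be "skipped" in the fixed file; an interactive
# service such as sshd must still show "runs" in both files
for svc in crond systemd-user sshd; do
    printf 'weak  %-13s %s\n' "$svc" "$(faillock_account_skipped_for "$WEAK" "$svc")"
    printf 'fixed %-13s %s\n' "$svc" "$(faillock_account_skipped_for "$FIXED" "$svc")"
done
```

Run it against the real file (for example faillock_account_skipped_for /etc/pam.d/password-auth crond) after applying the change; "runs" for crond or systemd-user means the guard is missing or not directly above the pam_faillock line, and "absent" means the account-phase rule is not in that file at all (it may be included from another one).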