Limit on PAM authentication tries?
Currently it seems like I can try to authenticate with PAM to unlock 1Password as many times as I want. I'd like to be able to have fingerprint unlock for 1Password, without allowing unlimited tries, since I don't fully trust the security of the fingerprint reader.
1Password Version: 8.10.0
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser: Not Provided
Comments
-
I don't have an answer for you (as I don't have a Linux system at hand to test with), but I very strongly suspect that the answer will involve pam_faillock, which is a Linux Pluggable Authentication Module specifically designed to configure retry limits and retry delays for things like this. But I am merely foreshadowing what I expect people who know better will say.
0 -
Hey @arip, I reached out to some of our developers to get clarification on this. This is typically handled by PAM - we ask PAM to authenticate and it returns a pass/fail. So ultimately, how it authenticates is up to how PAM is configured. You can find some additional details on PAM configurations here: https://linux.die.net/man/8/pam_tally
Let me know if this helps or if you have any questions.
Ali
0 -
I agree that it would be best to let PAM handle this, but setting up pam_faillock2 (pam_tally isn't available on Ubuntu 22.04) is not super straightforward, and mucking with the PAM configuration manually is scary and can result in a less secure system.
0
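Added example (not part of the thread, and not 1Password's or any distribution's own configuration): a small Python lint for the concern raised in the last comment, checking that a PAM service file calls pam_faillock in the order its manual describes, with an authfail call after the credential modules to record failures and a preauth call before them (or an authsucc call after them) to apply the lock. The set of credential modules, the sample stacks and the function names are assumptions made for illustration; the check looks at line order only and does not follow control jumps such as success=1, and which service file applies to 1Password is not stated in the thread.

```python
import re
# Assumption: the modules that actually verify the user in the stack being checked.
CRED_MODULES = {"pam_unix.so", "pam_fprintd.so"}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Parse PAM rule lines into (type, control, module, args) tuples."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # blank lines, comments and @include lines do not match
            mtype, control, module, args = m.groups()
            rules.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def check_faillock(text):
    """Return pam_faillock placement problems in the auth stack ([] if none found)."""
    auth = [r for r in parse_stack(text) if r[0] == "auth"]
    cred = [i for i, r in enumerate(auth) if r[2] in CRED_MODULES]
    if not cred:
        return ["no credential module found in the auth stack"]
    def calls(mode):
        return [i for i, r in enumerate(auth)
                if r[2] == "pam_faillock.so" and mode in r[3]]
    problems = []
    if not any(i > cred[-1] for i in calls("authfail")):
        problems.append("failures not recorded: no authfail after the credential modules")
    if not (any(i < cred[0] for i in calls("preauth"))
            or any(i > cred[-1] for i in calls("authsucc"))):
        problems.append("lock not enforced: no preauth before or authsucc after them")
    return problems

# Constructed sample stacks, not taken from a real system or from 1Password.
GOOD = """\
auth     required       pam_faillock.so preauth deny=3 unlock_time=600
auth     sufficient     pam_fprintd.so
auth     [default=die]  pam_faillock.so authfail deny=3 unlock_time=600
auth     required       pam_deny.so
account  required       pam_faillock.so
"""
WRONG_ORDER = """\
auth     [default=die]  pam_faillock.so authfail deny=3
auth     sufficient     pam_fprintd.so
auth     required       pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("WRONG_ORDER", WRONG_ORDER)):
        print(name, check_faillock(stack) or "ok")
```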