Limit on PAM authentication tries?

arip
Community Member

Currently it seems like I can try to authenticate with PAM to unlock 1Password as many times as I want. I'd like to be able to have fingerprint unlock for 1Password, without allowing unlimited tries, since I don't fully trust the security of the fingerprint reader.


1Password Version: 8.10.0
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser: Not Provided

Comments

  • jpgoldberg
    1Password Alumni

    I don't have an answer for you (as I don't have a Linux system at hand to test with), but I very strongly suspect that the answer will involve pam_faillock, which is a Linux Pluggable Authentication Module specifically designed to configure retry limits and retry delays for things like this.

    But I am merely foreshadowing what I expect people who know better will say.

  • Hey @arip, I reached out to some of our developers to get clarification on this. This is typically handled by PAM - we ask PAM to authenticate and it returns a pass/fail. So ultimately, how it authenticates is up to how PAM is configured. You can find some additional details on PAM configurations here: https://linux.die.net/man/8/pam_tally

    Let me know if this helps or if you have any questions.

    Ali

  • arip
    Community Member

    I agree that it would be best to let PAM handle this, but setting up pam_faillock2 (pam_tally isn't available on Ubuntu 22.04) is not super straightforward, and mucking with the PAM configuration manually is scary and can result in a less secure system.

  • AliH1P

    Hey @arip, I apologize for my delayed response. I understand your concerns here and will pass your comment along to our developers.

    Let me know if there's anything else we can help with at this time.

    Ali

This discussion has been closed.
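
A read-only way to check whether a PAM service's auth stack enforces a pam_faillock retry limit, added here as an example; it is not part of the original thread or of 1Password's code. The sample stacks and faillock.conf text are constructed, and because the thread does not say which PAM service file 1Password's unlock uses, the file contents are passed in as text.

```python
import re

DEFAULT_DENY = 3  # pam_faillock's documented default when "deny" is unset

def parse_pam_auth(text):
    """Yield (control, module, args) for each 'auth' rule in a PAM service file."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):  # included files need their own check
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == "auth":
            yield m.group(2), m.group(3), m.group(4).split()

def conf_value(conf_text, key):
    """Return the value of 'key = value' in faillock.conf text, or None."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None

def faillock_status(service_text, conf_text=""):
    """Report whether the auth stack has both faillock hooks and the deny limit."""
    modes, deny = set(), None
    for _control, module, args in parse_pam_auth(service_text):
        if module.rsplit("/", 1)[-1] != "pam_faillock.so":
            continue
        modes.update(a for a in args if a in ("preauth", "authfail", "authsucc"))
        for a in args:
            if a.startswith("deny="):  # module arguments override faillock.conf
                deny = int(a[5:])
    if deny is None:
        v = conf_value(conf_text, "deny")
        deny = int(v) if v else DEFAULT_DENY
    enforced = {"preauth", "authfail"} <= modes  # both hooks are needed to count and block
    return {"enforced": enforced, "deny": deny if enforced else None, "modes": sorted(modes)}

# Constructed sample: no lockout module, so failures are never counted.
NO_LIMIT = "auth sufficient pam_unix.so\nauth required pam_deny.so\n"
# Constructed sample: the same stack wrapped with pam_faillock.
WITH_LIMIT = ("auth required pam_faillock.so preauth\n"
              "auth sufficient pam_unix.so\n"
              "auth [default=die] pam_faillock.so authfail\n"
              "auth required pam_deny.so\n")
SAMPLE_CONF = "deny = 5   # constructed faillock.conf value\n"
```

On Ubuntu the service files under /etc/pam.d usually pull in shared stacks with `@include`, so the included file has to be checked as well.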