summaryrefslogtreecommitdiff
path: root/modules/pam_lastlog/README
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_lastlog/README')
-rw-r--r--modules/pam_lastlog/README21
1 files changed, 20 insertions, 1 deletions
diff --git a/modules/pam_lastlog/README b/modules/pam_lastlog/README
index c7149487..38a3065a 100644
--- a/modules/pam_lastlog/README
+++ b/modules/pam_lastlog/README
@@ -1,4 +1,5 @@
-pam_lastlog — PAM module to display date of last login
+pam_lastlog — PAM module to display date of last login and perform inactive
+account lock out
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -10,6 +11,10 @@ login of the user. In addition, the module maintains the /var/log/lastlog file.
Some applications may perform this function themselves. In such cases, this
module is not necessary.
+If the module is called in the auth or account phase, the accounts that were
+not used recently enough will be disallowed to log in. The check is not
+performed for the root account so the root is never locked out.
+
OPTIONS
debug
@@ -52,6 +57,12 @@ showfailed
Display number of failed login attempts and the date of the last failed
attempt from btmp. The date is not displayed when nodate is specified.
+inactive=<days>
+
+ This option is specific for the auth or account phase. It specifies the
+ number of days after the last login of the user when the user will be
+ locked out by the module. The default value is 90.
+
EXAMPLES
Add the following line to /etc/pam.d/login to display the last login time of an
@@ -60,7 +71,15 @@ user:
session required pam_lastlog.so nowtmp
+To reject the user if he did not login during the previous 50 days the
+following line can be used:
+
+ auth required pam_lastlog.so inactive=50
+
+
AUTHOR
pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
+Inactive account lock out added by Tomáš Mráz <tm@t8m.info>.
+