Photon OS 3.0 update the maximum failed OS login attempts

A client of mine was looking on how to update the maximum failed OS login attempts because they were having an issue with the monitoring solution locking the root user account on the VMware Unified Access Gateway 2212. This version of the UAG is based on photon OS 3.0.

He asked me to verify where to change the configuration to update the maximum failed OS login attempts. This is normally set at UAG deploy time and there is no option to change it afterwards easily.

Be aware that this is a rather unconventional change because these values shouldn’t be changed from the default, especially if you want to be compliant with CIS audits for example.

This is the default and also the line that you need to change

Open system-auth located in /etc/pam.d

  • deny=3

Change the deny=3 to the maximum value you want. If you change it to 0 (zero) it will never deny based on the maximum failed OS login attempts for all local users

  • even_deny_root

Leave it out if it shouldn’t deny the root user being locked out on the maximum failed OS login

  • unlock_time=86400

Default unlock time for all users

  • root_unlock_time=300

Unlock time for the root user account

Source: https://www.stigviewer.com/stig/vmware_vsphere_6.7_photon_os/2022-09-27/