Linux

What is the difference between lock_time and unlock_time in pam_tally2?

  • October 12, 2021

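I realize that pam_tally2 is deprecated in favor of pam_faillock, but I have to use it anyway. I don't understand the difference between these two options. They sound exactly the same to me: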

          lock_time=n
              Always deny for n seconds after failed attempt.

          unlock_time=n
              Allow access after n seconds after failed attempt. If
              this option is used the user will be locked out for the
              specified amount of time after he exceeded his maximum
              allowed attempts. Otherwise the account is locked until
              the lock is removed by a manual intervention of the
              system administrator.

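It would be clearer if the description of lock_time read "after each failed attempt". lock_time blocks further login attempts for n seconds as soon as a login attempt fails. unlock_time blocks login attempts for n seconds after the maximum allowed failed login attempts (specified with deny=n).

You can look at the source code and see that unlock_time is only used inside the deny check block, while lock_time is used on every count check.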

Quoted from: https://unix.stackexchange.com/questions/672832
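A simplified model of the check order the answer describes, added here as an example and not taken from the pam_tally2 source. The struct, enum and function names are hypothetical, and it assumes the failure counter already includes the attempt being checked and that access is denied once the counter exceeds deny.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of the check order described above; not pam_tally2 source.
 * All names here are hypothetical. */
struct tally_opts { unsigned deny; long lock_time; long unlock_time; };
enum verdict { ALLOW, DENY_LOCK_TIME, DENY_OVER_LIMIT };

/* fail_cnt:  failure counter, assumed to already include this attempt.
 * prev_fail: time of the previous failed attempt, 0 if there was none. */
enum verdict tally_check(const struct tally_opts *o, unsigned fail_cnt,
                         time_t prev_fail, time_t now)
{
    if (o->deny != 0 && fail_cnt > o->deny) {
        /* deny branch: the only place unlock_time is consulted */
        if (prev_fail != 0 && o->unlock_time != 0 &&
            prev_fail + o->unlock_time <= now)
            return ALLOW;            /* lockout has expired */
        return DENY_OVER_LIMIT;      /* unlock_time=0: until manual reset */
    }
    /* below the deny threshold: lock_time throttles every retry */
    if (o->lock_time != 0 && prev_fail != 0 &&
        prev_fail + o->lock_time > now)
        return DENY_LOCK_TIME;
    return ALLOW;
}

int main(void)
{
    /* Constructed values: deny=3 lock_time=5 unlock_time=600 */
    struct tally_opts o = { 3, 5, 600 };
    static const char *name[] = { "allow", "deny (lock_time)", "deny (over limit)" };
    struct { unsigned cnt; time_t prev, now; } t[] = {
        { 1, 0, 100 }, { 2, 100, 102 }, { 2, 100, 105 },
        { 4, 110, 200 }, { 4, 110, 710 },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("cnt=%u prev=%ld now=%ld -> %s\n", t[i].cnt, (long)t[i].prev,
               (long)t[i].now, name[tally_check(&o, t[i].cnt, t[i].prev, t[i].now)]);
    return 0;
}
```

With unlock_time set to 0 the over-limit branch never returns ALLOW, which matches the man page text about the lock staying until an administrator removes it.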