Reboot phone after multiple pam auth failure

Here’s a simple thing you can do to force reboot the phone after 3 failed pin (or sudo, or whatever auth). Provided you encrypt your drive, if someone tries to brute force your phone, they will be dropped into the luks prompt where (hopefully) you have a much stronger passphrase.

First, write a script that will reboot the phone after being called 3 times, in /usr/local/bin/

case "$1" in
                rm -f "$F"
                exit 0
                [ ! -f "$F" ] && echo -n 0 > "$F"
                TRYN=$(cat "$F")
                if [ $TRYN == 3 ]; then
                        rm -f "$F"
                        systemctl reboot
                        echo -n "$TRYN" > "$F"
exit 1 

Make sure it’s owned by root and it has correct permissions

chown root:root /usr/local/bin/
sudo chmod 755 /usr/local/bin/

At that point you should try. Call that script 3 times and the phone should reboot. Calling it with reset should let you run it 3 more times. When everything is fine, you can edit you pam file.

Don’t mess up here, or you won’t be able to sudo anymore. If you want to be safe, open a new terminal/ssh session and drop into a root shell. If you really break it, you can always boot the phone with jumpdrive and fix your mess manually)

First, make a backup of the stock file:

cd /etc/pam.d
sudo cp common-auth common-auth.orig

Then edit common-auth (as root) and make it look like:

## change success=1 to success=2 (skip 2 modules instead of one in case of success)
auth    [success=2 default=ignore] nullok
## add the line below:
auth    optional               seteuid /usr/local/bin/
auth    requisite             
## add the line below:
auth    optional               seteuid /usr/local/bin/ reset
auth    required              
auth    required               unwrap

Then run sudo pam-auth-update (not sure if this one is really required).

That’s it. Now if you fail auth 3 times, the phone will reboot and the drive will be locked, needing your passphrase to decrypt it