Here’s a simple thing you can do to force a reboot of the phone after 3 failed PIN attempts (or sudo, or any other authentication that goes through PAM). Provided your drive is encrypted, someone who tries to brute-force your PIN ends up back at the LUKS prompt, where (hopefully) you have a much stronger passphrase.
First, write a script that reboots the phone after being called 3 times, and save it as /usr/local/bin/on_auth_failure.sh:
#!/bin/bash
# The counter lives in /tmp so it disappears on reboot. Note that /tmp is
# world-writable, so on a multi-user machine another local account could
# pre-seed or corrupt it; on a single-user phone that is an acceptable trade-off.
F="/tmp/.auth_failure_counter"
case "$1" in
reset)
    # successful authentication: forget the previous failures
    rm -f "$F"
    exit 0
    ;;
*)
    [ ! -f "$F" ] && echo -n 0 > "$F"
    TRYN=$(cat "$F")
    # tolerate an empty or non-numeric counter file instead of erroring out
    case "$TRYN" in ''|*[!0-9]*) TRYN=0 ;; esac
    TRYN=$((TRYN+1))
    if [ "$TRYN" -ge 3 ]; then
        rm -f "$F"
        systemctl reboot
    else
        echo -n "$TRYN" > "$F"
    fi
    ;;
esac
# a non-zero exit is harmless here: the PAM module that calls us is "optional"
exit 1
Make sure it’s owned by root and has the correct permissions. This matters because pam_exec will run it as root (seteuid), so nobody but root may be able to write to it:
sudo chown root:root /usr/local/bin/on_auth_failure.sh
sudo chmod 755 /usr/local/bin/on_auth_failure.sh
Now test it. Call the script 3 times (with sudo, since systemctl reboot needs root) and the phone should reboot. Calling it with reset lets you run it 3 more times. Once that works, you can edit your PAM file.
Don’t mess this up, or you won’t be able to sudo any more. To be safe, open a second terminal/ssh session and drop into a root shell before editing, and keep it open until you have verified that sudo still works. If you really break it, you can always boot the phone with jumpdrive and fix your mess manually.
First, make a backup of the stock file:
cd /etc/pam.d
sudo cp common-auth common-auth.orig
Then edit common-auth (as root) and make it look like this. On success, pam_unix skips the next 2 modules (the failure hook and pam_deny) and lands on the reset hook; on failure, default=ignore falls through to the failure hook and then to pam_deny, which denies the login:
## change success=1 to success=2 (skip 2 modules instead of one in case of success)
auth [success=2 default=ignore] pam_unix.so nullok
## add the line below:
auth optional pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh
auth requisite pam_deny.so
## add the line below:
auth optional pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh reset
auth required pam_permit.so
auth required pam_ecryptfs.so unwrap
Running sudo pam-auth-update is not required: PAM reads /etc/pam.d on every authentication, so the change is live as soon as the file is saved. Be aware that pam-auth-update manages common-auth and detects manual edits; if it runs later (for example during a package upgrade) and asks whether to override local changes, answer no, or it will put the stock file back.
That’s it. Now after the third failed attempt the phone reboots and the drive is locked again, so the LUKS passphrase is needed before anything else can happen. The counter is kept in /tmp, so it also resets on every reboot.
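The success=2 detail is the part that is easy to get wrong, and a mistake there locks you out of sudo. The script below is an added example, not part of the original post: it walks a constructed copy of the common-auth stack above with the four control flags used there (the [success=N default=ignore] bracket form, requisite, required and optional) and prints which pam_exec hook would run and whether the login is allowed. It assumes pam_unix returns whatever outcome you pass in, that the exit status of pam_exec does not matter because that module is "optional", and that pam_ecryptfs succeeds; it is a model of this stack, not a general PAM parser.

```bash
#!/bin/sh
# Constructed simulation of how PAM walks the auth stack from the post.
# Usage: simulate_auth ok|fail N
#   $1 = outcome of pam_unix, $2 = N in "[success=N default=ignore]"
# Prints each pam_exec hook that ran, then the final verdict, one per line.
simulate_auth() {
    unix_result=$1
    # copy of the post's common-auth; only N on the first line is varied
    stack="[success=$2 default=ignore] pam_unix.so nullok
optional pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh
requisite pam_deny.so
optional pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh reset
required pam_permit.so
required pam_ecryptfs.so unwrap"
    total=$(printf '%s\n' "$stack" | wc -l | tr -d ' ')
    i=1 verdict="" ran=""
    while [ "$i" -le "$total" ]; do
        line=$(printf '%s\n' "$stack" | sed -n "${i}p")
        # split off the control field; it may be the bracketed form
        case $line in
            \[*) ctrl="${line%%]*}]"; line="${line#*] }" ;;
            *)   ctrl="${line%% *}";  line="${line#* }" ;;
        esac
        set -- $line
        module=$1; shift; args="$*"
        # outcome of this module (assumptions stated in the lead-in)
        case $module in
            pam_unix.so) result=$unix_result ;;
            pam_deny.so) result=fail ;;
            pam_exec.so)
                case $args in
                    *reset) ran="${ran}hook:reset
" ;;
                    *)      ran="${ran}hook:count-failure
" ;;
                esac
                result=fail ;;
            *) result=ok ;;
        esac
        # control flag semantics
        case $ctrl in
            \[success=*)
                # success=N: on success skip the next N modules;
                # default=ignore: on failure just continue down the stack
                if [ "$result" = ok ]; then
                    skip=${ctrl#\[success=}; skip=${skip%% *}
                    i=$((i + 1 + skip))
                    continue
                fi ;;
            requisite)
                # a failure ends the stack immediately with a denial
                if [ "$result" = fail ]; then verdict=denied; break; fi ;;
            required)
                # a failure is remembered but the rest of the stack still runs
                if [ "$result" = fail ]; then verdict=denied; fi ;;
            optional) ;;
        esac
        i=$((i + 1))
    done
    printf '%s%s\n' "$ran" "${verdict:-allowed}"
}

simulate_auth ok 1    # stock Debian success=1: correct password lands on pam_deny
simulate_auth ok 2    # the post's setting: correct password runs the reset hook
simulate_auth fail 2  # wrong password: counter hook runs, then pam_deny denies
```

The first call shows why the stock success=1 cannot be kept once the failure hook is inserted: a correct password would skip only the hook and hit pam_deny, so every login would be refused. The third call shows that the counter hook runs before pam_deny, which is why the reboot fires on the third wrong attempt rather than the fourth.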