I am using Solaris 9. I want to lock an account when the number of
continuous failed logins reaches 5.
Is there a way to do this? I have made the following entry in
/etc/default/login
RETRIES=5
This doesn't seem to be sufficient as the account doesn't get locked even
after 5 failed logins.
Are there any other settings that need to be done?
Thanks in advance
__jakal__
3/11/2005 5:01:56 AM
On 2005-03-11, __jakal__ <jakal@jakal.com> wrote:
> I am using Solaris 9. I want to lock an account when the number of
> continuous failed logins reaches 5.
> Is there a way to do this? I have made the following entry in
> /etc/default/login
> RETRIES=5
This is just the limit during one login process (see login(1)). This does
not disable the login in question after $RETRIES unsuccessful attempts.
Have you considered the PAM_login_limit module [1]?
However, I do not think that the implementation of such a policy is a
wise decision. There was once an institution that had a limit of three
unsuccessful tries in a row. An unknown attacker got a list of all
accounts and scripted three invalid login attempts for all of them.
The next morning nobody could log in.
Andreas.
[1] http://www.comsmiths.com.au/pam/
comp
3/11/2005 7:26:05 AM
__jakal__ wrote:
> I am using Solaris 9. I want to lock an account when the number of
> continuous failed logins reaches 5.
Upgrade to Solaris 10 and edit /etc/security/policy.conf
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
Oscar
3/11/2005 1:07:15 PM
On Fri, 11 Mar 2005, __jakal__ wrote:
> I am using Solaris 9. I want to lock an account when the number of
> continuous failed logins reaches 5.
Not a great idea. How will you log in as root to fix things after
some joker deliberately locks out root?
> Is there a way to do this? I have made the following entry in
> /etc/default/login
> RETRIES=5
I don't think Solaris 9 does this out of the box (although 10 does).
You'll either need some 3rd party SW or upgrade to S10.
HTH,
--
Rich Teer, SCNA, SCSA
President,
Rite Online Inc.
Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
Rich
3/11/2005 3:22:39 PM
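The settings discussed in this thread, as an added example that is not part of any poster's message: a shell check that reads copies of /etc/default/login, /etc/security/policy.conf and user_attr(4) and reports whether failed logins would lock a given local account. The file contents are constructed samples and the function names are made up for this example; it assumes that on Solaris 10 the lock threshold is the RETRIES value and that user_attr lines have the layout user:qualifier:res1:res2:attributes.

```shell
#!/bin/sh
# Added example: decide, from copies of the files named in the thread,
# whether repeated failed logins would lock a local account.

# Print the value of the last uncommented KEY=value line in FILE.
conf_value() {   # FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print USER's lock_after_retries override from a user_attr(4) file, if any.
# Layout assumed: user:qualifier:res1:res2:key=value;key=value
user_override() {   # FILE USER
    awk -F: -v u="$2" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^lock_after_retries=/) { sub(/^[^=]*=/, "", kv[i]); print kv[i] }
    }' "$1"
}

# Print the effective policy for USER: a per-user override wins over policy.conf.
effective_lock() {   # USER LOGIN_FILE POLICY_FILE USER_ATTR_FILE
    lock=$(user_override "$4" "$1")
    [ -n "$lock" ] || lock=$(conf_value "$3" LOCK_AFTER_RETRIES)
    retries=$(conf_value "$2" RETRIES)
    case "$lock" in
        [Yy][Ee][Ss]) echo "locks after ${retries:-default} failed logins" ;;
        *)            echo "never locks (RETRIES only ends the login session)" ;;
    esac
}

# Constructed sample files (not taken from a real host).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'RETRIES=5\n' > "$d/login"
printf '#LOCK_AFTER_RETRIES=NO\n' > "$d/policy.default"   # setting left commented out
printf '#LOCK_AFTER_RETRIES=NO\nLOCK_AFTER_RETRIES=YES\n' > "$d/policy.locking"
printf 'root::::lock_after_retries=no\noper::::type=normal;lock_after_retries=yes\n' > "$d/user_attr"

for u in root oper jakal; do
    echo "$u, default policy: $(effective_lock "$u" "$d/login" "$d/policy.default" "$d/user_attr")"
    echo "$u, locking policy: $(effective_lock "$u" "$d/login" "$d/policy.locking" "$d/user_attr")"
done
```

In the sample, root carries a per-user override of no, so it stays usable for recovery even when the system-wide policy locks every other account.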