User lockout/disable after x retries
I'm hoping someone can help me with the following.
I've looked in a few places to find out where I can set a user account to be
disabled after x number of retries, but the only thing I've found concerning
this is the RETRIES entry in the /etc/default/login file, where you can set
the number of logins tried before it exits.
Whilst this is partway there, I would like the account disabled after x
number of retries. Is there a way of doing this?
Thanks in advance.
Posted by Zizz, 6/27/2003 1:58:19 PM

"Zizz" <someone@somewhere.blueyonder.co.uk> writes in comp.unix.solaris:
|Whilst this is partway there I would like the account disabled after x
|number of retries, is there a way of doing this?
Solaris doesn't currently provide this - you can install a custom PAM
module to do this if you don't mind the risk of denial of service ("I
don't like Bob, so I'll type his username and hit return 5 times and
he'll be locked out.").
--
________________________________________________________________________
Alan Coopersmith alanc@alum.calberkeley.org
http://www.CSUA.Berkeley.EDU/~alanc/ aka: Alan.Coopersmith@Sun.COM
Working for, but definitely not speaking for, Sun Microsystems, Inc.
Posted by Alan, 6/27/2003 2:49:28 PM

Alan Coopersmith wrote:
> "Zizz" <someone@somewhere.blueyonder.co.uk> writes in comp.unix.solaris:
> |Whilst this is partway there I would like the account disabled after x
> |number of retries, is there a way of doing this?
>
> Solaris doesn't currently provide this - you can install a custom PAM
> module to do this if you don't mind the risk of denial of service ("I
> don't like Bob, so I'll type his username and hit return 5 times and
> he'll be locked out.").
>
As discussed (in this group?) disabling user accounts after some
un/successful logins is always a bad idea, and there are good reasons not
to do it.
There may be some tools that implement this.
<badass>
Give me your ip and i render this machine useless for *all* users :)
</badass>
Martin
Posted by Martin, 6/27/2003 3:09:40 PM

On Fri, 27 Jun 2003 17:09:40 +0200, Martin Schoen wrote:
> Alan Coopersmith wrote:
>
>> "Zizz" <someone@somewhere.blueyonder.co.uk> writes in comp.unix.solaris:
>> |Whilst this is partway there I would like the account disabled after x
>> |number of retries, is there a way of doing this?
>>
>> Solaris doesn't currently provide this - you can install a custom PAM
>> module to do this if you don't mind the risk of denial of service ("I
>> don't like Bob, so I'll type his username and hit return 5 times and
>> he'll be locked out.").
>>
>
> As discussed (in this group?) disabling user accounts after some
> un/successful logins is always a bad idea, and there are good reasons not
> to do it.
It is NOT always a bad idea. You have to take into account all
the risks and trade-offs. For some people this is functionality
they want; if someone asks for it, at least give them the benefit
of the doubt that they actually needed it.
A properly designed lockout system will be able to mark certain
users as not participating - this ensures that critical admin
accounts will remain accessible. Other possible features are
an auto unlock after a certain time period.
As Alan has said, this functionality can be implemented via PAM
modules. SunPS has a set of modules available to implement
this for local files (does not support NIS, NIS+, LDAP [1]) if you
wish to have this functionality.
--
Darren J Moffat - Solaris Security
[1] Implementing a network wide lock counter is not easy.
Posted by Darren, 7/4/2003 5:04:55 PM

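The lockout design Darren sketches (a per-user failure counter, accounts marked as not participating so admin access survives, and an automatic unlock after a quiet period) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not the SunPS PAM modules, not Solaris code, and not tied to /etc/default/login. The threshold, the unlock window and the user names are constructed values, and the state lives in memory on one host, which is the "local files only" limitation Darren's footnote points at.

```python
"""Model of a failed-login lockout policy with an exemption list and auto-unlock.

Added example for this thread; not the SunPS modules or any Solaris code.
All thresholds, windows and account names below are constructed.
"""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Constructed threshold. Note this is a different knob from RETRIES in
    # /etc/default/login, which only ends the login session; this one locks the account.
    max_failures: int = 5
    # Seconds after the last failure at which the lock silently expires (constructed).
    unlock_after: float = 900.0
    # Accounts marked as "not participating": they can never be locked out,
    # which keeps an emergency admin account reachable.
    exempt: frozenset = frozenset()
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _last_failure: dict = field(default_factory=dict)  # user -> time of last failure

    def is_locked(self, user, now=None):
        """True if the account is currently locked. Expired locks are cleared here."""
        now = time.time() if now is None else now
        if user in self.exempt:
            return False
        if self._failures.get(user, 0) < self.max_failures:
            return False
        # Auto-unlock: the lock lapses unlock_after seconds after the last failure.
        if now - self._last_failure[user] >= self.unlock_after:
            self.reset(user)
            return False
        return True

    def record_failure(self, user, now=None):
        """Count one failed attempt; returns whether the account is locked afterwards."""
        now = time.time() if now is None else now
        if user in self.exempt:
            return False
        self.is_locked(user, now)  # clear a stale lock before counting anew
        self._failures[user] = self._failures.get(user, 0) + 1
        self._last_failure[user] = now
        return self.is_locked(user, now)

    def record_success(self, user):
        """A successful login resets the counter, as most lockout schemes do."""
        self.reset(user)

    def reset(self, user):
        self._failures.pop(user, None)
        self._last_failure.pop(user, None)

    def failures(self, user):
        return self._failures.get(user, 0)


def demo():
    """Walk through the trade-off discussed in the thread with constructed data."""
    policy = LockoutPolicy(max_failures=5, unlock_after=900.0, exempt=frozenset({"root"}))
    t0 = 1_000_000.0
    # Five failures against an ordinary account lock it. This is also the
    # denial-of-service Alan describes: the failures need not come from the owner.
    for i in range(5):
        policy.record_failure("bob", now=t0 + i)
    bob_locked = policy.is_locked("bob", now=t0 + 10)
    # The exempt admin account absorbs any number of failures without locking.
    for i in range(50):
        policy.record_failure("root", now=t0 + i)
    root_locked = policy.is_locked("root", now=t0 + 60)
    # After the unlock window bob's lock lapses on its own.
    bob_after_window = policy.is_locked("bob", now=t0 + 4 + 900)
    return bob_locked, root_locked, bob_after_window


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The two features together are what make the scheme tolerable rather than a self-inflicted outage: the exemption list bounds the damage of the username-typing denial of service to non-critical accounts, and the timed unlock turns a permanent lock into a delay. A real PAM module would keep the counters in a file or database rather than in process memory, and, as Darren's footnote notes, sharing that counter across a NIS, NIS+ or LDAP domain is where the difficulty starts.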
Darren J Moffat <Darren.Moffat@sun_microsystems.inc> wrote:
> Martin Schoen wrote:
> > Alan Coopersmith wrote:
> >> "Zizz" <someone@somewhere.blueyonder.co.uk> writes in comp.unix.solaris:
> >> |Whilst this is partway there I would like the account disabled after x
> >> |number of retries, is there a way of doing this?
> >>
> >> Solaris doesn't currently provide this - you can install a custom PAM
> >> module to do this if you don't mind the risk of denial of service ("I
> >> don't like Bob, so I'll type his username and hit return 5 times and
> >> he'll be locked out.").
> >
> > As discussed (in this group?) disabling user accounts after some
> > un/successful logins is always a bad idea, and there are good reasons not
> > to do it.
>
> It is NOT always a bad idea. You have to take into account all
> the risks and trade-offs. For some people this is functionality
> they want; if someone asks for it, at least give them the benefit
> of the doubt that they actually needed it.
>
> A properly designed lockout system will be able to mark certain
> users as not participating - this ensures that critical admin
> accounts will remain accessible.
In other words, it's a bad idea.
Posted by Cypherpunk, 7/6/2003 3:14:10 PM