Security on Sol 2.6 - account lockout and Password aging !!


Post by Jay » Sun, 23 Jan 2000 04:00:00



Hi

Is there any way you can set the number of times a user tries to log in and fails,
and then the account is locked out?

Also, when trying to use password aging on a 2.6 server, even if I try to
create a new user and then add password aging, I keep getting 'Password
aging is disabled'.
I cannot find out how to enable it!

Help Please !!!

Thanks

Jason

 
 
 


Post by Andrew J. Caine » Mon, 24 Jan 2000 04:00:00




> Is there any way you can set the number of times a user tries to log in and fails,
> and then the account is locked out?

As far as I am aware, there is no built-in mechanism for this. The
creation of /var/adm/loginlog will cause login to log all instances of
five or more login failures. One could use this as a basis for an automated
lockout.

Having said that, locking accounts because of some number of login
failures is inventing a DoS condition. A more sophisticated approach would
be better, like having an increasing delay between allowed login attempts.

I don't know if Solaris 7 or 8 have improved this area.

It can be amusing to see entries appear in loginlog and call the user, offering
to help with their login problem.

> Also, when trying to use password aging on a 2.6 server, even if I try to
> create a new user and then add password aging, I keep getting 'Password
> aging is disabled'.

How are you trying to enable aging?

Take a look at passwd(1). There are three switches for setting the aging
parameters. This is also more flexible than putting the *WEEKS lines in
/etc/default/passwd, since you have a resolution of days rather than
weeks.

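Added example, not part of the post above and not a Sun tool: a sketch of the loginlog review that post describes, run on constructed records. It assumes each loginlog record has the form login_name:tty:time; the users, ttys and temporary file name are made up.

```shell
#!/bin/sh
# Added example: summarise the failed logins recorded in loginlog.
# Assumption: one record per failed attempt, formatted login_name:tty:time.
# One-time setup on the Solaris host, as root (kept as comments on purpose):
#   touch /var/adm/loginlog
#   chown root:sys /var/adm/loginlog
#   chmod 600 /var/adm/loginlog

# report_failures FILE THRESHOLD
# Prints "count user distinct_ttys" for each account with at least THRESHOLD
# records, highest count first. The time field contains colons too, so only
# the first two fields are read.
report_failures() {
    awk -F: -v min="$2" '
        NF >= 3 && $1 != "" {
            count[$1]++
            if (!(($1, $2) in seen)) { seen[$1, $2] = 1; ttys[$1]++ }
        }
        END {
            for (u in count)
                if (count[u] >= min) print count[u], u, ttys[u]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample records (hypothetical users and ttys).
make_sample() {
    cat > "$1" <<'EOF'
alice:/dev/pts/3:Sun Jan 23 10:15:02 2000
alice:/dev/pts/3:Sun Jan 23 10:15:09 2000
alice:/dev/pts/3:Sun Jan 23 10:15:17 2000
alice:/dev/pts/3:Sun Jan 23 10:15:25 2000
alice:/dev/pts/3:Sun Jan 23 10:15:31 2000
root:/dev/pts/5:Sun Jan 23 11:02:40 2000
root:/dev/pts/5:Sun Jan 23 11:02:46 2000
root:/dev/pts/5:Sun Jan 23 11:02:53 2000
root:/dev/pts/5:Sun Jan 23 11:02:59 2000
root:/dev/console:Sun Jan 23 11:20:11 2000
root:/dev/console:Sun Jan 23 11:20:18 2000
bob:/dev/pts/7:Sun Jan 23 12:00:00 2000
EOF
}

sample=${TMPDIR:-/tmp}/loginlog.sample.$$
make_sample "$sample"
# Review the output by hand before locking an account: automatic lockout is
# the DoS condition the post warns about.
report_failures "$sample" 5
rm -f "$sample"
```

On Solaris itself, use nawk or /usr/xpg4/bin/awk in place of awk, since the old /usr/bin/awk does not accept -v.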


 
 
 


Post by Andy Gabo » Tue, 25 Jan 2000 04:00:00


From login(1):

See file /etc/default/login

               RETRIES   Sets the number of retries  for  logging
                         in (see pam(3)). The default is 5.

... and other stuff.

Cheers,

Andy

J>Hi

J>Is there any way you can set the number of times a user tries to log in and fails,
J>and then the account is locked out?

J>Also, when trying to use password aging on a 2.6 server, even if I try to
J>create a new user and then add password aging, I keep getting 'Password
J>aging is disabled'.
J>I cannot find out how to enable it!

J>Help Please !!!

J>Thanks

J>Jason

--
   +---------------------------------+--------------------------------+

   | Department of Neurology         | FAX   - (530)754-5036          |
   | University of California, Davis |                                |
   +---------------------------------+--------------------------------+

 
 
 

1. Implementing account lockout on Solaris 2.6

 After looking through the Solaris Security and other FAQs, the ASET and
BSM documentation, and general web searches, I have still not found a
'stock' method (read: supported by Sun) to implement automatic account
lockout on Solaris 2.6. I wish to prevent a user from logging in if they
have had a preset number of failed logins within a given timespan, much
like Windows NT does.

 I know that I can go the PAM route and write an authentication handler
to do this for me, but my employer for whatever reason does not wish to
use in-house software for this purpose if we can avoid it (I know, I
know.) Has anyone met with success in implementing account lockouts on
Solaris 2.5 - 2.7? Is there an add-on package we have to purchase from
Sun to get that functionality?

Thanks.
--
Jeffrey A. Duffy
Principal Engineer
ACS Services Havelock, NC
