https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196116#M165722 The only way is trusted. I wasn't around with the dinosaurs, but I do remember reading about these custom logins. <BR /><BR />signed T-Rex Wed, 18 Feb 2004 18:02:15 GMT Michael Tully 2004-02-18T18:02:15Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196113#M165719 Is there a way to limit the number of times a password can fail before the account is automatically locked? I see /etc/default/security, but no way to handle that particular parameter.<BR /><BR />Perhaps a trusted system is the only way? Wed, 18 Feb 2004 17:45:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196113#M165719 jmb 2004-02-18T17:45:39Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196114#M165720 Unless you feel up to writing your own custom login program and a database to keep up with login attempts then Trusted is your only option. In the Old Days of UNIX, when dinosaurs roamed the Earth, it was quite common to do your own login.<BR /> Wed, 18 Feb 2004 17:57:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196114#M165720 A. Clay Stephenson 2004-02-18T17:57:55Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196115#M165721 Hi,<BR /><BR />I believe you cannot enforce the account lockout on bad login attempts without converting the system to trusted. You can apply quite a few restrictions with /etc/default/security (man security for more information). But this feature is available with trusted systems.<BR /><BR />-Sri Wed, 18 Feb 2004 18:01:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196115#M165721 Sridhar Bhaskarla 2004-02-18T18:01:03Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196116#M165722 The only way is trusted. I wasn't around with the dinosaurs, but I do remember reading about these custom logins. <BR /><BR />signed T-Rex Wed, 18 Feb 2004 18:02:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196116#M165722 Michael Tully 2004-02-18T18:02:15Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196117#M165723 OK, that's what I thought..<BR /><BR />And on a related issue, are there any "gotchas" with converting to trusted? I've read previous threads about losing current passwords, and also keeping a couple of root sessions going until after the conversion.<BR /><BR />Can this be convert be done on larger, older (11.0, 11i)) systems with relative ease? Any reasons to NOT do it? Wed, 18 Feb 2004 18:08:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196117#M165723 jmb 2004-02-18T18:08:10Z https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196118#M165724 Hi,<BR /><BR />This can be done relatively easy. Make sure the following<BR /><BR />1. encrypted password entries from /etc/passwd are not being used by anything on the system.<BR />2. User accounts will be immediately expired. After converting the system to trusted, immediately un-expire the passwords. You can do it through either by SAM or with the command '/usr/lbin/modprdef -m exptm=0"<BR /><BR />You may face issues with the users that have the passwords longer than 8 chars before. Ask them use only the first 8 chars until they change their passwords.<BR /><BR />You can use the command 'tsconvert' to convert and 'tsconvert -r' to unconvert.<BR /><BR />-Sri Wed, 18 Feb 2004 18:17:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/limit-login-attempts-without-trusted-system/m-p/3196118#M165724 Sridhar Bhaskarla 2004-02-18T18:17:50Z