topic Re: Locking user accounts in Operating System - HP-UX

Locking user accounts

Lynda Badger — Fri, 21 May 2004 10:52:03 GMT

Can you lock account after 3 attempts on an untrusted system. If so does someone have an example script.

thanks in advance,
Lynda

Re: Locking user accounts

curt larson_1 — Fri, 21 May 2004 11:18:56 GMT

don't have a script handy, but can give some direction:

in /etc/profile or elsewhere for csh and cde.

set traps so users cant escape to the shell before doing this

use lastb to get the last bad logins
/usr/bin/lastb -3 ${LOGNAME}

use Mr. Stephenson's calendar script to find the time between now and when the last logins occured

http://www.hpux.ws/merijn/caljd.sh
http://www.hpux.ws/merijn/caljd.pl

if the the bad attemps have happened in a certain amount of time, exit.

They won't be able to login again until a certain amount of time has passed.

to really lock them out (ftp and other things that might use the passwd file) you'll have to do something that will modify the users entry in the password file, maybe a script run by sudo.

Re: Locking user accounts

Steven E. Protter — Fri, 21 May 2004 11:25:08 GMT

This script will do it for any user.

see attachement.

Is called check_rootlogin but can easily be tweaked to work with any user.

SEP

Re: Locking user accounts

Lynda Badger — Fri, 21 May 2004 11:29:52 GMT

Thanks Curt and Steven for your help.

Re: Locking user accounts

WSS — Mon, 07 Aug 2006 06:23:46 GMT

Can someone please tell me where they are putting this script and the syntax for the execution?

Would like to implement this script, so would like to know where it needs to be called from.

Regards,
Trev

Re: Locking user accounts

Anand Sreenivasan — Mon, 07 Aug 2006 14:35:13 GMT

These scripts can be set in a common path which in my servers are /usr/local/bin and with the permission of 755 owned by root. This way, only root can edit but anyone can execute it. Hope this helped..

Re: Locking user accounts

TwoProc — Mon, 07 Aug 2006 14:52:52 GMT

Lynda, sorry to add to your thread,but:

SEP, are running that script with Cron? How often? what command did you use to disable the account? I'd like it disabled (for root), but not for the console. I've got some ideas on how to do this, I was interested to hear how you would do it (b/c of your cool headwear).

Thanks,

John

Re: Locking user accounts

WSS — Tue, 08 Aug 2006 06:41:36 GMT

Anand, Yes of course it needs to reside somewhere on the server, and /usr/local/bin is as good as any ... But it just sits there doing nothing unless something calls it.

Where would this happen? For instance would you put it in each users .profile? I don't think so as this is not read until a successful login. So what do you need to do to have this script working for each user? Where do you execute it from?

Anyone?

Thanks in advance....
Trev