topic Re: AUTH_MAXTRIES question in Operating System - HP-UX

AUTH_MAXTRIES question

Main Group — Thu, 09 Sep 2010 20:57:38 GMT

I have a concern that setting AUTH_MAXTRIES to a non-zero value will result in an escalation of user calls due to locked account. (There's also a worry that implementing this could allow a type of denial of service attack.)

What I would like to do is satisfy the spirit of the configuration setting, while not requiring SysAdmin intervention. To do that, I'd like for locked accounts to be automatically released after a relatively brief period of time (enough to deter an attacker, but not enough to bring work to a halt). However, it doesn't appear that the userdbget command provides the type of information I'd need to implement a cron job to unlock lockouts.

Has anybody scripted a method for implementing this? Do I need to delve into the /var/adm/userdb entries? Thank you.

Re: AUTH_MAXTRIES question

Main Group — Mon, 13 Sep 2010 16:10:53 GMT

On a related note, HP was kind enough to show me how to get AUTH_MAXTRIES to work for secure shell (ssh) without removing "UsePAM yes" from the sshd_config file. You need to add "ignore_unknown" to the "sshd auth required" entry for libpam_ldap.so.1 entry in /etc/pam.conf. This is documented in pam_ldap(5).

Re: AUTH_MAXTRIES question

Main Group — Mon, 13 Sep 2010 17:31:54 GMT

Never mind, I figured it out. Run:

/usr/sbin/userdbget -i -a auth_failures

then look for accounts where the value returned in "auth_failures=value" exceed the AUTH_MAXTRIES value. Unlock an account with:

/usr/sbin/userdbset -d -u account