topic Re: Locking Out Users After Failed Logins--Not A Trusted System in Operating System - HP-UX

Locking Out Users After Failed Logins--Not A Trusted System

Dave Thompson_7 — Wed, 18 Apr 2007 12:58:52 GMT

Is there a way to lock out users after x number of failed login attempts? We do not have a trusted system and don't want to convert because of some potential application problems. I've looked through threads and responses, but can't find the answer I really need (for the *@#$%! auditor).

Re: Locking Out Users After Failed Logins--Not A Trusted System

Patrick Wallek — Wed, 18 Apr 2007 13:07:58 GMT

Not possible without converting to a trusted system, as far as I know.

Re: Locking Out Users After Failed Logins--Not A Trusted System

A. Clay Stephenson — Wed, 18 Apr 2007 13:25:12 GMT

In order to do this you would have to write custom login programs. That is the way it was done before the days of shadowsed passwd and/or trusted systems.

Re: Locking Out Users After Failed Logins--Not A Trusted System

Marco A. — Wed, 18 Apr 2007 13:28:25 GMT

Actually the only way to achieve that is by using the command "tsconvert" and convert your system in "trusted" , the normal env, using the /etc/passwd, or using shadow passwords (/etc/shadow) has not way to control that kind of things, with Trusted system you can control all those things.

Admin guide at. :
http://docs.hp.com/en/B2355-90121/B2355-90121.pdf

Regards

Re: Locking Out Users After Failed Logins--Not A Trusted System

Patrick Wallek — Wed, 18 Apr 2007 13:29:34 GMT

You mean you can't find the answer you really want.

If you are on HP-UX 11.11 you could take a look at Shadow passwords:
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

But if your app won't support trusted, then the chances are probably slim that it will support shadow.

You must face the fact that the base authentication does not support locking out users after X invalid logins.

Re: Locking Out Users After Failed Logins--Not A Trusted System

A. Clay Stephenson — Wed, 18 Apr 2007 13:35:35 GMT

Have you actually tried a trusted system? The trusted mechhanism has been around so long on HP-UX that it is a very rare application that has problems. The login/user/group functions that any application should be using make this invisible to the application itself.

Even if you do create custom login programs which can lockout an account, you still have an almost unsurmountable obstacle to overcome in that the password hashes are visible and thus vulnerable to a guessing attack.

Re: Locking Out Users After Failed Logins--Not A Trusted System

Dave Thompson_7 — Wed, 18 Apr 2007 13:41:04 GMT

Thanks for all the infomation.

Just so you'll know, our application software has been ported from TI-990, TI-1500, & HP-9000 to the Itanium. I don't know what problems may be encountered with some of our ftp scripts and file permissions. And, yes, the shadow password file has been implemented with no problems (so far).

I have contacted our software vendor to see if there are any hidden problems that I haven't thought of (or imagined).

Thanks again.

Re: Locking Out Users After Failed Logins--Not A Trusted System

A. Clay Stephenson — Wed, 18 Apr 2007 13:50:45 GMT

Any ftp client software should be complete insulated from the underlying user verification functions -- so those should not be a cause for concern. The same holds true for file permissions.

Re: Locking Out Users After Failed Logins--Not A Trusted System

Dave Thompson_7 — Thu, 19 Apr 2007 07:16:12 GMT

Thanks for all the good info. After consulting with our software vendor, it looks like we should be able to go to a trusted system.

But, after some more research, it seems like we could use SMSE to do this. I know it's a stupid question, but can we really use SMSE running B.11.23 & is there a down side?

Thanks.

Re: Locking Out Users After Failed Logins--Not A Trusted System

Bill Hassell — Tue, 24 Apr 2007 08:30:12 GMT

> But, after some more research, it seems like we could use SMSE to do this. I know it's a stupid question, but can we really use SMSE running B.11.23 & is there a down side?

Not a stupid question at all. Standard Mode Security Extensions (SMSE) is brand new with 11.23:

docs.hp.com/en/5991-8678/ch06s01.html

And you'll want to look at this:

docs.hp.com/en/5991-1125/ch01s03.html

Since SMSE is relatively new (and many poorly written programs still can't handle a Trusted system even after 10 years...), the only way to know about problems is to try it -- and at the same time, ask the vendor. If the vendor never heard about SMSE, I would be suspicious about success.

SMSE was created to bridge the gap between barebones unTrusted systems and a full TCB (Trusted Computing Base) by providing the elements of a Shadow Password system, yet (by using PAM and a more compatible security database) providing a much more secure environment.

Re: Locking Out Users After Failed Logins--Not A Trusted System

Dave Thompson_7 — Tue, 24 Apr 2007 12:32:50 GMT

Looks like SMSE will do exactly what I need to have done. Thanks to everyone.