topic Re: Restricting Wrong password retry attempts in Operating System - HP-UX

Restricting Wrong password retry attempts

Abdul Salam H S_1 — Sun, 21 Apr 2002 04:16:48 GMT

Hi,

I have an HP9000 Server.I need to implement password security policy in such a way that, if a user enters his password wrongly, say 3 times, the account should get locked, which only the root user should be able to unlock.
Is it possible by converting my system to Trusted system? Is this option coming by default once you convert to Trusted system?

Thanks in Adv

Abdul Salam

Re: Restricting Wrong password retry attempts

S.K. Chan — Sun, 21 Apr 2002 09:56:47 GMT

Yes, you're able to do this in a trusted system.You just need to modify the policy of that user account. Using SAM is the easiest way.

a)In SAM go to "Accounts for Users & Groups"
b)Choose "Users" and select the user account from the list.
c)Goto to the "Action" menu and select "Modify Security Policies".
d)Select "General User Account Policies"
e)Change to the number of login attempts allowed from "Unsuccessful Login Tries Allowed".You have to choose "Custom" and then specify the number of attempts that you want to assign to that account (in your case it would be 3).

Re: Restricting Wrong password retry attempts

Amruth — Sun, 21 Apr 2002 10:57:54 GMT

Hi,

You can enable these options by changing the system to a Trusted system.

AR

Re: Restricting Wrong password retry attempts

T. M. Louah — Sun, 21 Apr 2002 12:15:26 GMT

HOW TO CHECK IF SYSTEM TRUSTED :
root:> /usr/lbin/getprpw root
System is not trusted.
The above shown when system is not! a different display shown if system has been Trusted.
The system is not trusted by default, here how to do it from command line:
# /usr/lbin/tsconvert ???c to convert trust system from command line

# /usr/lbin/tsconvert ???r to unconvert untrust system from command line

.: each user get file created under --> # ll /tcb/files/auth
......
drwxrwx--- 2 root sys 96 Apr 19 17:44 A
drwxrwx--- 2 root sys 96 Apr 19 17:44 B
drwxrwx--- 2 root sys 96 Apr 19 17:44 C
drwxrwx--- 2 root sys 96 Apr 19 17:44 D
drwxrwx--- 2 root sys 96 Apr 19 17:44 E
........
for a user called jojo it is under
drwxrwx--- 2 root sys 96 Apr 19 17:44 j
-rw-rw-r-- 1 root root 113 Apr 19 17:44 /tcb/files/auth/j/jojo

Remember PAP (a.k.a Pliz assign Points!)

Re: Restricting Wrong password retry attempts

Niraj Kumar Verma — Mon, 22 Apr 2002 02:57:47 GMT

Here is some tips to make the
system security a bit better.even theo your system is not a trusted system.

1. Password
==============================

Put hese entries to /etc/default/login
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=6
NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=1

2.Tighten global privileges
============================

By default the CHOWN privilege is a global privilege and applies to all groups: 
$ getprivgrp
global privileges: CHOWN
Non-privileged users really don't need to be able to chown files to other users; in Linux for example, only the super-user may change the owner of a file. /sbin/init.d/set_prvgrp is executed by default at system startup and executes the command /usr/sbin/setprivgrp -f /etc/privgroup if /etc/privgroup exists. We can create a configuration file that will delete all privileges for all groups (see setprivgrp(1m)): 
# getprivgrp
global privileges: CHOWN
# echo -n >/etc/privgroup
# chmod 400 /etc/privgroup
# /sbin/init.d/set_prvgrp start
# getprivgrp
global privileges:

Re: Restricting Wrong password retry attempts

Varghese Mathew — Mon, 22 Apr 2002 04:42:02 GMT

Salam,

Please refer to the below mentioned link. Its very useful.

http://www.unixadm.net/howto/etc-security.html.

Cheers !!!,
Varghese Mathew