Operating System - OpenVMS

Can I specify some user whom never been disable by login fail?

 
nos.
Occasional Contributor

My system sets LGI_RETRY_LIM to 3. It means that any user on my system can try to log in no more than 3 times or the user will be disabled. Am I right?

Can I specify that some user can try any number of times and never be disabled by login failure?
Todd Maurer
Advisor

Re: Can I specify some user whom never been disable by login fail?

Sorry, but I'm not sure exactly what you are trying to do. I understand that your question is regarding OpenVMS' break-in evasion.

There are several SYSGEN parameters that control how break-in evasion works. They are:
LGI_BRK_TERM
LGI_BRK_DISUSER
LGI_BRK_LIM
LGI_BRK_TMO
LGI_HID_TIM

If you enter the command below at the SYSGEN> prompt, it will describe all of these.

SYSGEN> HELP SYS LGI

A USERNAME is only DISUSERed if LGI_BRK_DISUSER is set to 1 .AND. the USERNAME is entered when break-in evasion is in effect.

LGI_RETRY_LIM actually has nothing to do with break-in evasion and disusering. LGI_RETRY_LIM is the number of attempts of USERNAME/PASSWORD that can be made before carrier is lowered or a network link is broken. I think you may be confusing LGI_RETRY_LIM and LGI_BRK_LIM.

Todd
OpenVMS is here to stay
Richard W Hunt
Valued Contributor

Re: Can I specify some user whom never been disable by login fail?

If I understand your first question, the answer is NO. The SYSGEN parameter does not support an exclusion by username. All users are treated equally for this purpose. So you cannot say, "This user will never be disabled by repeated login failure."

The second question is also NO, though in this case it is a qualified NO. Another parameter called LGI_BRK_DISUSER separately determines whether the account is DISUSER'd after being declared as an intruder. So I guess the exact answer is "It depends." But if you had set LGI_BRK_DISUSER to 1, then the user would, indeed, be disabled. And the LGI_RETRY_LIM of 3 does mean that 3 failures can trigger the evasion. Of course, don't forget that there is also a timeout. It has to be LGI_RETRY_LIM failures in LGI_BRK_TMO seconds to enable the evasion mode.
Sr. Systems Janitor
Mike Naime
Honored Contributor

Re: Can I specify some user whom never been disable by login fail?


VMS tracks the source of the intrusion. So, if you have several fat-finger tries from the same IP address, all users from that source are locked out once the limit is reached.

In a networked environment where multiple users are coming from a NAT'ed address behind a firewall, from your system's standpoint, they all appear to be coming from the same IP address, but using different ports.

Example. Say your system is in St. Louis. You have offices on the east and west coast where users are trying to access your system. Once the intrusion record is set for that IP address, all new logon access from that IP/remote site is shut off until the intrusion is cleared, or times out.
VMS SAN mechanic
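
The behaviour described in the replies above, as an added example that is not part of the original thread and is a simplified model rather than OpenVMS's own algorithm: it shows how failures from one NAT'ed source lock out every user behind it, and how LGI_BRK_DISUSER = 1 disables a username entered during evasion even when the password is correct. It assumes intrusion tracking keyed on source address only and a simple sliding window; the parameter values, usernames and addresses are constructed.

```python
from collections import defaultdict, deque

# Parameter names are from the thread; the values are constructed for the demo.
LGI_BRK_LIM = 3       # failures from one source before evasion starts
LGI_BRK_TMO = 300     # seconds a failure keeps counting toward the limit
LGI_HID_TIM = 300     # seconds evasion stays in effect for the source
LGI_BRK_DISUSER = 1   # 1 = DISUSER usernames entered during evasion


class EvasionModel:
    """Simplified per-source model; not the actual OpenVMS algorithm."""

    def __init__(self):
        self.failures = defaultdict(deque)   # source -> failure timestamps
        self.evasion_until = {}              # source -> evasion expiry time
        self.disusered = set()

    def login(self, now, source, username, password_ok):
        if username in self.disusered:
            return "REJECTED_DISUSER"
        if self.evasion_until.get(source, 0) > now:
            # Evasion in effect: every login from this source is refused,
            # even one with the right password.
            if LGI_BRK_DISUSER:
                self.disusered.add(username)
            return "REJECTED_EVASION"
        if password_ok:
            return "OK"
        window = self.failures[source]
        window.append(now)
        while window and now - window[0] > LGI_BRK_TMO:
            window.popleft()                 # drop failures that timed out
        if len(window) >= LGI_BRK_LIM:
            self.evasion_until[source] = now + LGI_HID_TIM
            window.clear()
        return "FAILED"


def nat_scenario():
    """Users at one remote office behind a single NAT address (constructed)."""
    m = EvasionModel()
    nat = "203.0.113.10"                     # documentation-range address
    events = [(0, nat, "ALICE", False), (20, nat, "ALICE", False),
              (40, nat, "BOB", False),       # third failure: evasion starts
              (60, nat, "CAROL", True),      # correct password, still refused
              (70, "198.51.100.7", "DAVE", True),   # other source unaffected
              (400, nat, "ALICE", True)]     # after evasion has expired
    return [m.login(*e) for e in events], m.disusered
```

In this model CAROL ends up DISUSERed without ever mistyping a password, which is the operational cost of LGI_BRK_DISUSER = 1 when many users share one source address.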