Locking out user accounts

SOLVED
Sammie K
Occasional Visitor

This has probably been posted somewhere, but I haven't been able to find the answer and I'm running out of time. I inherited a Tru64 system and I am not very familiar with the OS. I have an audit coming up and I need to be able to lock accounts after 5 tries or explain to the auditors why I can't. I am running 5.1B in enhanced mode.

My system sits in a computer lab and my one and only user accesses the system either through eXceed, telnet or ftp. I have set up a test account for myself and set u_maxtries#4 and tried logging in at the console. Regardless of how many bad passwords I enter, I cannot lock the account out, and when I do log in, it shows my last unsuccessful login as Never. Do I have something else set that is overriding the u_maxtries? Also, how does it actually work? I mean, does it just work at the console? What about telnet, rlogin, etc.?

On another note, my /etc/auth/system/default has d_skip_fail_login_log and d_skip_success_login_log, should I change this to get better logging?

I appreciate any help I can get. This is all very new to me and I'm having trouble wrapping my brain around it.
2 REPLIES
Ivan Ferreira
Honored Contributor

Re: Locking out user accounts

Configure the u_maxtries in /etc/auth/system/default, and check with edauth -g if the user account overrides this value.

Use the attached userinfo.pl perl script to get user information, you must "localize" the script.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor
Solution

Re: Locking out user accounts

The best places to look for information on this are the Security manual and the man pages for prpasswd, default, edauth, and authcap.

With d_skip_fail_login_log set, the failed logins aren't counted in u_numunsuclog, so the lockout due to hitting u_maxtries won't happen. You can change d_skip_fail_login_log using the dxaccounts GUI or with the edauth tool. If you're changing it with the edauth tool, change it to d_skip_fail_login_log@; this disables the boolean field.

Here's the description of the fields from the prpasswd man page and the Security Administration guide:

u_numunsuclog
This field contains a number indicating the number of unsuccessful login attempts to the account and is reset when a successful login to the account occurs. If a login is attempted during the time period from u_unsuclog to u_unsuclog plus u_unlock, and u_numunsuclog is not less than u_maxtries, the login is refused. (This check is suppressed if the u_maxtries field is set to zero.) The system-wide default d_skip_fail_login_log controls whether or not this field is updated at each login failure. This field is ignored if it is set in a template or in the default database.

u_maxtries
The number in this field specifies the maximum number of consecutive unsuccessful login attempts to the account that are permitted until the account is disabled. Setting this field to 0 prevents the account from being disabled because of retry failures. In this case, u_numunsuclog is incremented, but not checked.

u_flogins
This field is the displayable count of the number of unsuccessful login attempts. The system-wide default d_skip_fail_login_log controls whether or not this field is updated at each login failure. This field is ignored if it is set in a template or in the default database.

Failed login attempts to user accounts are normally recorded. To disable this logging, which also disables breakin detection and evasion system wide, set the d_skip_fail_login_log Boolean field as follows:

:d_skip_fail_login_log:\
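The two checks the replies describe (is d_skip_fail_login_log still set in the default database, and does the account override u_maxtries) can be scripted against the authcap-style entries that `edauth -g` prints. The POSIX shell below is an added example, not code from this thread or a Tru64 tool. It assumes the field syntax shown above (`name#N` numeric, `name` boolean set, `name@` boolean disabled, backslash-continued lines ending in `:chkent:`); the sample entries are constructed, and the field names are the ones discussed in the thread. It reports why a lockout would not trigger, resolving the effective u_maxtries from the user entry first and the default second, which goes one step beyond the thread's single-account case.

```shell
#!/bin/sh
# Added example: decide whether u_maxtries lockout can take effect from
# authcap-style entries (as printed by `edauth -g <user>` and found in
# /etc/auth/system/default). Entry syntax is assumed from the thread:
# name#N numeric field, name boolean set, name@ boolean disabled.

# Constructed default entry reproducing the questioner's state:
# failures are not logged and no system-wide u_maxtries is in force.
SAMPLE_DEFAULT='default:\
	:d_skip_fail_login_log:\
	:d_skip_success_login_log:\
	:u_maxtries#0:\
	:chkent:'

# Constructed default entry after the fix described in the answer
# (d_skip_fail_login_log@ disables the boolean).
SAMPLE_DEFAULT_FIXED='default:\
	:d_skip_fail_login_log@:\
	:u_maxtries#3:\
	:chkent:'

# Constructed test-account entry that overrides u_maxtries.
SAMPLE_USER='testuser:u_name=testuser:u_id#1001:\
	:u_maxtries#4:\
	:u_numunsuclog#0:\
	:chkent:'

# Join backslash-continued lines into one colon-separated record.
flatten() {
    printf '%s' "$1" | tr -d '\\\n\t '
}

# Print the value of numeric field NAME (name#N) in ENTRY, or nothing.
field_num() {
    flatten "$1" | sed -n "s/.*:$2#\([0-9][0-9]*\):.*/\1/p"
}

# Print set / disabled / absent for boolean field NAME in ENTRY.
bool_state() {
    case "$(flatten "$1")" in
        *":$2@:"*) echo disabled ;;
        *":$2:"*)  echo set ;;
        *)         echo absent ;;
    esac
}

# Report the effective lockout behaviour of USER_ENTRY under DEFAULT_ENTRY.
lockout_status() {
    user="$1"; deflt="$2"
    # Per-user u_maxtries overrides the default database value.
    maxtries=$(field_num "$user" u_maxtries)
    [ -n "$maxtries" ] || maxtries=$(field_num "$deflt" u_maxtries)
    [ -n "$maxtries" ] || maxtries=0
    failures=$(field_num "$user" u_numunsuclog)
    [ -n "$failures" ] || failures=0

    if [ "$(bool_state "$deflt" d_skip_fail_login_log)" = set ]; then
        # u_numunsuclog never increments, so u_maxtries is never reached:
        # the symptom in the original question.
        echo "failures-not-counted"
    elif [ "$maxtries" -eq 0 ]; then
        echo "lockout-disabled"
    elif [ "$failures" -ge "$maxtries" ]; then
        # Refusal also depends on the u_unsuclog + u_unlock window,
        # which is not modelled here.
        echo "locked:$failures/$maxtries"
    else
        echo "lockout-active:$maxtries"
    fi
}

lockout_status "$SAMPLE_USER" "$SAMPLE_DEFAULT"
lockout_status "$SAMPLE_USER" "$SAMPLE_DEFAULT_FIXED"
```

Run against a real system by substituting the output of `edauth -g <user>` and the `default` entry for the constructed samples; the first sample reports `failures-not-counted`, the second `lockout-active:4`.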