
Re: disable lockout of root

Tim Yeung_1
Frequent Advisor

disable lockout of root

I enabled trusted HPUX 11.31 by entering tsconvert. Users, including root, are now locked out after 3 login failures. To unlock a user, I have to use modprpw -k.

I would like to lock out user accounts for only 15 minutes. After 15 minutes, the user can log in again. How can this be done?

Thanks

Tim
Patrick Wallek
Honored Contributor
Solution

Re: disable lockout of root

It can't. This feature is not available.
Walt Watson
Advisor

Re: disable lockout of root

You don't really want to do this. It would mean that you'd allow 4 crack tries per hour.
Tim Yeung_1
Frequent Advisor

Re: disable lockout of root

In trusted mode, if root is locked out, and I boot to single user mode, will I be able to log in as root?

The d_boot_authenticate option is enabled; that's why the root password is required even in single user mode.

Bill Hassell
Honored Contributor

Re: disable lockout of root

It sounds like too many users are attempting to log in as root, or worse, a hacker is trying to break in. A root login should be used very, very seldom. You can eliminate the root lockouts by preventing any logins by root except for the console. Just type this command (as root):

echo console > /etc/securetty

Now only the console will allow a direct root login. You can always use su - to run the occasional superuser command.

You can change the retry count from the default 3 to something that matches your environment, perhaps 5 or 6 retries. Use SAM to set the global security policies.


Bill Hassell, sysadmin
Tom Henning
Trusted Contributor

Re: disable lockout of root

If the root user is locked out, console login is always allowed. You can *always* use the console to log in as root, even when the root account has been locked out due to too many bad login attempts.
What is it that possesses otherwise sane individuals to change something just because it has not been changed in a while?
rariasn
Honored Contributor

Re: disable lockout of root

Hi,

set -u
PATH=/usr/bin:/usr/sbin:/usr/lbin
NOTTRUSTED=/sbin/true
LISTA_CORREO="root"
HOST=$(uname -n)

# modprpw exits with status 2 only on a Trusted System
if [ -x /usr/lbin/modprpw ]
then
    modprpw 1> /dev/null 2>&1
    if [ $? -eq 2 ]
    then
        NOTTRUSTED=/sbin/false
    fi
fi

if $NOTTRUSTED
then
    print "\n This system is not a Trusted System"
    exit 1
fi

# Meaning of each position (left to right) in the lockout string
REASON[1]="past password lifetime"
REASON[2]="past last login time"
REASON[3]="past absolute account lifetime"
REASON[4]="exceeding unsuccessful login attempts"
REASON[5]="password required and a null password"
REASON[6]="admin lock"
REASON[7]="password is a *"

FECHA=`date '+%d/%m/%Y %HH:%MM'`

for USER in $(listusers | awk '{print $1}')
do
    LOCKOUT=$(getprpw -r -m lockout "$USER")
    ERR=$?
    if [ $ERR != 0 ]
    then
        print "getprpw failed, error = $ERR"
        exit $ERR
    fi
    # Multiple reasons may be set in LOCKOUT; unlock only when
    # position 4 (unsuccessful login attempts) is the sole reason

    if [ "$LOCKOUT" = "0001000" ]
    then
        # Raise an OpC message, mail the admins, unlock, and log the action
        /opt/OV/bin/OpC/opcmsg a=Sistemas o=unlock s=major msg_g=Security msg_t="Desbloqueando usuario: $USER"
        echo "" | mailx -m -s "Desbloqueando usuario: $USER - en: $HOST" $LISTA_CORREO
        /usr/lbin/modprpw -l -k "$USER"
        echo "$FECHA -- $USER" >> /var/adm/syslog/unlock_user
    fi
done


Use cron to submit.

rgs,
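
Added example, not part of rariasn's post: the script above defines the REASON[] table but only compares the lockout string against "0001000". The functions below decode every position and show why an exact match, rather than a test of position 4 alone, keeps an unattended job from touching accounts that carry a second lockout reason. The function names and the sample users are hypothetical, and the sample strings are constructed rather than real getprpw output.

```shell
# Decode the 7-character lockout string from `getprpw -r -m lockout USER`.
# Positions 1-7 (left to right) follow the REASON[] table in the script above.
lockout_reasons() {
    case $1 in
        [01][01][01][01][01][01][01]) ;;
        *) echo "invalid lockout string: $1" >&2; return 2 ;;
    esac
    pos=1 out=""
    while [ "$pos" -le 7 ]; do
        if [ "$(printf '%s' "$1" | cut -c "$pos")" = 1 ]; then
            case $pos in
                1) r="past password lifetime" ;;
                2) r="past last login time" ;;
                3) r="past absolute account lifetime" ;;
                4) r="exceeding unsuccessful login attempts" ;;
                5) r="password required and a null password" ;;
                6) r="admin lock" ;;
                7) r="password is a *" ;;
            esac
            out="${out:+$out; }$r"
        fi
        pos=$((pos + 1))
    done
    printf '%s\n' "${out:-not locked}"
}

# Decision for an unattended job: "unlock" only when failed logins are the
# sole reason; any other set bit means a person should review the account.
unlock_decision() {
    case $1 in
        0000000) echo none ;;
        0001000) echo unlock ;;
        [01][01][01][01][01][01][01]) echo manual ;;
        *) echo invalid; return 2 ;;
    esac
}

# Constructed sample data (user name and lockout string).
triage_sample() {
    printf '%s\n' "alice 0000000" "bob 0001000" "carol 0001010" |
    while read -r user bits; do
        echo "$user: $(unlock_decision "$bits") ($(lockout_reasons "$bits"))"
    done
}

triage_sample
```
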