Re: AUTH_MAXTRIES question

Main Group · ‎09-09-2010

I have a concern that setting AUTH_MAXTRIES to a non-zero value will result in an escalation of user calls due to locked account. (There's also a worry that implementing this could allow a type of denial of service attack.)

What I would like to do is satisfy the spirit of the configuration setting, while not requiring SysAdmin intervention. To do that, I'd like for locked accounts to be automatically released after a relatively brief period of time (enough to deter an attacker, but not enough to bring work to a halt). However, it doesn't appear that the userdbget command provides the type of information I'd need to implement a cron job to unlock lockouts.

Has anybody scripted a method for implementing this? Do I need to delve into the /var/adm/userdb entries? Thank you.

Main Group · ‎09-13-2010

On a related note, HP was kind enough to show me how to get AUTH_MAXTRIES to work for secure shell (ssh) without removing "UsePAM yes" from the sshd_config file. You need to add "ignore_unknown" to the "sshd auth required" entry for libpam_ldap.so.1 entry in /etc/pam.conf. This is documented in pam_ldap(5).

Main Group · ‎09-13-2010

Never mind, I figured it out. Run:

/usr/sbin/userdbget -i -a auth_failures

then look for accounts where the value returned in "auth_failures=value" exceed the AUTH_MAXTRIES value. Unlock an account with:

/usr/sbin/userdbset -d -u account

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: AUTH_MAXTRIES question

AUTH_MAXTRIES question

Re: AUTH_MAXTRIES question

Re: AUTH_MAXTRIES question