System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

trusted system -id getting locked.

MSwift
Regular Advisor

trusted system -id getting locked.

One ID is getting locked out daily. here is the enrty from /tcb/files/auth/d

dmqmgr:u_name=dmqmgr:u_id#110:\
:u_pwd=FKQtgBwecL9.I:\
:u_auditid#61:\
:u_auditflag#1:\
:u_minchg#0:u_exp#0:u_life#0:u_succhg#1256228932:\
:u_llogin#0:u_pw_expire_warning#0:u_pswduser=dmqmgr:u_suclog#1256229060:
\
:u_suctty=pts/tt:u_unsuclog#1256228639:u_lock@:chkent:

is there anything wrong with this setup, not sure why i have to reset it every morning! (the user says they are not locking themselves out but getprpw does not say 00000000. Please help

Thanks

Mike.

19 REPLIES
DogBytes
Valued Contributor

Re: trusted system -id getting locked.

My first thought it check your version of secure shell. Getting the latest version at
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
may fix the issue.
Robert Salter
Respected Contributor

Re: trusted system -id getting locked.

What does the getprpw say?
Time to smoke and joke
MSwift
Regular Advisor

Re: trusted system -id getting locked.

# /usr/lbin/getprpw dmqmgr
uid=117, bootpw=NO, audid=61, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, sp
wchg=Thu Oct 22 12:28:52 2009, upwchg=-1, acctexp=-1, llog=0, expwarn=0, usrpick
=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT,
timeod=-1, slogint=Thu Oct 22 13:18:24 2009, ulogint=Thu Oct 22 15:26:33 2009, s
loginy=pts/tt, culogin=6, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0001000
Patrick Wallek
Honored Contributor

Re: trusted system -id getting locked.

>>lockout=0001000

That means too many login attempts with the incorrect password. So someone/something is trying to log in with the incorrect password too many times.

Try looking at 'lastb -R dmqmgr' and see what it returns. It will return the bad logins, with the IP/hostname of the system, for this use.

The meaning of each position of the lockout string (from the getprpw man page), from left to right is:

lockout - returns the reason for a lockout in a "bit" valued string, where 0 = condition not present, 1 is present. The position, left to right represents:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
MSwift
Regular Advisor

Re: trusted system -id getting locked.

yes i understand that part!! But the problem is they are currently logged in and did not make an unsucessful attempt. I have also pasted their /tcb/files/auth/d

dmqmgr:u_name=dmqmgr:u_id#110:\
:u_pwd=FKQtgBwecL9.I:\
:u_auditid#61:\
:u_auditflag#1:\
:u_minchg#0:u_exp#0:u_life#0:u_succhg#1256228932:\
:u_llogin#0:u_pw_expire_warning#0:u_pswduser=dmqmgr:u_suclog#1256229060:
\
:u_suctty=pts/tt:u_unsuclog#1256228639:u_lock@:chkent:

is their anything wrong with this?

Also when i do lastb -R dmqmgr i get this

Memory fault(coredump)

Thanks

Mike
Raj D.
Honored Contributor

Re: trusted system -id getting locked.

Mike,
By defat maximum login retry is 3 before it locksout , if you want to set it to 10 you can set umaxlntr to 10 or a similar value, so that it will not lockout frequently ,


To Change the umaxlntr value,

# cd /usr/lbin/; ./modprpw -m umaxlntr=10 operuser #[ where operuser is the usernme ]
# ./getprpw operuser



Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Patrick Wallek
Honored Contributor

Re: trusted system -id getting locked.

>>did not make an unsucessful attempt.

Something made too many unsuccessful attempts.

The set up looks good. There is nothing in the setup that would cause it to be disabled with a '1' in the 4th position.

I also just noticed this in your getprpw output:

ulogint=Thu Oct 22 15:26:33 2009

Someone tried, unsuccessfully, to log in to this account this afternoon at 15:26:33. So, someone, somewhere IS trying to login.
MSwift
Regular Advisor

Re: trusted system -id getting locked.

they are still logged in, that is why i am amazed at the counter. something is wrong!!!

Mike
Patrick Wallek
Honored Contributor

Re: trusted system -id getting locked.

>>they are still logged in,

That is irrelevant!!!!

>>that is why i am amazed at the counter.
>>something is wrong!!!

No, NOTHING is wrong! As I said, someone somewhere IS TRYING login with this ID. That's why it keeps getting disabled.

As I said above, your getprpw output shows 'ulogint' time of this afternoon. ulogint mean "unsuccessful login time".

With regard to your "lastb" problem, have a look at this thread:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=5605

If you can get this fixed, then you should be able to tell who/where the bad login is coming from.
Johnson Punniyalingam
Honored Contributor

Re: trusted system -id getting locked.

>>they are still logged in, that is why i am amazed at the counter. something is wrong!!! <<<

Hi Mike,

Do you have any script and application hardcode the password for user account ? will also cause this problem.

Sharing same user id among the group of people will cause this problem.

last -R --> to check from destination the user account has been login

also for while you can change unsucessfull login counts 0.

Hope This Helps,

Rgds,
Johnson

Problems are common to all, but attitude makes the difference
Bill Hassell
Honored Contributor

Re: trusted system -id getting locked.

The password is checked only once during login. It does not matter that the user logged in successfully, authentication will occur when a user *OR* a process like ftp *OR* a script *OR* another user tries to login. Failure can occur while the user is still logged in. The account will be locked out for future logins but the current user session is not affected. Thyere is nothing of interest in the /tcb file...the system is behaving correctly. You have to locate the user or process that is trying to login with the wrong password.

Run the command: lastb -R dmqmgr

These are the failures including time+date. Look at syslog and authlog and ftpd.log.


Bill Hassell, sysadmin
MSwift
Regular Advisor

Re: trusted system -id getting locked.

We reset this application account yesterday and again this am the account is locked, here is the getprpw

/usr/lbin/getprpw dmqmgr
uid=110, bootpw=NO, audid=21498, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0,
spwchg=Wed Oct 21 09:26:14 2009, upwchg=-1, acctexp=-1, llog=0, expwarn=0, usrp
ick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=NO, admnum=-1, syschpw=DFT, sysltpw=DFT
, timeod=-1, slogint=Thu Oct 22 20:04:40 2009, ulogint=Fri Oct 23 07:30:46 2009,
sloginy=pts/td, culogin=25, uloginy=pts/tc, umaxlntr=-1, alock=NO, lockout=0001
000

strangely lastb does not report bad login
(but lastb works for other id's)
lastb -R dmqmgr

btmp begins Mon Oct 20 05:30

Please help!!!!

Thanks

Mike.


MSwift
Regular Advisor

Re: trusted system -id getting locked.

i did not find any authlog on this box, here is the syslog.conf

mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
#*.alert /dev/console
*.alert root
*.emerg *
local7.debug /var/adm/syslog/tcp.log

*.notice;mail,auth,security,syslog,lpr,news,uucp,cron.none /dev/console
mail,auth,security,syslog,lpr,news,uucp,cron.alert /dev/console

Thanks

Mike
Robert Salter
Respected Contributor

Re: trusted system -id getting locked.

You didn't see any failed attempts in the /var/adm/syslog/syslog.log file? For ftp, ssh, login, etc.

Does this user have any scripts running that would try to access this server? maybe they forgot to change the password in them. Of course having a hardcoded password is a no no, but then there are those folks who ...

You could try changing his ID on the server. Doesn't find the problem but gets the user back in business.
Time to smoke and joke
MSwift
Regular Advisor

Re: trusted system -id getting locked.

There are no scripts running!

I have verified that

Mike
Viveki
Trusted Contributor

Re: trusted system -id getting locked.

Please try the below command and check

#/usr/lbin/modprpw -m lftm=0,exptm=0,mintm=0,acctexp=-1
MSwift
Regular Advisor

Re: trusted system -id getting locked.

What would this do? and why do u think this would help?

Mike
MSwift
Regular Advisor

Re: trusted system -id getting locked.

I just noticed the /etc/default/security says MIN_PASSWORD_LENGTH=6. this id has a password of 3 characters (appln id). would that be an issue? will it get locked because of that? even if it gets localed then how can it work with the same passwd when i unlock it?

Mike
Patrick Wallek
Honored Contributor

Re: trusted system -id getting locked.

>>will it get locked because of that?

No.

>>even if it gets localed then how can it work with the same passwd when i unlock it?

You're just unlocking the account. You're not changing the password.

>>#/usr/lbin/modprpw -m lftm=0,exptm=0,mintm=0,acctexp=-1


In a nutshell, the above is setting the account lifetime (lftm), password expiration time (exptm) minimum time between password (mintm) and account expiration time (acctexp) to null values so they are not enforced.

I really don't think this would help you as it isn't touching anything that would make much of a difference in this case. Have a read of the 'getprpw' and/or 'modprpw' man pages for a better understanding.