Operating System - HP-UX

Re: Account lock-out on invalid attempts in NIS.

 
Sameer S
Advisor

Account lock-out on invalid attempts in NIS.

Hi,
I have implemented NIS using HPUX 10.20. By modifying the /etc/passwd file, I am able to implement password aging, force change etc. But I want to extend the security to:
1. Account lockout on x (say 3) number of wrong logout attempts.
2. User should not be able to use last x passwords.
Has somebody implemented the same in an NIS environment using HPUX? Any help would be really appreciated.
Thanks,
Sameer
Let us grow our knowledge by sharing ...
harry d brown jr
Honored Contributor

Re: Account lock-out on invalid attempts in NIS.


A lot of work for an OS that is obsolete in less than 12 months.

(1) see #2
(2) Password aging, as described in passwd(1) and passwd(4), is not implemented in the Network Information System password database. man yppasswd.

Consider ldap:

http://software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J4269AA


live free or die
harry
Live Free or Die
harry d brown jr
Honored Contributor

Re: Account lock-out on invalid attempts in NIS.


Sorry, I totally missed your questions - I should have waited until I finished my first pot of coffee.

Now I get it.

Try this security link:
http://www.padl.com/hpux/

live free or die
harry
Live Free or Die
Sameer S
Advisor

Re: Account lock-out on invalid attempts in NIS.

Hi guys, what I am looking for is some scripts or modifications that can be done to the NIS maps to achieve password aging and account locking after unsuccessful attempts. I have been able to achieve the aging feature with some extra fields added to the /etc/passwd NIS map, but locking seems difficult. Has somebody tried it?
Let us grow our knowledge by sharing ...
doug hosking
Esteemed Contributor

Re: Account lock-out on invalid attempts in NIS.

Unfortunately, this is a good example of the problem with industry standards that don't plan for future expansion. One of the big shortcomings of NIS is that it doesn't provide an easy means to represent additional per-user attributes like this. Even if HP supported the extra fields, you'd have trouble if your NIS server wasn't from HP, because the server wouldn't know about the extra attributes, and you presumably want to store the info on the server, not on each client.

HP-UX 10.0 and later provides the lockout feature you want, and 11.0 and later (with patches) provides the history feature you want, but these require running in trusted mode, which is not compatible with NIS.

Remember that anything you do to try to implement this will require changes to many commands - login, rlogin, telnet, ftp, su, dtlogin, passwd, ... Otherwise you won't reliably get the features you are looking for.

10.20 provides only the beginnings of PAM support, making the task even harder. (On 11.0 and later, you could write a custom PAM module to do at least some of what you want.)

I'm afraid there really isn't a good solution for this if you require using NIS on 10.20.