Operating System - HP-UX
Account lockouts and warning (lack of warning)

SOLVED
rmueller58
Valued Contributor

Account lockouts and warning (lack of warning)

All,

I've run into a couple of things of late where accounts get locked for no apparent reason; the lockout status value is 0000000 and alock is no.

We have one set of processes that uses "rlogin" and another set that uses ssh(2). It consistently happens across my larger clients. My largest client has probably 300 accounts, and I probably field 10-20 account calls a week from them alone. They are using rlogin; one of our other clients has probably 5-10 account resets per week. The exptm value on some is set to 180; we aren't anywhere near expiry time.

Any thoughts at what I can look at?
16 REPLIES
Mel Burslan
Honored Contributor
Solution

Re: Account lockouts and warning (lack of warning)

If the lockout status is 0000000, it means that the account is active and the user just plain cannot remember their darn password. If you have changed the password policies to force users to make them more cryptic, i.e., the user must use at least one or two numbers, a special character, a capital letter and a lower-case letter, etc., this is an expected fallout from that decision. Sometimes I see some shops go extremely hasty with their password selection criteria, and most users call to have their passwords reset much more frequently than they did in the past.

Just a thought.
________________________________
UNIX because I majored in cryptology...
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Mel,

I agree, I think 90% of the calls on account lock are Num Lock or Caps Lock stupidity. I got reamed by one of our clients for not getting to the root of the problem. Helpdesk call #1: Stupid User.

That being said does SSH and RLOGIN use different auth files?
DCE
Honored Contributor

Re: Account lockouts and warning (lack of warning)

Some people have been known to automate their logins and/or include them in batch files. If a batch file is repeatedly run because it cannot log in (because of a mismatched password, for example), it could lead to the problem you are describing.

You can look in the syslog for login errors to see if there is any pattern.
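The syslog check DCE suggests, worked through as an added example that is not part of any post in this thread: a small POSIX shell script that counts failed password attempts per user and source address, so that a batch job replaying a stale password shows up as a tight cluster of failures from one address. The log lines are constructed to look like OpenSSH syslog entries; the message wording and awk field positions are assumptions about that format, so adjust them to match what your own syslog shows (rlogin/telnet failures on HP-UX are also recorded in /var/adm/btmp and can be listed with lastb).

```shell
#!/bin/sh
# Added example: summarise repeated failed logins per user and source.
# SAMPLE_LOG is constructed test data in the shape of OpenSSH syslog lines;
# real field positions may differ on your system.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 08:01:12 hpbox sshd[4021]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
Mar  3 08:01:15 hpbox sshd[4021]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
Mar  3 08:01:19 hpbox sshd[4021]: Failed password for jsmith from 10.1.2.3 port 51022 ssh2
Mar  3 08:01:40 hpbox sshd[4025]: Accepted password for jsmith from 10.1.2.3 port 51023 ssh2
Mar  3 08:02:02 hpbox sshd[4030]: Failed password for mbrown from 10.1.2.9 port 51100 ssh2
Mar  3 08:05:00 hpbox sshd[4044]: Failed password for invalid user backup from 10.1.5.7 port 40010 ssh2
Mar  3 08:05:01 hpbox sshd[4044]: Failed password for invalid user backup from 10.1.5.7 port 40010 ssh2
Mar  3 08:05:02 hpbox sshd[4044]: Failed password for invalid user backup from 10.1.5.7 port 40010 ssh2
Mar  3 08:05:03 hpbox sshd[4044]: Failed password for invalid user backup from 10.1.5.7 port 40010 ssh2
EOF
)

# failed_logins THRESHOLD  (reads syslog lines on stdin)
# Prints "user source count" for every user/source pair with at least
# THRESHOLD failed password attempts, most frequent first. A user whose
# failures all come from one address in quick succession is the pattern
# that points at an automated login with a stale password.
failed_logins() {
    awk -v min="$1" '
        /Failed password for/ {
            # "invalid user" lines carry the user name two fields later
            if ($0 ~ /invalid user/) { u = $11; s = $13 } else { u = $9; s = $11 }
            n[u " " s]++
        }
        END {
            for (k in n) if (n[k] >= min) print k, n[k]
        }' | sort -k3 -rn
}

# Stand-alone run: report any user/source pair with three or more failures
printf '%s\n' "$SAMPLE_LOG" | failed_logins 3
```

In practice you would feed it `grep 'Failed password' /var/adm/syslog/syslog.log` instead of the constructed sample, and lower or raise the threshold to match your lockout setting (umaxlntr on a trusted system).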
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Our "selection criterion" is fairly simple: it requires a combination of alphanumeric characters, 6 characters minimum.
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

DCE, these users are that bright! We don't have them do that. The client we use does not save passwords.
DCE
Honored Contributor

Re: Account lockouts and warning (lack of warning)

Wow - sounds like you have a bad case of defective user-itis on your hands. Does your security policy allow you to disable the account locked option, or at least let you increase it to a larger number - say 1000?
Mel Burslan
Honored Contributor

Re: Account lockouts and warning (lack of warning)

From the lockout status of seven zeros, I am under the impression that you are talking about a trusted system, and no: password matching on a system, trusted or untrusted, is made against the user's password held in the same place (the passwd or shadow passwd file for untrusted systems and under tcb/files/auth/blah-blah for trusted systems).

Having said that, using ssh you can choose the challenge/passphrase method for your authentication and bypass the password checking entirely. Basically you generate a pair of private and public keys. Send your public key to the server (under $HOME/.ssh for OpenSSH implementations) and keep the private key on your workstation. At the time of creation you assign a passphrase to your private key so that when you are away from the keyboard, people cannot have a free ride to your systems. But since this passphrase is under your control, you can make it as easy or as hard as your heart desires. This may explain why you are getting fewer complaints from ssh users, if this is the case.

Hope this is as clear as mud by now :) Cheers...
________________________________
UNIX because I majored in cryptology...
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

I am probably going to run through /usr/lbin/modprpw values as follows:

exptm=-1
lftm=-1
umaxlntr=-1

rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Mel,
I will look at the challenge again..

Is that in /etc/ssh2/sshd2_config?
Gavin Clarke
Trusted Contributor

Re: Account lockouts and warning (lack of warning)

In my opinion ssh and rlogin use the same auth files.

The easy way to test is to lock an account out with ssh say, then try rlogin.

I'm sure that they've got to be the same.

As for helping users to remember/type their password, hmmmm, not sure; PuTTY allows the delete key to actually delete, which I find helps me a bit sometimes.
Mel Burslan
Honored Contributor

Re: Account lockouts and warning (lack of warning)

Rex,

Actually if sshd is running on your server, challenge/passphrase authentication is in effect. I am not sure if you can disable it or if you really want to disable it either. It is one of the beauties of ssh. You can type your life story as a passphrase and use anything you like instead of a minimum of 6 characters of cryptic password you will forget 3 minutes after changing it.

typical password: C3!dfE

sample passphrase: My dog's name is Casey and she loves to chew rawhide

Yes, you can have spaces, special characters or anything your heart desires in your passphrase. Tell me which one is more secure and easier to remember (unless a hacker has an insight into your soul).

________________________________
UNIX because I majored in cryptology...
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Mel,

Sounds like my Yellow Lab.

I am going to modify my alock check script and pull all the parameters on those school districts in question. I have two districts that represent 70% of our users. These are my problem "children": old blue hairs that do bookkeeping. :D

Bill Hassell
Honored Contributor

Re: Account lockouts and warning (lack of warning)

Are the accounts actually locked? You might use the attached script to decipher all the different conditions for a user account. It has an extensive decode of the user's status.


Bill Hassell, sysadmin
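Since the attachment is not reproduced in the thread, here is an added example (my own code, not Bill Hassell's script) that decodes just the part of the status the original question is about: the seven-character lockout field that getprpw prints for a trusted-system account. The bit meanings below are assumed from getprpw(1M) (position 1: past password lifetime, 2: past last login time, 3: past absolute account lifetime, 4: exceeded unsuccessful login attempts, 5: password required and null password, 6: admin lock, 7: password is a *), and the getprpw output line is constructed.

```shell
#!/bin/sh
# Added example: decode the lockout field of getprpw output.
# Bit meanings are an assumption taken from getprpw(1M); check them
# against your own manpage. SAMPLE_GETPRPW is a constructed line.

SAMPLE_GETPRPW='uid=1023, bootpw=NO, audid=23, audflg=1, pwchg=Mon Mar  6 08:12:00 2006, lftm=-1, exptm=180, umaxlntr=3, lockout=0001000'

# decode_lockout VALUE -> prints one reason per line, or "not locked".
# Returns 1 if VALUE is not exactly seven 0/1 characters.
decode_lockout() {
    v=$1
    case $v in
        [01][01][01][01][01][01][01]) ;;
        *) echo "invalid lockout value: $v" >&2; return 1 ;;
    esac
    if [ "$v" = "0000000" ]; then
        echo "not locked"
        return 0
    fi
    i=1
    while [ $i -le 7 ]; do
        bit=$(printf '%s' "$v" | cut -c"$i")
        if [ "$bit" = 1 ]; then
            case $i in
                1) echo "past password lifetime" ;;
                2) echo "past last login time (inactive account)" ;;
                3) echo "past absolute account lifetime" ;;
                4) echo "exceeded unsuccessful login attempts" ;;
                5) echo "password required and a null password" ;;
                6) echo "admin lock" ;;
                7) echo "password is a *" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# lockout_from_getprpw (reads getprpw output on stdin): pull out the
# lockout=NNNNNNN field and decode it, so the function can be fed
# "getprpw user" directly on a trusted system.
lockout_from_getprpw() {
    sed -n 's/.*lockout=\([01]\{7\}\).*/\1/p' | while read -r val; do
        decode_lockout "$val"
    done
}

# Stand-alone run against the constructed sample line
printf '%s\n' "$SAMPLE_GETPRPW" | lockout_from_getprpw
```

A status of 0000000, as in the original question, decodes to "not locked", which is the point Mel made earlier: those accounts were never locked by the system, so the calls are password mistakes rather than lockouts. Any other value names the rule that tripped, which tells you which modprpw field to adjust rather than blanket-disabling them all.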
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Bill I was running through my email archives and did come across that or something similar..


I wrote a script that resets certain values in the auth files based on the users' "home school district" (i.e., the "read" value $dist):

# cat chgpass
export PATH=$PATH:/usr/lbin
echo "Enter District:"
# Read the district name into dist (the original "read $dist" expanded an
# empty variable and so read into REPLY, leaving $dist unset)
read dist
# Collect every login whose home directory is under /home/$dist
grep "/home/$dist" /etc/passwd | awk -F: '{print $1}' > /tmp/$dist.users
for u in $(cat /tmp/$dist.users)
do
# Send Current Info to Temp File
getprpw $u > /tmp/$dist.auth1
# Modify Auth Parameters to "-1" or Disable
modprpw -l -m exptm=-1,lftm=-1,mintm=-1,expwarn=-1 $u
# Send New Info to Temp File
getprpw $u > /tmp/$dist.auth2
# Compare Old and New Parameters
diff /tmp/$dist.auth1 /tmp/$dist.auth2
done

echo "Script Complete"


I am going to monitor this closely for the next year.. My guess is that if I get any calls, they will be stupid-user calls, forgetting Caps Lock or something..

Thanks ..

rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Bill,

I do like your script.. I am not much of a Perl person yet. It will be useful when troubleshooting these pesky varmints.. Thanks...

Points Submit to all.. I am closing the thread..
rmueller58
Valued Contributor

Re: Account lockouts and warning (lack of warning)

Thanks all..