Operating System - HP-UX

Re: default password attempts parameter

 
Todd McDaniel_1
Honored Contributor

default password attempts parameter

Okay, let me ask my question a different way.

On a non-trusted host, what is the mechanism that kicks you off the session after 3 failed attempts?

I don't believe there are any scripts on my box that run as daemons which do this. However, something does kick you off after 3 failed attempts.

My .profile and /etc/profile don't have anything related to this, nor does the /etc/default/security file.

Where is the default setting/built-in that kicks users off after 3 failed attempts?

My OS is 11.00.
Unix, the other white meat.
Todd McDaniel_1
Honored Contributor

Re: default password attempts parameter

I found this regarding the security file, and I also found the /etc/pam.conf file which refers to the /usr/lib/security/libpam_unix.1 file...


===========================================
AUTH_MAXTRIES This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).

When an account has been locked due to too many authentication failures, root can unlock the account by this command:

userdbset -d -u username auth_failures

AUTH_MAXTRIES=0 Any number of authentication retries is allowed.

AUTH_MAXTRIES=N An account is locked after N+1 consecutive authentication failures. N can be any positive integer.

Default value: AUTH_MAXTRIES=0
==============================================
Unix, the other white meat.
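
An added example, not part of the original thread and not HP-supplied tooling: a shell check that reads the two files named in the excerpt above and reports the lockout behaviour that results, using the N+1 rule and the pam_hpsec requirement it describes. The function names are hypothetical, the pam_hpsec test is a plain substring match, and per-user overrides in /var/adm/userdb are not read.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Per-user overrides in /var/adm/userdb are not read here.

# Print the last uncommented AUTH_MAXTRIES value in a security file,
# or 0 (the documented default) when the file or the setting is absent.
auth_maxtries() {
    val=$(sed -n 's/^[[:space:]]*AUTH_MAXTRIES[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -1)
    echo "${val:-0}"
}

# Succeed if an uncommented line of a pam.conf-style file names pam_hpsec.
# Assumption: a substring match is enough to spot the module entry.
hpsec_configured() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep 'pam_hpsec' >/dev/null
}

# Report the resulting lockout behaviour for the two files.
lockout_policy() {
    sec=${1:-/etc/default/security}
    pam=${2:-/etc/pam.conf}
    n=$(auth_maxtries "$sec")
    case $n in
        *[!0-9]*) echo "invalid: AUTH_MAXTRIES=$n"; return 2 ;;
    esac
    if [ "$n" -eq 0 ]; then
        echo "unlimited: AUTH_MAXTRIES=0, accounts are never locked"
    elif ! hpsec_configured "$pam"; then
        echo "unenforced: AUTH_MAXTRIES=$n is set but pam_hpsec is not in $pam"
    else
        echo "locked after $((n + 1)) consecutive failures"
    fi
}

lockout_policy "$@"
```

Run with no arguments it reads /etc/default/security and /etc/pam.conf; pass two paths to check copies of the files instead.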
Steven E. Protter
Exalted Contributor

Re: default password attempts parameter

Shalom again,

Well you found the smoking gun. I've never seen that in an 11.00 system. Do you know how it got there and if it really works?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tim Nelson
Honored Contributor

Re: default password attempts parameter

Todd, I am not sure if the PAM settings or /etc/securitty/defaults apply to non-trusted systems.

An excerpt from the login man page states:
After three unsuccessful login attempts, a HANGUP signal is issued.
If a login is not successfully completed within a certain period of
time (for example, one minute), the terminal is silently disconnected.

With no mention of if it is configurable, but the man page for security does not state if Trusted environment is required either. Maybe change the setting for unsuccessful and see if it works. (I am sure you are already going down this path.)

Regards,

Todd McDaniel_1
Honored Contributor

Re: default password attempts parameter

Steven,

I was reading the 11.11 v3 man page. I was just curious if that was a feature of 11.00.

I do have the pam.conf file as well.


I will look at the login man page as well and read what it says there about the default value.


thanks guys!
Unix, the other white meat.
Sandman!
Honored Contributor

Re: default password attempts parameter

Check the man page of pam_authenticate(3). Seems like the parameter of interest may be PAM_MAXTRIES.

~cheers