
Disable user-id

 
Tom Gore
Regular Advisor

Disable user-id

Is there a way for the system to disable a user-id after "X" bad attempts? Also, is there any kind of audit report that can be produced that will show me the invalid logon attempts? Our auditors are at it again and are asking for this information.

Thanks
10 REPLIES
Patrick Wallek
Honored Contributor

Re: Disable user-id

You can disable an id after some number of invalid login attempts if your system is in trusted mode. If it is not trusted, you are out of luck.

As for bad logon attempts, have a look at the 'lastb' command. 'man lastb' for more information.
Marco Santerre
Honored Contributor

Re: Disable user-id

You can have the list of bad logon attempts using lastb, which is taken from the file /var/adm/btmp.

If you turn on Trusted Mode on your systems, you can audit users and also specify several password policies, like password aging and number of password attempts.

You can turn on Trusted Mode by using tsconvert or in SAM.
Cooperation is doing with a smile what you have to do anyhow.
Ross Zubritski
Trusted Contributor

Re: Disable user-id

You should be able to manipulate login attempts using the Auditing and Security functionality in SAM.

Regards

RZ
Sridhar Bhaskarla
Honored Contributor

Re: Disable user-id

Tom,

Time for you to convert your system to trusted. Apart from the major advantage of hiding the encrypted passwords, it will allow you to configure a variety of options to secure the system. Look at docs.hp.com to get more information on Trusted systems.

'lastb -R' can provide you a detailed report on unsuccessful attempts.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
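
An added example, not written by any poster in this thread: a shell function that condenses lastb output into a per-user count of failed logons, flagging accounts at or above "X" attempts for review. The column layout (user name in the first column), the skipped trailing "btmp" line, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-user failed-logon summary from lastb-style output.
# Assumption: the user name is the first whitespace-separated column.

# summarize_failures THRESHOLD
# Reads lastb-style lines on stdin and prints "user count status",
# highest count first. status is REVIEW when count >= THRESHOLD.
summarize_failures() {
    threshold=$1
    awk -v max="$threshold" '
        NF == 0      { next }   # skip blank lines
        $1 == "btmp" { next }   # skip a trailing "btmp begins ..." line, if any
        { fails[$1]++ }         # one line = one failed attempt for that user
        END {
            for (u in fails) {
                status = (fails[u] >= max) ? "REVIEW" : "ok"
                printf "%s %d %s\n", u, fails[u], status
            }
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample input (not real log data).
sample_lastb() {
    cat <<'EOF'
jsmith   pts/ta   host-a.example.com   Mon Mar  3 10:15
jsmith   pts/ta   host-a.example.com   Mon Mar  3 10:15
root     pts/tb   host-b.example.com   Mon Mar  3 10:17
jsmith   pts/ta   host-a.example.com   Mon Mar  3 10:18
oracle   pts/tc   host-c.example.com   Mon Mar  3 10:20
root     pts/tb   host-b.example.com   Mon Mar  3 10:21
jsmith   pts/ta   host-a.example.com   Mon Mar  3 10:22

btmp begins Mon Mar  3 09:00
EOF
}

# On a live system the input would be:  lastb -R | summarize_failures 3
sample_lastb | summarize_failures 3
```

The report only counts attempts; locking an account after "X" failures is still the Trusted Mode setting described in the replies above.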
Tom Gore
Regular Advisor

Re: Disable user-id

Thanks to all. Now all I have to do is find out if they want to switch to a "trusted system". One more question came to mind. Is there a way to log a user off after "x" minutes of inactivity?
James R. Ferguson
Acclaimed Contributor
Solution

Re: Disable user-id

Hi Tom:

If you set the TMOUT environmental variable to a non-zero value (the units are in seconds), then the (Posix) shell will terminate TMOUT seconds after issuing the PS1 prompt. Any entry will otherwise reset the countdown. Thus, to set a 10-minute inactive timeout, do:

# export TMOUT=600

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: Disable user-id

TMOUT=1900

Is what my system is set for.

What this does: It logs out users who are stuck on dollar prompts and not running apps.

What it does not do: If a user has a vi session or an application session open via telnet, it doesn't work.


In that case the application needs a timeout which will dump the user to a dollar prompt or back into the startup script, depending on how the user got in.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tom Gore
Regular Advisor

Re: Disable user-id

What constitutes an "app"? My specific concern is the ignite backups our operators run. If I set TMOUT=1200 and the backup runs longer than 20 minutes, do they get logged out? Is the ignite backup still running even though they were logged out?
Chris Vail
Honored Contributor

Re: Disable user-id

You can ensure that your ignite tape backup is not terminated by the TMOUT variable with the 'nohup' command. Also send it to the background with the ampersand (&). So "nohup command &" will cause a process to run to completion even when the shell that is its parent terminates.

Chris
Bill Hassell
Honored Contributor

Re: Disable user-id

TMOUT is a shell variable and does NOTHING unless the shell is running. When you run the backup program, the shell is suspended (not running) and the timer does not run. When the shell prompt returns after the backup, the timer starts over and the shell will logout after TMOUT seconds.

As far as auditing requirements, converting to a Trusted System is the best way to satisfy the auditing requirements as it provides the controls needed to disable accounts and enforce good password rules.


Bill Hassell, sysadmin