karthiknarayan
Advisor

Failed Login Attempts

Hi,

I have a Non-Trusted HP-UX System. I wanted to lock users after three
failed login attempts.

I have made an entry in /etc/default/security as follows

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10
AUTH_MAXTRIES=3

But when I tried to test this, the account doesn't get locked out. Can
someone tell me how to fix it?
In Love with Life
whiteknight
Honored Contributor

Re: Failed Login Attempts

Hi,

Those are only for Trusted-system mode; they will not work in a non-trusted system.

>I have made an entry in /etc/default/security as follows

>MIN_PASSWORD_LENGTH=8
>PASSWORD_HISTORY_DEPTH=10
>AUTH_MAXTRIES=3

WK
Problem never ends, you must know how to fix it
A. Clay Stephenson
Acclaimed Contributor

Re: Failed Login Attempts

This can't be done without converting to a trusted system because the data (i.e., the number of failed attempts) are stored in the tcb database. The only way to do this with a standard passwd system is to create a custom login program. It was common practice to write replacements for the login and passwd commands in the days before shadow passwords. It's not very difficult.
If it ain't broke, I can fix that.
karthiknarayan
Advisor

Re: Failed Login Attempts

Where can I get the custom program for that? Do I need to put it in the /etc/profile?


Please help.
In Love with Life
Dennis Handly
Acclaimed Contributor

Re: Failed Login Attempts

>Do I need to put it in the /etc/profile?

You don't get to profile until you log in.
I think Clay meant you replace login and passwd.
yulianto piyut
Valued Contributor

Re: Failed Login Attempts

Hmm...

I think in non-trusted mode you can restrict your password policy. Below is the /etc/default/security file I have implemented on my system:

# Security file: /etc/default/security
# man security

# Features depend on HP-UX rev and patches. Not all features are
# available on older systems.
#
# Comments (#) allowed only on separate line,
# no trailing # following a parameter or it
# will invalidate the setting

# Access controls (11.0 and higher)
#################

NOLOGIN=0
NUMBER_OF_LOGINS_ALLOWED=0
ABORT_LOGIN_ON_MISSING_HOMEDIR=1

# Single user mode authorization (11i and non-trusted only)
###########################################################

# Requires root password to get into single user mode
# BOOT_AUTH=1

# Users (besides root) that can boot into single user mode
# BOOT_USERS=bill,jane,joe

# Password controls - Trusted
###################

#MIN_PASSWORD_LENGTH=8
#PASSWORD_HISTORY_DEPTH=12
#PASSWORD_MIN_UPPER_CASE_CHARS=1
#PASSWORD_MIN_LOWER_CASE_CHARS=1
#PASSWORD_MIN_DIGIT_CHARS=1
#PASSWORD_MIN_SPECIAL_CHARS=1

# Non-Trusted or shadow password setup only:
# defaults: MAXDAYS=-1 MINDAYS=0 WARNDAYS=0

# PASSWORD_MAXDAYS=90
# PASSWORD_MINDAYS=7
# PASSWORD_WARNDAYS=7

# Session controls
##################

#SU_ROOT_GROUP=suroot
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
# SU_KEEP_ENV_VARS=LD_LIBRARY_PATH,SHLIB_PATH,LD_PRELOAD
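
The header of the file posted above says a # after a parameter on the same line invalidates the setting. The shell function below checks a file for that; it is an added example, not part of the original post or of HP-UX, and the names lint_security_file and sample_security_file, the sample contents, and the extra NAME=value and duplicate checks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an HP-UX /etc/default/security file.
# Rule checked (from the posted file's own header): a '#' after a parameter
# on the same line invalidates that setting.
# "OK" means the line parses, not that the OS honours it in the current mode.

lint_security_file() {
    # Reads the file named in $1, or stdin when no argument is given.
    # Prints one finding per line; returns 1 if anything was flagged.
    cat ${1:+"$1"} | awk '
        /^[ \t]*(#|$)/ { next }   # blank line or whole-line comment
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            name = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            if (eq < 2 || name !~ /^[A-Z][A-Z0-9_]*$/) {
                printf "WARN line %d: not a NAME=value setting: %s\n", NR, line
                bad = 1; next
            }
            if (index(value, "#")) {
                printf "WARN line %d: %s has a trailing comment, setting is invalidated\n", NR, name
                bad = 1; next
            }
            if (name in seen) {
                printf "WARN line %d: %s already set on line %d\n", NR, name, seen[name]
                bad = 1
            }
            seen[name] = NR
            printf "OK line %d: %s=%s\n", NR, name, value
        }
        END { exit bad + 0 }'
}

sample_security_file() {
    # Constructed sample, modelled on the settings quoted in the thread.
    cat <<'EOF'
# Password controls
MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=10
AUTH_MAXTRIES=3   # lock after three failures
#PASSWORD_MAXDAYS=90
SU_DEFAULT_PATH=/usr/bin:/usr/contrib/bin:
NOLOGIN=0
NOLOGIN=1
EOF
}

# Demo on the sample; on a host run: lint_security_file /etc/default/security
sample_security_file | lint_security_file || true
```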
karthiknarayan
Advisor

Re: Failed Login Attempts

Sorry,

But where do I set the maximum tries allowed before unlock of the account?
In Love with Life
Bill Hassell
Honored Contributor

Re: Failed Login Attempts

Almost all of the features listed in the example security file (including number of tries until account is locked) do not work in a non-Trusted system. There is no workaround, patch or other technique other than you writing your own login and passwd programs.

Is there some reason that you cannot convert your system to Trusted?


Bill Hassell, sysadmin
Robert Fritz
Regular Advisor

Re: Failed Login Attempts

You may consider Trusted Mode Security Extensions: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt

It provides just about all the features of trusted mode, without requiring conversion (which is deprecated in 11iv3 (11.31)).
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin