HPE Community
Operating System - HP-UX
1836807 Members
2786 Online
110110 Solutions
New Discussion

Re: Locking Out Users After Failed Logins--Not A Trusted System

 
Dave Thompson_7
Occasional Advisor

‎04-18-2007 05:58 AM

‎04-18-2007 05:58 AM

Locking Out Users After Failed Logins--Not A Trusted System

Is there a way to lock out users after x number of failed login attempts? We do not have a trusted system and don't want to convert because of some potential application problems. I've looked through threads and responses, but can't find the answer I really need (for the *@#$%! auditor).
0 Kudos
10 REPLIES 10
Patrick Wallek
Honored Contributor

‎04-18-2007 06:07 AM

‎04-18-2007 06:07 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Not possible without converting to a trusted system, as far as I know.
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎04-18-2007 06:25 AM

‎04-18-2007 06:25 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

In order to do this you would have to write custom login programs. That is the way it was done before the days of shadowsed passwd and/or trusted systems.
If it ain't broke, I can fix that.
0 Kudos
Marco A.
Esteemed Contributor

‎04-18-2007 06:28 AM

‎04-18-2007 06:28 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Actually the only way to achieve that is by using the command "tsconvert" and convert your system in "trusted" , the normal env, using the /etc/passwd, or using shadow passwords (/etc/shadow) has not way to control that kind of things, with Trusted system you can control all those things.

Admin guide at. :
http://docs.hp.com/en/B2355-90121/B2355-90121.pdf

Regards
Just unplug and plug in again ....
0 Kudos
Patrick Wallek
Honored Contributor

‎04-18-2007 06:29 AM

‎04-18-2007 06:29 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

You mean you can't find the answer you really want.

If you are on HP-UX 11.11 you could take a look at Shadow passwords:
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

But if your app won't support trusted, then the chances are probably slim that it will support shadow.

You must face the fact that the base authentication does not support locking out users after X invalid logins.
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎04-18-2007 06:35 AM

‎04-18-2007 06:35 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Have you actually tried a trusted system? The trusted mechhanism has been around so long on HP-UX that it is a very rare application that has problems. The login/user/group functions that any application should be using make this invisible to the application itself.

Even if you do create custom login programs which can lockout an account, you still have an almost unsurmountable obstacle to overcome in that the password hashes are visible and thus vulnerable to a guessing attack.
If it ain't broke, I can fix that.
0 Kudos
Dave Thompson_7
Occasional Advisor

‎04-18-2007 06:41 AM

‎04-18-2007 06:41 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Thanks for all the infomation.

Just so you'll know, our application software has been ported from TI-990, TI-1500, & HP-9000 to the Itanium. I don't know what problems may be encountered with some of our ftp scripts and file permissions. And, yes, the shadow password file has been implemented with no problems (so far).

I have contacted our software vendor to see if there are any hidden problems that I haven't thought of (or imagined).

Thanks again.
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎04-18-2007 06:50 AM

‎04-18-2007 06:50 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Any ftp client software should be complete insulated from the underlying user verification functions -- so those should not be a cause for concern. The same holds true for file permissions.
If it ain't broke, I can fix that.
0 Kudos
Dave Thompson_7
Occasional Advisor

‎04-19-2007 12:16 AM

‎04-19-2007 12:16 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Thanks for all the good info. After consulting with our software vendor, it looks like we should be able to go to a trusted system.

But, after some more research, it seems like we could use SMSE to do this. I know it's a stupid question, but can we really use SMSE running B.11.23 & is there a down side?

Thanks.
0 Kudos
Bill Hassell
Honored Contributor

‎04-24-2007 01:30 AM

‎04-24-2007 01:30 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

> But, after some more research, it seems like we could use SMSE to do this. I know it's a stupid question, but can we really use SMSE running B.11.23 & is there a down side?

Not a stupid question at all. Standard Mode Security Extensions (SMSE) is brand new with 11.23:

docs.hp.com/en/5991-8678/ch06s01.html

And you'll want to look at this:

docs.hp.com/en/5991-1125/ch01s03.html

Since SMSE is relatively new (and many poorly written programs still can't handle a Trusted system even after 10 years...), the only way to know about problems is to try it -- and at the same time, ask the vendor. If the vendor never heard about SMSE, I would be suspicious about success.

SMSE was created to bridge the gap between barebones unTrusted systems and a full TCB (Trusted Computing Base) by providing the elements of a Shadow Password system, yet (by using PAM and a more compatible security database) providing a much more secure environment.


Bill Hassell, sysadmin
0 Kudos
Dave Thompson_7
Occasional Advisor

‎04-24-2007 05:32 AM

‎04-24-2007 05:32 AM

Re: Locking Out Users After Failed Logins--Not A Trusted System

Looks like SMSE will do exactly what I need to have done. Thanks to everyone.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.