Operating System - HP-UX

lockout account after 3 attempts

 
HENRY_92
New Member

lockout account after 3 attempts

Hello,

Is it possible to lock out user accounts after 3 failed attempts?

Could anyone help me with that?

Are there any scripts that read /var/adm/loginlog, or any patch?

Thanks
Henry
3 REPLIES
john kingsley
Honored Contributor

Re: lockout account after 3 attempts

This can be accomplished on a trusted system. If you are running NIS, you will not be able to convert your system to trusted mode.

If you are running a trusted system, you activate the account lockout through SAM:

Auditing and Security -> System Security Policies -> General Account Policies...
Lock Inactive Accounts:
Unsuccessful Login Tries Allowed: 3

Accounts which have been locked can be reactivated in SAM:
Accounts for Users and Groups --> Users
Select User --> Actions --> Reactivate
Robert Fritz
Regular Advisor

Re: lockout account after 3 attempts

You may also consider using standard-mode security extensions, available for 11.23.

This will save you the conversion, and the associated PAM and compatibility issues.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StdModSecExt
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Steven E. Protter
Exalted Contributor

Re: lockout account after 3 attempts

If your system is trusted, it's pretty easy, just the menu commands above.

If your system is not trusted you can make it trusted and follow the same commands.

If trusted system is not an option for you then look at the syslog file or the btmp file, count the bad logins and issue a passwd -l command.

btmp is a binary file so you'll need to process it with strings.

I can't remember ever seeing /var/adm/loginlog so I can't comment on that.

essence of the script:

while read -r username
do
    # count the btmp strings that contain this username
    badones=$(strings /var/adm/btmp | grep -c "$username")
    if [ "$badones" -ge 3 ]
    then
        passwd -l "$username"
    fi
done < /tmp/list

# /tmp/list can be generated from a copy of /etc/passwd
# awk -F: '{print $1}' /tmp/passwd > /tmp/list


This is a root only script, and don't leave copies of passwd lying round.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
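
An added example, not part of the thread or any poster's code: the same count-and-lock idea, but matching whole login names against the known account list and exempting root, so failures for "bobby" never lock "bob", strings that are not accounts are ignored, and repeated bad root logins cannot lock out the administrator. The function name, the exemption list and the record layout (login name in the first whitespace-separated field) are assumptions; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# over_threshold MAX "ACCOUNTS" [EXEMPT]  < failed-login records
# Reads records with the login name in the first whitespace-separated field
# and prints, sorted, each known, non-exempt account with >= MAX failures.
over_threshold() {
    awk -v max="$1" -v accounts="$2" -v exempt="${3:-root}" '
        BEGIN {
            n = split(accounts, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1
            n = split(exempt, e, " ");   for (i = 1; i <= n; i++) skip[e[i]] = 1
        }
        # Whole-field match: "bob" never picks up failures logged for "bobby".
        ($1 in known) && !($1 in skip) { fails[$1]++ }
        END { for (u in fails) if (fails[u] >= max) print u }
    ' | sort
}

demo() {
    # Account names as they would come from the first field of /etc/passwd.
    accounts="root alice bob bobby"
    over_threshold 3 "$accounts" root <<'EOF'
alice    pts/1   Mon Jan  6 10:01
alice    pts/1   Mon Jan  6 10:01
bob      pts/2   Mon Jan  6 10:03
bobby    pts/3   Mon Jan  6 10:04
bobby    pts/3   Mon Jan  6 10:04
root     console Mon Jan  6 10:05
root     console Mon Jan  6 10:05
root     console Mon Jan  6 10:06
root     console Mon Jan  6 10:06
S3cretPw pts/4   Mon Jan  6 10:07
bob      pts/2   Mon Jan  6 10:08
alice    pts/1   Mon Jan  6 10:09
EOF
}

# Print the accounts a caller would then pass to `passwd -l`.
demo
```

The "S3cretPw" record stands for a password typed at the login prompt by mistake, which is why the failed-login file and any copy of it should stay readable by root only.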