HPE Community
Operating System - HP-UX
1834651 Members
2109 Online
110069 Solutions
New Discussion

Regarding account lock

 
SOLVED
Go to solution
Sridhar R
Regular Advisor

‎02-26-2008 02:20 AM

‎02-26-2008 02:20 AM

Regarding account lock

Hi,

I want the user's account to get locked if they are trying to login after 3 wrong attempts.

(Note: Right now, user can login the nth time even if he does n-1 wrong attempts)

Kindly tell me how to do this??

And also i want to know about unlocking the account without resetting to a new password !!

Kindly help and give a solution for this!!

Thanks in Advance!!

Sridhar
0 Kudos
13 REPLIES 13
Anshumali
Esteemed Contributor

‎02-26-2008 02:35 AM

‎02-26-2008 02:35 AM

Re: Regarding account lock

1. trusted system
2. /usr/lbin/modprpw -k user_name
Dreams are not which you see while sleeping, Dreams are which doesnt allow you to sleep while you are chasing for them!!
0 Kudos
likid0
Honored Contributor

‎02-26-2008 02:40 AM

‎02-26-2008 02:40 AM

Re: Regarding account lock

Yes, you must check that you are runing a trusted system, if its a trusted system you will have a /tcb directory.

Here you can see the config of the server:

/tcb/files/auth/system# cat default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#16:u_exp#2419200:u_life#2592000:\
:u_llogin#0:u_pw_expire_warning#1814400:u_pswduser=root:u_pickpw:\
:u_genpwd:u_restrict@:u_nullpw@:u_genchars:\
:u_genletters:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:


But i would suggest using sam, to change these settings.

Windows?, no thanks
0 Kudos
Sridhar R
Regular Advisor

‎02-26-2008 02:49 AM

‎02-26-2008 02:49 AM

Re: Regarding account lock

Hi,

Thnx for the reply.

i dont find any /tcb directory.

0 Kudos
likid0
Honored Contributor

‎02-26-2008 03:05 AM

‎02-26-2008 03:05 AM

Re: Regarding account lock

You can convert to trusted mode from SAM or on command line.

command line- /etc/tsconvert -c

All accounts will expire and will be prompted for new password. So immediatley after you do /etc/tsconvert -c, do
/usr/lbin/modprpw -V

Rather do
/etc/tsconver -c;/usr/lbin/modprpw -V
Windows?, no thanks
0 Kudos
dinoside
New Member

‎02-26-2008 01:44 PM

‎02-26-2008 01:44 PM

Re: Regarding account lock

if untrust the system, tsconvert -r
0 Kudos
Robert Fritz
Regular Advisor

‎02-26-2008 04:24 PM

‎02-26-2008 04:24 PM

Re: Regarding account lock

Also note that trusted mode is deprecated in 11.31 in favor of the Standard Mode security extensions. (discontinued in 11.41)

Using that, you can (in 11.31, or with the SMSE download in 11.23) use the setting AUTH_MAXTRIES in /etc/default/security to set this, or per-user, using the userdb command.

This does NOT require the transition to trusted mode.

-Robert
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
0 Kudos
Sridhar R
Regular Advisor

‎02-26-2008 10:26 PM

‎02-26-2008 10:26 PM

Re: Regarding account lock

Hi Orange,

I did whatever u said. I think the system is in trusted mode right now.

And now i can see the /tcb directory.

I get the default(/tcb/files/auth/system) file to be:

vorap101#cat default
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#15724800:u_life#16934400:\
:u_pw_expire_warning#604800:u_pswduser=root:u_pickpw:u_genpwd:\
:u_restrict@:u_nullpw@:u_genchars@:u_genletters:\
:u_suclog#0:u_unsuclog#0:u_maxtries#3:u_lock:\
:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:



What should i make change in this file so that my requirement fulfills !!

And also i want tp know how to change it to non-trusted mode again?? Will i get any problem if i leave it as such in trusted mode??

Thanks !
0 Kudos
likid0
Honored Contributor

‎02-27-2008 12:49 AM

‎02-27-2008 12:49 AM

Solution

Re: Regarding account lock

Hy,


There is no problem with the system in trusted mode, it should be in trusted mode.

as the default stands you have what you want, after 3 wrong attempts the server blocks the user.

u_maxtries#3

database u_maxtries:

Set Maximum Unsuccessful Login tries allowed.
0 = infinite.



to unlock the user, without changing passwd:

/usr/lbin/modprpw -k user_name


have a look at man modprpw
Windows?, no thanks
0 Kudos
Sridhar R
Regular Advisor

‎02-27-2008 01:35 AM

‎02-27-2008 01:35 AM

Re: Regarding account lock

Hi,

Thanks that's working!

But, is there any direct command to check whether the system is in trusted or un-trusted mode?

By any chance, is it possible to revert back to un-trusted mode?

If yes, kindly let me know!!

Thanks!!
0 Kudos
Anshumali
Esteemed Contributor

‎02-27-2008 01:46 AM

‎02-27-2008 01:46 AM

Re: Regarding account lock

1. Actually Many
---run any command which is a trusted system only command, getprpw, modprpw
----- check for /tcb

2. tsconvert -r
Dreams are not which you see while sleeping, Dreams are which doesnt allow you to sleep while you are chasing for them!!
0 Kudos
titu
Regular Advisor

‎02-27-2008 02:45 AM

‎02-27-2008 02:45 AM

Re: Regarding account lock

hi Sridhar,

Please check with this command:

#usr/lbin/modprpw -k root

This command will show whether the system is trusted system or not ?
0 Kudos
titu
Regular Advisor

‎02-27-2008 02:59 AM

‎02-27-2008 02:59 AM

Re: Regarding account lock

Hi Sridhar ,

you can go to /etc/deafult/security and
put a parameter :

#AUTH_MAXTRIES= no. of tries-1

it will lock the userid after more no. of tries mentioned here.

0 Kudos
Sridhar R
Regular Advisor

‎02-27-2008 03:00 AM

‎02-27-2008 03:00 AM

Re: Regarding account lock

Thanks !
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.