- Re: account disabled message on auth failure
10-28-2008 06:35 AM
RHEL AS 2.1/3/4/5
I have noticed that the Linux user accounts are not returning an error message "account is disabled; contact your system administrator", unlike HP-UX.
Is there a way to get a similar message in Linux? We use PAM authentication.
10-28-2008 10:19 AM
Re: account disabled message on auth failure
Under which circumstances do you want to get a similar message? For example, if the shell is /sbin/nologin you will get a similar message.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
10-28-2008 04:45 PM
Re: account disabled message on auth failure
It's not happening. Any other criteria along with the /sbin/nologin?
# faillog -u ftphrgl
Username Failures Maximum Latest
ftphrgl 6 0 Tue Oct 28 20:01:43 -0400 2008 on 147.154.162
[root@adela161p pam.d]# grep account system-auth
account required /lib/security//pam_unix.so
10-29-2008 03:53 AM
Solution
The "account is disabled" message will reveal to a potential intruder that the account *exists*, which can be an unacceptable information leak in high-security environments.
Ideally, the intruder should not be able to tell these three cases apart:
a) the account does not exist
b) the account does exist, but it is locked; no password will allow entry
c) the account exists and is not locked, but the intruder specified a wrong password.
The information to identify these cases should certainly be available to the sysadmin, so the correct place for it is the secure system log (/var/log/secure or /var/log/auth.log in most Linux distributions).
A secure way would be to add a short reminder to the end of /etc/issue or the equivalent pre-login message ("banner" in OpenSSH-style sshd configuration). Something generic like "If you have problems logging in, contact..."
Of course, the accounts helpdesk, sysadmin or whoever handles the login problems should be required to always identify the users in some reliable way before unlocking any accounts.
MK
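An admin-side check for the three cases listed in the answer above, as an added example that is not part of the original thread: it reads passwd- and shadow-format files and reports which case a user falls in, so the login prompt itself can stay generic. The function name account_state, the sample users and the sample file contents are hypothetical and constructed; reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# account_state USER [PASSWD_FILE] [SHADOW_FILE]
# Prints one of: no-such-account | locked | nologin-shell | active
# The file arguments default to the real databases.
account_state() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shadow_file=${3:-/etc/shadow}

    # Case a) the account does not exist: no passwd entry.
    shell=$(awk -F: -v u="$user" \
        '$1 == u { print $7; found = 1 } END { exit !found }' \
        "$passwd_file") || { echo no-such-account; return 0; }

    # Case b) locked: the hash field starts with "!" or "*",
    # so no password can ever match it.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case $hash in
        '!'*|'*'*) echo locked; return 0 ;;
    esac

    # The shell criterion raised earlier in the thread.
    case $shell in
        */nologin|*/false) echo nologin-shell; return 0 ;;
    esac

    # Case c) usable account: a failed login was a wrong password.
    echo active
}

# Demonstration on constructed sample data (not real accounts or hashes).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/bash' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' \
                  'ftpsvc:x:1003:1003::/home/ftpsvc:/sbin/nologin' > "$dir/passwd"
    printf '%s\n' 'alice:$6$salt$hash:14180:0:99999:7:::' \
                  'bob:!$6$salt$hash:14180:0:99999:7:::' \
                  'ftpsvc:$6$salt$hash:14180:0:99999:7:::' > "$dir/shadow"
    for u in alice bob ftpsvc mallory; do
        printf '%s: %s\n' "$u" "$(account_state "$u" "$dir/passwd" "$dir/shadow")"
    done
    rm -rf "$dir"
}
demo
```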
© Copyright 2024 Hewlett Packard Enterprise Development LP