Operating System - Linux

skt_skt
Honored Contributor

account disabled message on auth failure

RHEL AS 2.1/3/4/5

I have noticed that the Linux user accounts are not returning an error message "account is disabled; contact your system administrator", unlike HP-UX.

Is there a way to get a similar message in Linux? We use PAM authentication.
Ivan Ferreira
Honored Contributor

Re: account disabled message on auth failure

Under which circumstances do you want to get a similar message? For example, if the shell is /sbin/nologin you will get a similar message.
Why do it the hard way, when you can do it the easy way?
skt_skt
Honored Contributor

Re: account disabled message on auth failure

It's not happening. Any other criteria along with the /sbin/nologin?

# faillog -u ftphrgl
Username Failures Maximum Latest
ftphrgl 6 0 Tue Oct 28 20:01:43 -0400 2008 on 147.154.162

[root@adela161p pam.d]# grep account system-auth
account required /lib/security//pam_unix.so

Matti_Kurkela
Honored Contributor
Solution

Re: account disabled message on auth failure

The "account is disabled" message will reveal to a potential intruder that the account *exists*, which can be an unacceptable information leak in high-security environments.

Ideally, the intruder should not be able to tell these three cases apart:
a) the account does not exist
b) the account does exist, but it is locked; no password will allow entry
c) the account exists and is not locked, but the intruder specified a wrong password.

The information to identify these cases should certainly be available to the sysadmin, so the correct place for it is the secure system log (/var/log/secure or /var/log/auth.log in most Linux distributions).

A secure way would be to add a short reminder to the end of /etc/issue or the equivalent pre-login message ("banner" in OpenSSH-style sshd configuration). Something generic like "If you have problems logging in, contact..."

Of course, the accounts helpdesk, sysadmin or whoever handles the login problems should be required to always identify the users in some reliable way before unlocking any accounts.

MK
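The reply above puts the "which of the three cases was it" information in /var/log/secure rather than on the login prompt. The following is an added example, not part of Matti_Kurkela's reply or anything from the original thread: a small admin-side triage script that sorts failed logins from that log into the cases the prompt should not reveal (no such account, locked or expired account, wrong password), and flags a source that is probing many nonexistent accounts, which is the footprint of someone harvesting the "account exists" signal by other means. The log lines are constructed; their wording follows what OpenSSH sshd and pam_unix write on RHEL-style systems, but it varies by version and configuration (for instance, sshd only logs "not allowed because account is locked" when it checks the shadow entry itself), so the regular expressions are assumptions to check against your own logs.

```python
"""Admin-side triage of login failures from /var/log/secure.

Added example, not code from the original thread. The log lines and the
threshold are constructed; message wording follows OpenSSH sshd and
pam_unix as commonly seen on RHEL-style systems but varies by version,
so verify the patterns against your own /var/log/secure before use.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not from the thread).
SAMPLE_LOG = """\
Oct 28 20:01:40 adela161p sshd[4211]: Failed password for invalid user admin from 10.0.0.5 port 50210 ssh2
Oct 28 20:01:41 adela161p sshd[4213]: Failed password for invalid user oracle from 10.0.0.5 port 50211 ssh2
Oct 28 20:01:42 adela161p sshd[4215]: Failed password for invalid user test from 10.0.0.5 port 50212 ssh2
Oct 28 20:01:43 adela161p sshd[4217]: Failed password for ftphrgl from 10.0.0.5 port 50213 ssh2
Oct 28 20:05:10 adela161p sshd[4301]: User svc_backup not allowed because account is locked
Oct 28 20:06:02 adela161p sshd[4310]: pam_unix(sshd:account): account jdoe has expired (account expired)
Oct 28 20:07:30 adela161p sshd[4320]: Accepted publickey for jdoe2 from 10.0.0.9 port 40022 ssh2
"""

# Ordered list: the "invalid user" pattern must be tried before the generic
# "Failed password for <user>" pattern, or the latter would capture the
# word "invalid" as the user name. Patterns are assumptions (see docstring).
CASES = [
    ("no_such_account",   # sshd: case (a), the account does not exist
     re.compile(r"Failed password for invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("locked",            # sshd, when it checks the shadow entry itself: case (b)
     re.compile(r"User (?P<user>\S+) not allowed because account is locked")),
    ("expired",           # pam_unix account module: also case (b) from the intruder's view
     re.compile(r"pam_unix\([^)]*:account\): account (?P<user>\S+) has expired")),
    ("wrong_password",    # sshd: case (c), real account, wrong password
     re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
]


def classify_line(line):
    """Return (case, user, src) for a recognised failure line, else None.

    src is None for messages that carry no remote host (the sshd lock
    message and the pam_unix expiry message in the sample above)."""
    for case, pattern in CASES:
        m = pattern.search(line)
        if m:
            return case, m.group("user"), m.groupdict().get("src")
    return None


def triage(log_text):
    """Group recognised failures: case -> list of (user, src) in log order.

    Successful logins and unrecognised lines are ignored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            case, user, src = hit
            events[case].append((user, src))
    return dict(events)


def enumeration_sources(events, threshold=3):
    """Sources that probed at least `threshold` distinct nonexistent accounts.

    A verbose "account is disabled" prompt would hand this signal over
    directly; with a silent prompt the attacker has to guess, and the
    guessing shows up here. The threshold is a constructed default."""
    probed = defaultdict(set)
    for user, src in events.get("no_such_account", []):
        probed[src].add(user)
    return {src for src, users in probed.items() if len(users) >= threshold}


if __name__ == "__main__":
    ev = triage(SAMPLE_LOG)
    for case, hits in sorted(ev.items()):
        print(f"{case:16s} {hits}")
    print("enumeration suspects:", enumeration_sources(ev))
```

Run it against a real log with `triage(open("/var/log/secure").read())`; on a system with `UsePAM yes` the lock case will usually not appear under the sshd wording used here, which is exactly the kind of version difference the patterns need to be adjusted for.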