Auto Locking user accounts - SUN Solaris

run_time_error · #1 05-25-2006

Hi,

I am trying to setup account locking in Solaris 9.
I have made the changes in /etc/default/login where
RETRIES=5 and
SYSLOG_FAILED_LOGINS=5
and in /etc/user_attr I am having:
test_user::::lock_after_retries=yes

Still I am not able to lock test_user after successive
unsuccessful logins.

Any help is appreciated.
rte

RTM · #2 06-03-2006

The /etc/default/login environment variables.

RETRIES=5. This variable controls how many attempts before the tty line is disconnected. Keep in mind that this does not disable the account. The user can always reconnect and make another 5 attempts.

SYSLOG_FAILED_LOGINS=5. This sets the number of failed attempts before logging via the auth.notice facility in syslog is done.

And since you are using Solaris 9:

Quote:

From Sunsolve:
Question: Does Solaris have a feature that will lock a user account after 3
or more failed login attempts?
Document Body: Top

Solaris[TM] 9 and older versions do not have a "built in" feature that allows you to lock or disable an account after a number of failed logins. However, they do have the capability to accept a pluggable authentication module. Granting the flexibility for such capabilities to be customized into older versions of Solaris via PAM.

One reason why this was not initially included was because it opens the possibility for "denial of service" attacks for users like root, staff and other. It is supported and included in Trusted Solaris because the root user is not a regular UNIX user, rather it is a role and cannot be logged into directly.

Systems using LDAP as their naming service are able to achieve this functionality in conjunction with the latest LDAP client patches and Sun[TM] ONE Directory Server 5.1 or newer.

Starting with Solaris[TM] 10, the option to configure this is available. This is done using the /etc/user_attr database and/or /etc/security/policy.conf to set lock_after_retries. The account will be locked after the number of retries is met as defined by RETRIES, located in the /etc/default/login file.

If there is still an interest in setting this up for older versions of Solaris, it is considered customization. You can either pay to have the customization, write it yourself, or search the internet for free PAM modules. All three are not supported by Sun Support. However, you can contact Sun Professional Services for information on what kind of service and fee they provide for this.

Here is Sun's link for PAM information:
http://wwws.sun.com/software/solaris/pam/

Reference:
RFE 4524783 enhance PAM authentication to allow account locking.
This feature is integrated in Solaris 10.

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
solari s 10 auto account locking	BG_JrAdmin	SUN Solaris	3	06-28-2006 02:41 PM
User Accounts	sroberts82	UNIX for Dummies Questions & Answers	3	10-13-2005 05:09 AM
single user mode - user accounts passwords	orestis	UNIX for Dummies Questions & Answers	2	03-09-2005 06:54 AM
User Accounts	Sensor	Shell Programming and Scripting	3	02-16-2004 07:31 AM
Locking in user to $HOME	thomas.jones	UNIX for Dummies Questions & Answers	1	03-20-2002 11:52 PM

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode