locked_out_acct_es(3) Library Functions Manual locked_out_acct_es(3)
NAME
locked_out_acct_es, locked_out_es - determine if password-management disallows user login (Enhanced Security)
LIBRARY
Security Library - libsecurity.so
SYNOPSIS
#include <prot.h>
int locked_out_acct_es(
struct es_passwd *prpwd,
struct es_default *dfp,
int flags, ...);
int locked_out_acct_es(
struct es_passwd *prpwd);
PARAMETERS
prpwd Specifies a pointer to an extended profile structure.
dfp Specifies a pointer to the defaults database obtained from a getesdfnam() call.
flags, ...
Mask of bits to enable or disable features within the routine. This is intended to allow expansion within the locked_out_acct_es()
the routine for more options. The values in the variable argument are based on the sequential order of the flags used and the type
represented by the flag.
Currently supported flags are: A value of 0 indicates that the caller wishes to NOT audit the account locked out event. Other val-
ues create the event. Type is int.
DESCRIPTION
The locked_out_acct_es() function determines whether the password management values for an extended profile prohibit the user from logging
in. This routine is called as part of the login processing under enhanced security.
If the flags field is non zero, locked_out_acct_es() uses the mask in the flags field to sequentially check the presence of the specified
flags and retrieve the value of each from the variable argument list. For example, if the AUTH_LOCKED_OUT_AUD_FLAG bit is set, then the
first variable parameter is read as an 'int' and will be used as described above.
If the current time falls within the grace limit parameter (uflg->fg_grace_limit and ufld->fd_grace_limit), then access is allowed. Other-
wise, the following values are checked.
If the profile has vacation information set (uflg->fg_vac_start and uflg->fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the
fields are valid (both fd_vac_start and fd_vac_end are non-zero, and the start time is less than the end time), and the current time is
during the vacation period, then the user is prohibited from logging in.
If the profile has valid vacation information set, and that vacation is now over, some adjustments are made to other time intervals which
get checked. If the last successful password change was before that vacation, then the password lifetime check is extended by the duration
of the user's vacation. If the last successful login was before that vacation, then the maximum login interval checked below is extended
by the length of the vacation.
If the user's password has not been changed successfully for a long enough time that it has passed its lifetime (which may be adjusted for
comparison purposes as described above for the vacation handling), and it is not a null password, then the user is prohibited from logging
in. (Fields checked are uflg->fg_encrypt, ufld->fd_encrypt, uflg->fg_schange, ufld->fd_schange, uflg->fg_lifetime, ufld->fd_lifetime,
sflg->fg_lifetime, sfld->fd_lifetime, in addition to the vacationing checks above.)
If the profile is marked with a maximum login interval (also known as minimum login frequency), and if the last successful login time
recorded (possibly adjusted by the vacation handling described above) is more than that interval before the present time, then the user is
prohibited from logging in. (Fields checked are uflg->fg_slogin, ufld->fd_slogin, uflg->fg_max_login_int, ufld->fd_max_login_int, and the
vacationing checks above.)
If break-in evasion is enabled for the profile with a non-zero value for the maximum allowed unsuccessful attempts (uflg->fg_max_tries,
ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if there have been at least that many consecutive unsuccessful login
attempts recorded for the account (uflg->fg_nlogins, ufld->fd_nlogins), then the user may be prohibited from logging in. If there is no
last unsuccessful login time recorded (uflg->fg_ulogin) or if there is no unlock interval for the account (uflg->fg_unlockint,
ufld->fd_unlockint, sflg->fg_unlockint, sfld->fd_unlockint), the user is prohibited from logging in. If there is a non-zero unlock inter-
val and a last unsuccessful login time has been recorded, but adding the unlock interval to the last unsuccessful login time produces a
value which is greater than the current time, then the user is prohibited from logging in. If the fd_skip_slogin_log system defaults field
is set, then an account is not locked out based on any maximum login interval that may be set for the account. If the system defaults
field fd_skip_flogin_log is set, then an account is not locked out based on attempted failures.
If the profile is marked as being locked by the system administrator, then the user is prohibited from logging in. (Fields checked are
uflg->fg_lock, ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked out, a value of 0 is returned.
RETURN VALUES
A return of 1 indicates that the password management values for this profile keep the associated user from logging in at the current time.
A return of 0 indicates that the password management values for this profile do not prevent the associated user from logging in.
NOTES
The attempt to execute an audgenl() call is contingent upon the AUTH_LOCK_OUT_AUD_FLAG from the flags argument. That is, if someone sets
the AUTH_LOCK_OUT_AUD_FLAG bit in the flags argument and supplies a zero(0) as the first parameter after flags, then the audgenl() call is
not made. In order to quickstart a program, the program must be linked as follows:
-lsecurity -ldb -laud -lm
See the shared library discussion in the Programmer's Guide for more information about using the quickstarting feature. When
locked_out_acct_es() returns 1 to indicate that the user is locked out, it also attempts to make an audit entry with audgenl() to indicate
that fact. The old locked_out_es() now calls locked_out_acct_es() passing prpwd as well as a pointer to an es_default struct. The call is
made as follows:
return locked_out_acct_es(prpwd, dfp, 0);
RELATED INFORMATION
getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)
Security delim off
locked_out_acct_es(3)