RE: Account Lockout in Solaris 8

From: James Poland (James.Poland_at_mail.dss.mil)
Date: 10/15/03

  • Next message: Rex Monty di Bona: "Re: Account Lockout in Solaris 8"
    Date: Tue, 14 Oct 2003 22:50:35 -0700
    To: focus-sun@securityfocus.com
    
    

    DISABLETIME can be set in /etc/default/login on Solaris 9. It is the time
    that the account is disabled after RETRIES number of unsuccessful logins.
    Default is 20 seconds for DISABLETIME, 5 attempts for RETRIES. You can set
    up a Windows-like timed lockout using DISABLETIME and RETRIES on Solaris 9.
    SLEEPTIME can also be set in /etc/default/login. It is the amount of time
    that the system pauses between when the user enters a bad password and when
    the system prompts for the user id. Default is 4 seconds, range is 0 to 5.

    DISABLETIME is not in Solaris 8. You can use someone else's PAM, or as Julie
    Baumler suggested, roll your own lockout script. /var/adm/loginlog
    records each bad login attempt after 5 bad attempts. Check the manpage.

    I like the Linux PAM. See http://www.kernel.org/pub/linux/libs/pam/. Don't
    know how it would behave on Solaris, but you might give it a shot. See
    pam_tally for the lockout function lib.

    jp

    -----Original Message-----
    From: Steve Barnet [mailto:barnet@chem.wisc.edu]
    Sent: Tuesday, October 14, 2003 10:56 AM
    To: Kevin L Prigge
    Cc: Kenneth Denski; focus-sun@securityfocus.com
    Subject: Re: Account Lockout in Solaris 8

    According to the login(1) man page from a Solaris 8 machine,
    the following variables can be set in /etc/default/login:

               RETRIES
                     Sets the number of retries for logging in (see
                     pam(3PAM)). The default is 5.

               SYSLOG_FAILED_LOGINS
                     Used to determine how many failed login attempts
                     will be allowed by the system before a failed
                     login message is logged, using the syslog(3C)
                     LOG_NOTICE facility. For example, if the
                     variable is set to 0, login will log all failed
                     login attempts.

    I don't have a Solaris machine immediately at hand, but I think
    that would be a good place to start.

    Best,

    ---Steve
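
Added example, not part of either message above: a starting point for the "roll your own lockout script" idea, reporting accounts whose failed-login count in a loginlog-style file reaches a threshold. The record layout `name:tty:time`, the function names, the `EXEMPT` variable and the sample records are assumptions made for this illustration; check loginlog(4) on the target system.

```shell
#!/bin/sh
# Added example. Assumes each loginlog record is one failed attempt:
#   name:tty:time
# Needs a POSIX awk (on Solaris: nawk or /usr/xpg4/bin/awk, an assumption).

# lockout_candidates THRESHOLD   (reads loginlog records on stdin)
# Prints "name count" for every account with at least THRESHOLD records.
# Accounts listed in EXEMPT (comma-separated, default "root") are never
# reported, so a burst of bad root logins cannot lock out the administrator.
lockout_candidates() {
    awk -F: -v limit="$1" -v exempt="${EXEMPT:-root}" '
        BEGIN { n = split(exempt, e, ","); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NF < 3 || $1 == "" { next }      # skip malformed or empty records
        !($1 in skip) { fails[$1]++ }    # one record = one failed attempt
        END { for (u in fails) if (fails[u] >= limit) print u, fails[u] }
    ' | sort
}

# Constructed sample records, not real log data.
sample_loginlog() {
    cat <<'EOF'
jdoe:/dev/pts/3:Tue Oct 14 09:12:01 2003
jdoe:/dev/pts/3:Tue Oct 14 09:12:09 2003
jdoe:/dev/pts/3:Tue Oct 14 09:12:17 2003
root:/dev/console:Tue Oct 14 09:30:00 2003
root:/dev/console:Tue Oct 14 09:30:08 2003
root:/dev/console:Tue Oct 14 09:30:16 2003
asmith:/dev/pts/5:Tue Oct 14 10:01:44 2003
garbage line without fields

EOF
}

# Report only; what to do with each listed account is left to the admin.
sample_loginlog | lockout_candidates 3
```

On a real system the input would be `lockout_candidates 5 < /var/adm/loginlog`; the counts cover the whole file, so the threshold only means "recent" if the log is rotated or truncated on a schedule.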

