LinuxQuestions.org
Old 02-02-2005, 02:59 PM   #1
looseCannon
Member
 
Registered: Dec 2003
Location: Little Rock, AR
Distribution: Fedora Core 2, AIX, HP-UX, Solaris, Whitebox
Posts: 193

Rep: Reputation: 31
Temporarily lock an account


Not sure if this is even possible in AIX, but other UNIX OS's can do this.

Does anyone know of a way to lock an account temporarily after they get too many failed login attempts? The only way I know of to unlock the account is manually. I would like to set it up so that a person is only locked out of the server for a certain period of time, like 30 minutes.

We have it set up like this on some Sun servers, but I can't find anything on how to set this up on AIX.
 
Old 02-02-2005, 07:04 PM   #2
Leftlane
LQ Newbie
 
Registered: Jan 2005
Distribution: Redhat EL / AIX
Posts: 8

Rep: Reputation: 0
I'm not sure of an easy way to do this in AIX. That's not to say one doesn't exist.

One potential method that comes to mind is to have a script run out of cron every X minutes. For each registered user, it compares the unsuccessful_login_count value in /etc/security/lastlog to the loginretries count from /etc/security/user or some arbitrary value for every user on your entire system (keeping you from having to actually set up this value on a user by user basis). If that value is greater, they get added to a bad_user list of some type and are locked out - either by the system because you've already defined the "loginretries" value for that user in /etc/security/user OR manually by your program (if there's no loginretries value) by doing something like:

chuser account_locked=true <username>

These locked users get added to a dynamic file somewhere, along with their current "unsuccessful_login_count" value from /etc/security/lastlog. Program exits.

Then, X minutes later when the script is called again, it first looks at the previously locked users. If their value of "unsuccessful_login_count" is unchanged from X minutes before, then you unlock them. Again, here it would depend on if you've allowed the system to automatically lock them (with the "loginretries" value in /etc/security/user) or you've manually done it in your script (with the chuser command). To wit, enable the account by either resetting the unsuccessful_login_count (chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s <username>) or manually unlock the account with chuser (chuser account_locked=false <username>). Then reset the failed user list and evaluate for new offenders as above.

The downside to letting your script lock out the users as opposed to AIX w/ the loginretries values, is that they'll only get locked every X minutes, instead of immediately. As such, I'd go the loginretries route in /etc/security/user. YMMV.
 
Old 02-03-2005, 07:14 AM   #3
Frustin
Member
 
Registered: May 2002
Location: Essex, UK
Distribution: Debian, Redhat, AIX 5L
Posts: 512

Rep: Reputation: 30
One way to lock an account is to use the passwd command with the -s flag to set the login shell to /bin/false.

The other is of course to use: smit user

Last edited by Frustin; 02-03-2005 at 07:16 AM.
 
Old 02-04-2005, 07:22 AM   #4
looseCannon
Member
 
Registered: Dec 2003
Location: Little Rock, AR
Distribution: Fedora Core 2, AIX, HP-UX, Solaris, Whitebox
Posts: 193

Original Poster
Rep: Reputation: 31
Leftlane :

I think you're right. I'm probably going to have to write a script or two to handle this. Just have to figure out how to keep from processing system accounts.
 
Old 02-04-2005, 11:08 AM   #5
zorba4
Member
 
Registered: Feb 2004
Location: Paris
Posts: 398

Rep: Reputation: 31
When you create the user (smit user) you can see the line
Number of FAILED LOGINS before [0]
user account is locked
So, you don't have to take care of the locking part: if you put 3 failed logins before user account is locked, the user is locked after three fails.
Then, you can use the script suggested by Leftlane: twice per hour, have a look if users have been locked and unlock them.
So, a user will be locked, unlocked at 2:30 PM, locked again, unlocked at 3:00 PM, etc.
 
Old 02-04-2005, 11:24 AM   #6
Leftlane
LQ Newbie
 
Registered: Jan 2005
Distribution: Redhat EL / AIX
Posts: 8

Rep: Reputation: 0
Quote:
Originally posted by looseCannon
Leftlane :

I think you're right. I'm probably going to have to write a script or two to handle this. Just have to figure out how to keep from processing system accounts.

The way I normally do that is to grep out /etc/passwd looking for my given home directory structure, which is typically something other than the vanilla "/home". For example, on one system I have users in /u1, so the following would get me a list of actual-people type users:

grep u1 /etc/passwd | awk -F: '{print $1}'

However, maybe you use /home and have gecos information for real people while for the system type users gecos is blank. In that case the following command would get you a list of real users:

awk -F: '($5!="")' /etc/passwd | awk -F: '{print $1}'

The first awk tells it to return all lines from /etc/passwd whose 5th field delimited by a ":" isn't blank. The next of course trims off the first field, username. Good luck.
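
The cron procedure from posts #2 and #5, combined with the gecos filter from post #6, as an added example that is not code from any poster in this thread. It assumes loginretries is already set in /etc/security/user so AIX does the locking; the function names (real_users, plan_actions, aix_counts, aix_apply) and the --apply entry point are hypothetical, and the decision logic reads plain files so it can be checked away from an AIX box.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes loginretries is set in
# /etc/security/user so AIX does the locking; this only times the unlock.
# Keep the STATE file in a root-only directory of your choosing, not /tmp.
real_users() {   # $1 = passwd-format file; non-blank gecos, as in post #6
    awk -F: '$5 != "" {print $1}' "$1"
}

# plan_actions PASSWD COUNTS STATE MAX   (COUNTS/STATE hold "user count" lines)
# Prints "unlock USER" when the count has not moved since the previous run,
# "locked USER" when it exceeds MAX; rewrites STATE with the still-locked users.
plan_actions() {
    passwd=$1 counts=$2 state=$3 max=$4
    [ -f "$state" ] || : > "$state"
    : > "$state.$$"
    real_users "$passwd" | while read -r user; do
        now=$(awk -v u="$user" '$1 == u {print $2}' "$counts")
        was=$(awk -v u="$user" '$1 == u {print $2}' "$state")
        now=${now:-0}
        if [ -n "$was" ] && [ "$now" -eq "$was" ]; then
            echo "unlock $user"              # quiet for one full interval
        elif [ "$now" -gt "$max" ]; then
            echo "locked $user"              # new offender, or still trying
            echo "$user $now" >> "$state.$$"
        fi
    done
    mv "$state.$$" "$state"
}

aix_counts() {   # AIX only: emit "user count" lines from /etc/security/lastlog
    real_users /etc/passwd | while read -r u; do
        lssec -f /etc/security/lastlog -s "$u" -a unsuccessful_login_count 2>/dev/null |
            sed 's/ unsuccessful_login_count=/ /'
    done
}

aix_apply() {    # AIX only: reset the counter with the chsec call from post #2
    while read -r action user; do
        [ "$action" = unlock ] || continue
        chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$user"
    done
}

# Entry point for cron (hypothetical usage): script --apply STATE MAX
if [ "${1:-}" = "--apply" ]; then
    aix_counts > "$2.counts"
    plan_actions /etc/passwd "$2.counts" "$2" "$3" | aix_apply
fi
```

With a 30-minute cron interval, a locked user waits between 30 and 60 minutes after the last failed attempt, and any further attempt while locked restarts the wait because the count has moved.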
 
  

