LinuxQuestions.org


jobart08 06-05-2015 05:24 AM

Prevent account from being locked out after X number of attempts
 
Hi all,

I have several crontab entries run as oracle user. I need to prevent oracle user from being locked when the max failed login is reached. Is there a way to prevent it from being locked even when the server is hardened? OS is SunOs.

Thanks!

JeremyBoden 06-05-2015 11:04 AM

crontab entries run as background jobs & do not require any passwords.

joec@home 06-05-2015 12:37 PM

Are you getting an error that a user account actually is being locked, or is this a theoretical question?

jobart08 06-05-2015 06:07 PM

Problem is when oracle users forget the password and by accident, they lock the accounts. The cronjobs won't run because the oracle account is locked. I want to prevent that from happening. Thanks! :-)

joec@home 06-05-2015 06:14 PM

I'm not specifically an Oracle guru, but you will need to have that configured in the Oracle configuration, not the Linux user configuration.

Configuring Authentication - Subsection Table 3-1 Password-Specific Settings in the Default Profile
https://docs.oracle.com/database/121...n.htm#CHDEGBEG

jobart08 06-05-2015 06:18 PM

My bad. I might have worded it wrong. I meant "oracle" account users in SunOs. Account name is oracle.

joec@home 06-05-2015 06:32 PM

If I remember right SunOS is not too terribly different and should use PAM authentication. Try the following command to try to trace down the specific configuration file causing the lockout.

grep 'deny=' /etc/pam.d/*

You would see something like 'deny=5', more details found in the following article.

How to lock users after 5 unsuccessful login tries?
http://unix.stackexchange.com/questi...ul-login-tries

jobart08 06-05-2015 06:36 PM

But won't that affect every other user account? Is there a way to keep that setting but still make a specific account unlockable? Thanks!

joec@home 06-05-2015 06:52 PM

Quote:

Originally Posted by jobart08 (Post 5372831)
But won't that affect every other user account? Is there a way to keep that setting but still make a specific account unlockable? Thanks!

Short answer, "No" that is only a global setting, not an individual user setting. If there was an option it would be a file like /home/oracle/.pam but that would just be a huge gaping security hole, so it is more fantasy I am saying than reality. At best you might make a script that greps oracle from /etc/passwd and searches for the "!" flag in that line. Then an if true statement to trigger a passwd -u oracle command. Then set that script in the root cron to run every few minutes.
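
Added example, not part of joec@home's post: the detection half of the script described above, reporting an account's lock state instead of running passwd -u. It assumes shadow(4)-format entries in which a lock appears in the password field as a "*LK*" prefix (Solaris) or a leading "!" (Linux); the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Constructed sample data; the hashes are placeholders.
# Assumption: entries are in shadow(4) format and a lock shows up in field 2
# as a "*LK*" prefix (Solaris) or a leading "!" (Linux).

# lock_state LINE: print locked | nologin | empty | active | malformed
lock_state() {
    printf '%s\n' "$1" | awk -F: '
        NF < 2                      { print "malformed"; exit }
        $2 ~ /^\*LK\*/ || $2 ~ /^!/ { print "locked";    exit }
        $2 == "NP" || $2 == "*"     { print "nologin";   exit }
        $2 == ""                    { print "empty";     exit }
                                    { print "active" }'
}

# check_account USER FILE: print the state; return 0 active, 1 locked, 2 other
check_account() {
    line=$(awk -F: -v u="$1" '$1 == u { print; exit }' "$2")
    if [ -z "$line" ]; then echo "missing"; return 2; fi
    state=$(lock_state "$line")
    echo "$state"
    case $state in
        active) return 0 ;;
        locked) return 1 ;;
        *)      return 2 ;;
    esac
}

# Constructed shadow-style entries covering both lock markers.
sample_shadow() {
    cat <<'EOF'
root:$5$constructed$notarealhash:16500::::::
oracle:*LK*$5$constructed$notarealhash:16590::::::
batch:NP:16000::::::
appuser:!$6$constructed$notarealhash:16590:0:99999:7:::
EOF
}

# Demo run over the sample data.
tmp=$(mktemp) && sample_shadow > "$tmp"
for u in root oracle batch appuser nosuch; do
    printf '%-8s %s\n' "$u" "$(check_account "$u" "$tmp")"
done
rm -f "$tmp"
```

On a real host the file argument would be /etc/shadow, read as root; the non-zero return for a locked account lets a cron wrapper raise an alert before the scheduled jobs are missed.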

jobart08 06-05-2015 06:54 PM

Great. Thanks man!

jobart08 06-14-2015 08:46 PM

So here are the requirements:

oracle account does not lock after x number of failed logins

oracle account cannot ssh directly - done

sudoers cannot su to oracle account - done


I'm having difficulty with the first requirement. Any suggestions?

Thanks!

JeremyBoden 06-15-2015 11:22 AM

How about setting the account so it locks after 9,999,999 failed attempts? :D

jobart08 06-16-2015 01:18 AM

Quote:

Originally Posted by JeremyBoden (Post 5377483)
How about setting the account so it locks after 9,999,999 failed attempts? :D

Hi. Is it possible to set this for just one account?

Thanks!

descendant_command 06-16-2015 01:31 AM

Probably you should be using different users for your cron jobs and interactive logins.

chrism01 06-17-2015 05:34 AM

Quote:

Probably you should be using different users for your cron jobs and interactive logins.
Now there's a good idea; not only would it solve your problem, but it would enable post-facto audits to distinguish between cron jobs and user access.
In any case, real users should have individual accts anyway (ask your auditor...)


All times are GMT -5.