LinuxQuestions.org
Old 06-05-2015, 06:24 AM   #1
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Rep: Reputation: Disabled
Prevent account from being locked out after X number of attempts


Hi all,

I have several crontab entries run as oracle user. I need to prevent oracle user from being locked when the max failed login is reached. Is there a way to prevent it from being locked even when the server is hardened? OS is SunOs.

Thanks!
 
Old 06-05-2015, 12:04 PM   #2
JeremyBoden
Senior Member
 
Registered: Nov 2011
Distribution: Debian
Posts: 1,187

Rep: Reputation: 243
crontab entries run as background jobs & do not require any passwords.
 
Old 06-05-2015, 01:37 PM   #3
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
Are you getting an error that a user account actually is being locked, or is this a theoretical question?
 
Old 06-05-2015, 07:07 PM   #4
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
Problem is when oracle users forget the password and by accident, they lock the accounts. The cronjobs won't run because the oracle account is locked. I want to prevent that from happening. Thanks! :-)
 
Old 06-05-2015, 07:14 PM   #5
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
I'm not specifically an Oracle guru, but you will need to have that configured in the Oracle configuration, not the Linux user configuration.

Configuring Authentication - Subsection Table 3-1 Password-Specific Settings in the Default Profile
https://docs.oracle.com/database/121...n.htm#CHDEGBEG
 
Old 06-05-2015, 07:18 PM   #6
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
My bad. I might have worded it wrong. I meant "oracle" account users in SunOs. Account name is oracle.
 
Old 06-05-2015, 07:32 PM   #7
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
If I remember right SunOS is not too terribly different and should use PAM authentication. Try the following command to try to trace down the specific configuration file causing the lockout.

grep 'deny=' /etc/pam.d/*

You would see something like 'deny=5', more details found in the following article.

How to lock users after 5 unsuccessful login tries?
http://unix.stackexchange.com/questi...ul-login-tries
 
Old 06-05-2015, 07:36 PM   #8
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
But won't that affect every other user account? Is there a way to keep that setting but still make a specific account unlockable? Thanks!
 
Old 06-05-2015, 07:52 PM   #9
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Rep: Reputation: 70
Quote:
Originally Posted by jobart08
But won't that affect every other user account? Is there a way to keep that setting but still make a specific account unlockable? Thanks!
Short answer, "No", that is only a global setting, not an individual user setting. If there was an option it would be a file like /home/oracle/.pam but that would just be a huge gaping security hole, so it is more fantasy I am saying than reality. At best you might make a script that greps oracle from /etc/passwd and searches for the "!" flag in that line. Then an if true statement to trigger a passwd -u oracle command. Then set that script in the root cron to run every few minutes.
 
Old 06-05-2015, 07:54 PM   #10
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
Great. Thanks man!
 
Old 06-14-2015, 09:46 PM   #11
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
So here are the requirements:

oracle account does not lock after x number of failed logins

oracle account cannot ssh directly - done

sudoers cannot su to oracle account - done


I'm having difficulty with the first requirement. Any suggestions?

Thanks!
 
Old 06-15-2015, 12:22 PM   #12
JeremyBoden
Senior Member
 
Registered: Nov 2011
Distribution: Debian
Posts: 1,187

Rep: Reputation: 243
How about setting the account so it locks after 9,999,999 failed attempts?
 
Old 06-16-2015, 02:18 AM   #13
jobart08
Member
 
Registered: Sep 2014
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by JeremyBoden
How about setting the account so it locks after 9,999,999 failed attempts?
Hi. Is it possible to set this for just one account?

Thanks!
 
Old 06-16-2015, 02:31 AM   #14
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,522

Rep: Reputation: 398
Probably you should be using different users for your cron jobs and interactive logins.
 
Old 06-17-2015, 06:34 AM   #15
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397
Quote:
Probably you should be using different users for your cron jobs and interactive logins.
Now there's a good idea; not only would it solve your problem, but it would enable post-facto audits to distinguish between cron jobs and user access.
In any case, real users should have individual accts anyway (ask your auditor...)
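
A read-only form of the lock check sketched in post #9, combined with the separate cron account suggested in post #14, as an added example that is not part of the thread. It only reports lock state and never unlocks; the shadow-style input, the "*LK*" / "!" / "NP" markers, the oracle_batch account and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report an account's lock state, no unlocking.
# Assumption: shadow(4)-style lines, where a locked password field starts with
# "*LK*" (Solaris passwd -l) or "!" (Linux passwd -l); "NP" or "*" means no password.

# lock_state FILE USER -> prints locked | nopassword | active | missing
lock_state() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if (index($2, "*LK*") == 1 || index($2, "!") == 1) print "locked"
            else if ($2 == "NP" || $2 == "*") print "nopassword"
            else print "active"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# check_account FILE USER -> returns 0 usable, 1 locked, 2 missing (for monitoring)
check_account() {
    state=$(lock_state "$1" "$2")
    case "$state" in
        locked)  echo "ALERT: $2 is locked; its cron jobs will not run" >&2; return 1 ;;
        missing) echo "ALERT: $2 not found in $1" >&2; return 2 ;;
        *)       return 0 ;;
    esac
}

# write_sample FILE -> constructed shadow-style data (hashes are placeholders)
write_sample() {
    cat > "$1" <<'EOF'
root:$5$constructed$placeholder:16500::::::
oracle:*LK*$5$constructed$placeholder:16500::::::
oracle_batch:NP:16500::::::
jdoe:!$6$constructed$placeholder:16500::::::
EOF
}

demo=$(mktemp)
write_sample "$demo"
for u in root oracle oracle_batch jdoe ghost; do
    printf '%-13s %s\n' "$u" "$(lock_state "$demo" "$u")"
done
rm -f "$demo"
```

The name field is compared exactly, so the locked oracle entry is not confused with oracle_batch, which a plain grep for "oracle" would also match.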
 
  

