LinuxQuestions.org


as400 12-11-2007 04:24 AM

Configuring Incorrect Logins (Timeouts, Lockout Policies)
 
Hello To All,

Can you please explain how I can establish a setting for MAXIMUM BAD PASSWORD ENTRIES and how to set a LOCKOUT timeout under Solaris 10 (CDE)?

I want to set the following:

Number of incorrect logins set to: 5
Account Lockout Policy set to: UNTIL ADMIN OR ROOT UNLOCKS IT.

I'm using the CDE desktop.

Many thx in advance.


Thank You and Best Regards

jlliagre 12-11-2007 07:02 AM

Set RETRIES=3 in /etc/default/login file
Set LOCK_AFTER_RETRIES=YES in /etc/security/policy.conf

And that should do it.

For details: http://blogs.sun.com/gbrunett/date/20040923

as400 12-11-2007 08:28 AM

Thanks a lot.

Also, in case a user gets locked out, then, as ROOT, how can I RESET or UNLOCK the account?

as400 12-11-2007 08:42 AM

I'm sorry...

Are you sure that this configuration setting is for logging in from the CDE Desktop... or is this only for logging in from a Telnet session (like the one in the URL link)?

Please advise on this.

jlliagre 12-11-2007 12:10 PM

Quote:

Originally Posted by as400 (Post 2987129)
Thanks a lot.

Also, in case a user gets locked out, then, as ROOT, how can I RESET

Code:

passwd <username>

Quote:

or UNLOCK the account?

Code:

passwd -u <username>

jlliagre 12-11-2007 12:13 PM

Quote:

Originally Posted by as400 (Post 2987139)
Are you sure that this configuration setting is for logging in from the CDE Desktop... or is this only for logging in from a Telnet session (like the one in the URL link)?

Possibly. Did you observe that it doesn't work the expected way with CDE?

as400 12-11-2007 12:46 PM

Well... Guess what... I tried logging in under the CDE desktop screen and it does not work... I tried at least 5 times after I set RETRIES to 3 login attempts...

So, it may work from a Telnet session... but how can I make it work when trying to log in to the CDE Desktop?

Remember... I am logging in using my own user account to the CDE Desktop... So is there a way to set the number of limits or retries when logging onto the CDE Desktop instead of a Telnet session?

jlliagre 12-11-2007 12:49 PM

Did you check that it locks you out as expected when using telnet?

as400 12-11-2007 02:20 PM

Ok... I don't even care about Telnet... as I have it DISABLED anyway for security reasons...

All I care about is logging into the CDE Desktop...

Like I said, I tried it 5 times typing an incorrect password on purpose and it does not seem to work...

All I wish to do is set these LOGIN RESTRICTIONS when my local user account tries to log in TO the CDE Desktop... and not by using a session...

Any more suggestions?

jlliagre 12-11-2007 07:35 PM

If you don't care to investigate why it doesn't work for you, why would anyone care?

as400 12-12-2007 12:11 AM

OK,

I'm sorry.

Now I have enabled Telnet (svcadm enable telnet to... 127.0.0.1). I tried only 2 incorrect logins, and then the third time I did it correctly and it said... LAST LOGIN FAILURE occurred at this date and so on.

But how come it does not work under the CDE desktop login screen?

jlliagre 12-12-2007 01:15 AM

Lockout works for me with both telnet and CDE.

Is the following line present in your /etc/pam.conf file?
Code:

other auth required  pam_unix_auth.so.1
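
The three settings named in this thread (RETRIES in /etc/default/login, LOCK_AFTER_RETRIES in /etc/security/policy.conf, and the `other auth required pam_unix_auth.so.1` line in /etc/pam.conf) only lock accounts when all three agree. The script below is an added audit helper, not code from the thread: it reads copies of those files and reports whether lockout is effective. The file contents it builds are constructed samples; the "stock" profile mimics the Solaris 10 defaults (RETRIES=5, LOCK_AFTER_RETRIES=NO) and the "hardened" profile applies the settings suggested above. Per-user overrides in /etc/user_attr are not checked.

```sh
#!/bin/sh
# Added audit helper (hypothetical, not from the thread). Reads copies of the
# files that Solaris account lockout depends on and reports the effective state.
# Per-user lock_after_retries overrides in /etc/user_attr are NOT examined.

# Effective value of KEY in an /etc/default-style file: commented-out lines
# are ignored and the last assignment wins. Prints nothing if the key is absent.
default_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Succeeds if pam.conf routes the given service through pam_unix_auth.so.1,
# the module that counts failed attempts and applies LOCK_AFTER_RETRIES.
pam_has_unix_auth() {
    grep -E "^[[:space:]]*$2[[:space:]]+auth[[:space:]]+required[[:space:]]+pam_unix_auth\.so\.1" "$1" >/dev/null
}

# Prints "LOCKOUT_ENABLED <retries>" or "LOCKOUT_DISABLED <reason>".
# Args: path to login defaults, path to policy.conf, path to pam.conf.
check_lockout_policy() {
    retries=$(default_value "$1" RETRIES)
    lock=$(default_value "$2" LOCK_AFTER_RETRIES)
    if [ -z "$retries" ]; then echo "LOCKOUT_DISABLED RETRIES-unset"; return 1; fi
    if [ "$lock" != "YES" ]; then echo "LOCKOUT_DISABLED LOCK_AFTER_RETRIES=${lock:-unset}"; return 1; fi
    if ! pam_has_unix_auth "$3" other; then echo "LOCKOUT_DISABLED pam_unix_auth-missing"; return 1; fi
    echo "LOCKOUT_ENABLED $retries"
}

# Writes constructed sample files into directory $1. Profile $2 is "stock"
# (Solaris 10 defaults: RETRIES=5, LOCK_AFTER_RETRIES=NO) or "hardened"
# (the thread's RETRIES=3 and LOCK_AFTER_RETRIES=YES).
make_sample_files() {
    dir=$1; profile=$2
    printf '#RETRIES=5\nRETRIES=%s\n' "$( [ "$profile" = hardened ] && echo 3 || echo 5 )" > "$dir/login"
    printf 'CRYPT_DEFAULT=__unix__\nLOCK_AFTER_RETRIES=%s\n' "$( [ "$profile" = hardened ] && echo YES || echo NO )" > "$dir/policy.conf"
    printf 'login auth required pam_unix_auth.so.1\nother auth requisite pam_authtok_get.so.1\nother auth required pam_unix_auth.so.1\n' > "$dir/pam.conf"
}

# Demo: audit the stock profile, then the hardened one.
tmp=$(mktemp -d)
make_sample_files "$tmp" stock
check_lockout_policy "$tmp/login" "$tmp/policy.conf" "$tmp/pam.conf" || true
make_sample_files "$tmp" hardened
check_lockout_policy "$tmp/login" "$tmp/policy.conf" "$tmp/pam.conf" || true
rm -rf "$tmp"
```

To audit a live Solaris box instead of the samples, call `check_lockout_policy /etc/default/login /etc/security/policy.conf /etc/pam.conf`.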

as400 12-12-2007 02:50 AM

I'm unable to check right now as I'm not in front of the PC.
I will let you know later.

Thanks.

as400 12-12-2007 12:57 PM

Ok,

Here I found the following lines in the /etc/pam.conf file:
Code:

# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

jlliagre 12-12-2007 02:19 PM

If that line is there, I have no more ideas. Sorry.

For information, locking works fine for me with CDE/Solaris Express.
