RE: Account Lockout in Solaris 8
From: BAUMLER Julie L (julie.x.baumler@co.multnomah.or.us)
Date: Tue Oct 14 2003 - 13:33:28 CDT
> -----Original Message-----
> From: Kevin L Prigge [mailto:klp@tc.umn.edu]
> Sent: Tuesday, October 14, 2003 9:29 AM
> To: Kenneth Denski
> Cc: focus-sun@securityfocus.com
> Subject: Re: Account Lockout in Solaris 8
> On Tue, Oct 14, 2003 at 04:09:38PM -0000, Kenneth Denski wrote:
> > Does anyone know if it is possible to implement account
> > lockouts in Sun Solaris 8? I want to set it so that after 3
> > bad login attempts, the user is locked out and must be reset
> > by the Admin.
> > Is there any way to do this?
A) Write/port your own PAM module.
B) Adjust the variables in /etc/default/login to log to syslog after 3 bad
attempts, have an x (x = relatively long) SLEEPTIME, set retries to 4.
(Optionally, adjust syslog.conf so these messages go to a log file of their
own.) Use a log file reading tool (such as swatch or roll your own) to
check for messages every y (y < x) seconds, parse out the username and issue
"passwd -l <username>".
> Make sure they know that there are real DOS possibilities with a
> scheme such as this, and just because this functionality was available
> on IBM mainframes, it doesn't make it a good or useful idea.
Also, in general, password reset procedures tend to have weaknesses that
are open to social engineering. How do you verify users in remote
buildings (or who are traveling)? How do you securely get them their new
password without being subject to some sort of eavesdropping or known
password attack? If you use the phone what do you do when phone service is
out for that site? How do you securely reset a password for a deaf user at
a remote site? How many times would a user have to get locked out in a row
before you realized that the problem wasn't their inability to type in the
password you gave them, but someone continuing a password guessing attack?
What if they ended up at a different help desk tech each time? (Even if
it's not your plan today, this will eventually cause enough work to get
turned over to the help desk.)
Julie L Baumler, SCNA
Sr Systems Administrator
Multnomah County IT
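One way to build the "roll your own" log-reading half of option B, as an added example that is not from the thread: a POSIX sh/awk script that counts failed-login syslog messages per user and hands each name that reaches the threshold to `passwd -l`. The log line format and host names below are constructed for the example (check them against what your login(1) actually writes to syslog), and skipping root is an assumption added so a guessing run against root cannot lock the administrator out of the console.

```shell
#!/bin/sh
# Read failed-login syslog lines and print the accounts to lock.
# Run it from cron every y seconds against the file syslog.conf
# sends the login facility to, with y < SLEEPTIME from /etc/default/login.

THRESHOLD=${THRESHOLD:-3}

# Constructed sample of what the login program might log; the real format
# on your system should be confirmed before relying on the pattern below.
SAMPLE_LOG='Oct 14 13:20:01 sol8 login: LOGIN FAILURE ON /dev/pts/3 FROM 10.0.0.5, jdoe
Oct 14 13:20:09 sol8 login: LOGIN FAILURE ON /dev/pts/3 FROM 10.0.0.5, jdoe
Oct 14 13:20:17 sol8 login: REPEATED LOGIN FAILURES ON /dev/pts/3 FROM 10.0.0.5, jdoe
Oct 14 13:21:40 sol8 login: LOGIN FAILURE ON /dev/pts/4 FROM 10.0.0.9, asmith
Oct 14 13:22:02 sol8 login: LOGIN FAILURE ON /dev/console, root
Oct 14 13:22:10 sol8 login: LOGIN FAILURE ON /dev/console, root
Oct 14 13:22:18 sol8 login: LOGIN FAILURE ON /dev/console, root
Oct 14 13:23:00 sol8 sshd[412]: Accepted password for asmith from 10.0.0.9'

# failed_users_over LIMIT: read log lines on stdin, print (sorted) every
# username whose failure count is >= LIMIT. The username is the last
# comma-separated field of a "LOGIN FAILURE" line. root is skipped on
# purpose (assumption): locking it would turn a guessing run into a
# lockout of the administrator.
failed_users_over() {
    awk -v limit="$1" '
        /LOGIN FAILURE/ {
            n = split($0, parts, ", ")
            user = parts[n]
            gsub(/[ \t\r]+$/, "", user)
            if (user != "" && user != "root") count[user]++
        }
        END { for (u in count) if (count[u] >= limit) print u }
    ' | sort
}

# demo: run the parser over the constructed sample; used by the test.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | failed_users_over "$THRESHOLD"
}

# lock_from_log FILE: lock every account over the threshold. Set
# LOCK_CMD=echo for a dry run instead of calling passwd -l.
lock_from_log() {
    cmd=${LOCK_CMD:-"passwd -l"}
    failed_users_over "$THRESHOLD" < "$1" | while read -r u; do
        $cmd "$u"
    done
}
```

With the sample above only jdoe reaches three failures; asmith has one and root is skipped, so a dry run (`LOCK_CMD=echo lock_from_log /var/log/loginfail`) would print just `jdoe`.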