RE: Account Lockout in Solaris 8
From: Darren J Moffat (Darren.MoffatSun.COM)
Date: Wed Oct 15 2003 - 11:15:02 CDT
On Tue, 14 Oct 2003, James Poland wrote:
> DISABLETIME can be set in /etc/default/login on Solaris 9. It is the time
> that the account is disabled after RETRIES number of unsuccessful logins.
> Default is 20 seconds for DISABLETIME, 5 attempts for RETRIES. You can set
> up a Windows-like timed lockout using DISABLETIME and RETRIES on Solaris 9.
> SLEEPTIME can also be set in /etc/default/login. It is the amount of time
> that the system pauses between when the user enters a bad password and when
> the system prompts for the user id. Default is 4 seconds, range is 0 to 5.
It is, as you say, the amount of time the system pauses, but it does NOTHING
to the actual account. It is very easily defeated if it is a network
connection because you just drop the connection from the client and start
again. This is really intended to assist in protecting directly attached
serial (or framebuffer) connections, not network ones.
> DISABLETIME is not in Solaris 8. You can use someone else's PAM, or as Julie
> Baumler suggested, roll your own lockout script. /var/adm/loginlog is the
> record of each bad login attempt after 5 bad attempts. Check the manpage.
loginlog is only written by login(1). dtlogin(1) doesn't write there, and
neither do ftp or sshd.
If you want to do it this way, then use the Solaris BSM Audit functionality
and turn on the lo class.
Darren J Moffat
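As an added illustration of the "roll your own" approach discussed above (example code, not from anyone in the thread), here is a report-only check that counts entries per user in loginlog(4) format (login-name:tty-specifier:time) and lists users at or above a threshold; the sample lines are constructed. Keep Darren's caveat in mind: this only sees failures that login(1) recorded, not dtlogin, ftp or sshd.

```shell
#!/bin/sh
# Report users with repeated failed logins from /var/adm/loginlog-style
# input on stdin. Report-only: it prints candidates, it does not lock
# anything. Real use: count_failures 10 < /var/adm/loginlog

# count_failures THRESHOLD
# Reads loginlog lines (login-name:tty-specifier:time) from stdin and
# prints "user count" for every user with >= THRESHOLD entries.
# The timestamp contains colons too, so only field 1 (the user) is used;
# blank lines between groups of attempts are ignored.
count_failures() {
    awk -F: -v limit="$1" '
        NF >= 3 && $1 != "" { n[$1]++ }
        END {
            for (u in n) if (n[u] >= limit) printf "%s %d\n", u, n[u]
        }
    ' | sort
}

# Constructed sample input in loginlog format (not real data).
SAMPLE=$(cat <<'EOF'
root:/dev/pts/3:Wed Oct 15 10:01:11 2003
root:/dev/pts/3:Wed Oct 15 10:01:20 2003
root:/dev/pts/3:Wed Oct 15 10:01:31 2003
root:/dev/pts/3:Wed Oct 15 10:01:45 2003
root:/dev/pts/3:Wed Oct 15 10:01:58 2003

jsmith:/dev/term/a:Wed Oct 15 10:05:02 2003
jsmith:/dev/term/a:Wed Oct 15 10:05:09 2003
jsmith:/dev/term/a:Wed Oct 15 10:05:15 2003
jsmith:/dev/term/a:Wed Oct 15 10:05:22 2003
jsmith:/dev/term/a:Wed Oct 15 10:05:30 2003
jsmith:/dev/term/a:Wed Oct 15 10:07:02 2003
jsmith:/dev/term/a:Wed Oct 15 10:07:10 2003
jsmith:/dev/term/a:Wed Oct 15 10:07:17 2003
jsmith:/dev/term/a:Wed Oct 15 10:07:25 2003
jsmith:/dev/term/a:Wed Oct 15 10:07:33 2003
EOF
)

# With a threshold of 10 only jsmith is reported; with 5, root as well.
printf '%s\n' "$SAMPLE" | count_failures 10
```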