SUMMARY: NIS/password locking question

From: <Frank_DeMontier_at_ssga.com>
Date: Tue Feb 19 2002 - 15:44:57 EST
Many thanks to Andy McVey and Matthew Stier for their quick responses
posted below:

You can limit the number of retry attempts with an entry in
/etc/default/login:
RETRIES=<value>

(See the man page for login for more details)

It won't lock the NIS account though - you could either write
a PAM module that automatically locks the account (tough) or
check the messages file for:

login: REPEATED LOGIN FAILURES ON /dev/pts/XXX

Then email the sysadmin to manually lock the account.
Alternatively make LOGHOST the NIS master and write a script
that filters the output of syslogd and locks the user account
accordingly.

#########################################################################
Not in the Sun provided configuration.  There is no code to check for
counts, or any means to save that information across workstations.

Personally, I believe in Sun's policy in not implementing account lockouts,
since I've seen more internal users use them as a playful "Denial of
Service" attack, than actually stopping such threats. Sun's choice to
provide an extensive delay after a failed login attempt is the better
solution to brute-force attacks, since it limits attempts per terminal to
75 per hour.

#############################################################################

On a side note, I spoke with Sun directly. There is a PAM module available
which will accomplish this; the module is named "pam_tally". The only
(apparent) limitation under NIS is it will only lock the account LOCALLY.

http://www.sun.com/software/solaris/pam

http://www.consmiths.com.au/pam/index.html

Buddy DeMontier
State Street Global Advisors
Infrastructure Technical Services
2 International Place
Boston Ma 02110
617-664-6141
Received on Tue Feb 19 14:46:20 2002
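
The messages-file check described in the first reply, as an added example that is not part of the original post or of either reply. It assumes the usual syslog prefix (month, day, time, host) and a POSIX awk (nawk on Solaris); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Report terminals that logged "REPEATED LOGIN FAILURES", grouped by the
# host that wrote the line. On a LOGHOST this covers every client.
# Real use: report_repeated_failures 2 < /var/adm/messages

report_repeated_failures() {
    threshold="${1:-1}"    # minimum number of matching lines to report
    awk -v min="$threshold" '
        # Only the login message quoted in the post is considered.
        /login: .*REPEATED LOGIN FAILURES ON / {
            host = $4      # assumed layout: Mon DD HH:MM:SS host tag: text
            tty = ""
            for (i = 5; i < NF; i++)
                if ($i == "ON") { tty = $(i + 1); break }
            # The value may end up in mail or a lock script, so accept
            # nothing but a plain device path.
            if (tty !~ "^/dev/[A-Za-z0-9/_]+$") next
            key = host " " tty
            count[key]++
            last[key] = $1 " " $2 " " $3
        }
        END {
            for (key in count)
                if (count[key] >= min)
                    printf "%s %d %s\n", key, count[key], last[key]
        }
    ' | sort
}

# Constructed sample input (not taken from a real system).
sample_messages() {
    cat <<'EOF'
Feb 19 09:12:01 nismaster login: REPEATED LOGIN FAILURES ON /dev/pts/4
Feb 19 09:14:40 nismaster login: REPEATED LOGIN FAILURES ON /dev/pts/4
Feb 19 09:20:13 ws17 login: REPEATED LOGIN FAILURES ON /dev/pts/2
Feb 19 09:21:00 ws17 sendmail[311]: unrelated line
Feb 19 09:25:30 ws17 login: REPEATED LOGIN FAILURES ON /dev/pts/9;x
EOF
}

# Output columns: host tty count time-of-last-occurrence
sample_messages | report_repeated_failures 2
```

The report lines can be mailed to the sysadmin, who then locks the account manually as the reply suggests.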
