Solved

locking out a user account

Posted on 2007-07-26
Last Modified: 2013-12-27
Solaris 10. In the user_attr file I see:
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
If I change lock_after_retries to yes AND /etc/default/login has
RETRIES=5

could root be locked out permanently if a password is entered wrong too many times?
Question by: jjc_mn

6 Comments

Accepted Solution by: bpeterse (earned 1600 total points)
ID: 19576854
This is the comment section in /etc/default/login for the RETRIES section:

># RETRIES determines the number of failed logins that will be
># allowed before login exits. Default is 5 and maximum is 15.
># If account locking is configured (user_attr(4)/policy.conf(4))
># for a local user's account (passwd(4)/shadow(4)), that account
># will be locked if failed logins equals or exceeds RETRIES.

and I just tested it.

If policy.conf=LOCK_AFTER_RETRIES=yes

and user_attr=root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=yes

yes - you can lock out root!

Author Comment by: jjc_mn
ID: 19577920

Does the lock end after a period of time or is it permanent?

Expert Comment by: bpeterse
ID: 19578903
I didn't test that - but it appears permanent. I viewed the /etc/shadow file and there was the big *LK* in root's entry.

Assisted Solution by: bpeterse (earned 1600 total points)
ID: 19578987
Permanent in that some sort of [file] intervention will be required. I entered DISABLETIME=30 (seconds) and still the shadow file reflected a *LK* status. If you don't have a serial port connection to the machine, you lock out the root account as described in the previous messages, and no other user has uid=0, it's time to reinstall....
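The checks bpeterse describes in the accepted solution and in the follow-up about the *LK* entry, as an added example that is not part of the thread: a POSIX shell script that resolves an account's lockout policy from the three files the way login(1) and policy.conf(4) document it (a per-user lock_after_retries key in user_attr overrides LOCK_AFTER_RETRIES in policy.conf; an unset or commented RETRIES in /etc/default/login means 5 and the value is capped at 15), reports whether the account's shadow entry already carries the *LK* prefix, and lists any other uid 0 accounts that could still run passwd -u root. The file contents it writes are constructed for the demo (the shipped user_attr line for root is the one quoted in the question; the hash fields are dummy strings), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the Solaris 10 lockout policy
# for one account from the files discussed above and inspects shadow/passwd.
# Assumed semantics (policy.conf(4), user_attr(4), login(1)): a per-user
# lock_after_retries key overrides LOCK_AFTER_RETRIES; RETRIES defaults to 5
# when absent or commented out and is capped at 15.

# max_failures <login_defaults>: failed logins allowed before lockout.
max_failures() {
    n=$(sed -n 's/^[[:space:]]*RETRIES[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    n=${n:-5}                       # keyword absent or commented out: default 5
    [ "$n" -gt 15 ] && n=15         # login(1) caps the value at 15
    echo "$n"
}

# effective_lock <user> <policy.conf> <user_attr>: "yes" if failures lock <user>.
effective_lock() {
    user=$1 policy=$2 uattr=$3
    # System-wide default. Commented lines start with '#' and never match.
    sys=$(awk -F= '/^[ \t]*LOCK_AFTER_RETRIES[ \t]*=/ {
              v = tolower($2); gsub(/[ \t]/, "", v); print v }' "$policy" | tail -n 1)
    # Per-user override: field 5 of user_attr is a ';'-separated key=value list.
    per=$(awk -F: -v u="$user" '$1 == u {
              n = split($5, kv, ";")
              for (i = 1; i <= n; i++)
                  if (sub(/^lock_after_retries=/, "", kv[i])) print tolower(kv[i]) }' "$uattr" | tail -n 1)
    eff=${per:-${sys:-no}}          # user_attr wins, then policy.conf, then NO
    [ "$eff" = yes ] && echo yes || echo no
}

# lock_state <user> <shadow>: "locked" if the password field starts with *LK*.
lock_state() {
    awk -F: -v u="$1" '$1 == u { s = ($2 ~ /^\*LK\*/) ? "locked" : "unlocked"; print s }' "$2"
}

# other_uid0 <passwd>: uid 0 accounts besides root, i.e. a way back in after a lockout.
other_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { s = s (s == "" ? "" : " ") $1 } END { print s }' "$1"
}

# setup_demo <dir>: constructed copies of the five files, so the demo runs anywhere.
setup_demo() {
    d=$1
    cat > "$d/login" <<'EOF'
# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
RETRIES=5
EOF
    cat > "$d/policy.conf" <<'EOF'
# LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
EOF
    # Shipped user_attr: root is exempt from locking even with the policy above.
    cat > "$d/user_attr.shipped" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
jdoe::::profiles=Basic Solaris User
EOF
    # The change from the question: root now locks like everyone else.
    sed 's/lock_after_retries=no/lock_after_retries=yes/' "$d/user_attr.shipped" > "$d/user_attr.changed"
    # Constructed shadow after too many bad root passwords (dummy hashes).
    cat > "$d/shadow" <<'EOF'
root:*LK*DUMMYHASH:13719::::::
jdoe:DUMMYHASH:13719::::::
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:100:1:Jane Doe:/export/home/jdoe:/bin/sh
EOF
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
setup_demo "$DEMO"
echo "RETRIES limit:                    $(max_failures "$DEMO/login")"
echo "root lockable, shipped user_attr: $(effective_lock root "$DEMO/policy.conf" "$DEMO/user_attr.shipped")"
echo "root lockable, changed user_attr: $(effective_lock root "$DEMO/policy.conf" "$DEMO/user_attr.changed")"
echo "jdoe lockable (inherits policy):  $(effective_lock jdoe "$DEMO/policy.conf" "$DEMO/user_attr.shipped")"
echo "root shadow state:                $(lock_state root "$DEMO/shadow")"
echo "other uid 0 accounts:             '$(other_uid0 "$DEMO/passwd")'"
```

On a live system point the functions at /etc/default/login, /etc/security/policy.conf, /etc/user_attr, /etc/shadow and /etc/passwd (reading shadow needs uid 0). Run the two effective_lock calls before and after editing user_attr: the shipped "no" on root's line is the only thing keeping root exempt once LOCK_AFTER_RETRIES=YES is set, so flipping it makes an empty other_uid0 result the exact situation bpeterse warns about, where the only ways back are a console login to another uid 0 account running passwd -u root, or booting single-user from install media and stripping the *LK* prefix from root's shadow entry by hand.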

Assisted Solution by: Tintin (earned 400 total points)
ID: 19590864
It's a very bad idea to change the default entry for root in user_attr, because anyone can effectively DoS your server by doing 5 failed root logins. Having a locked root account would also mean all sorts of processes wouldn't run correctly, e.g. root cron jobs.

Author Comment by: jjc_mn
ID: 19611099
Thanks all!