locking out a user account

Posted on 2007-07-26
Last Modified: 2013-12-27
Solaris 10. In the user_attr file I see:
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
If I change lock_after_retries to yes AND /etc/default/login has

Could root be locked out permanently if a password is entered wrong too many times?
Question by: jjc_mn

    Accepted Solution

    This is the comment section in /etc/default/login for the RETRIES section:

    ># RETRIES determines the number of failed logins that will be
    ># allowed before login exits. Default is 5 and maximum is 15.
    ># If account locking is configured (user_attr(4)/policy.conf(4))
    ># for a local user's account (passwd(4)/shadow(4)), that account
    ># will be locked if failed logins equals or exceeds RETRIES.

    and I just tested it.

    If policy.conf=LOCK_AFTER_RETRIES=yes

    and user_attr=root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=yes

    yes - you can lock out root!

    Author Comment


    Does the lock end after a period of time or is it permanent?

    Expert Comment

    I didn't test that - but it appears permanent.  I viewed the /etc/shadow file and there was the big *LK* in root's entry.  

    Assisted Solution

    Permanent in that some sort of [file] intervention will be required.  I entered a DISABLETIME=30 (seconds) and still the shadow file reflected a *LK* status.  If you don't have a serial port connection to the machine, you lock out the root account as described in the previous messages, and no other user has a uid=0, time to reinstall....

    Assisted Solution

    It's a very bad idea to change the default entry for root in user_attr, because anyone can effectively DoS your server by doing 5 failed root logins.  Having a locked root account would also mean all sorts of processes wouldn't run correctly, e.g. root cronjobs.

    Author Comment

    Thanks all!
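
An audit check for the settings discussed in this thread, as an added example that is not part of the original posts: it reports whether an account is subject to lock_after_retries (the per-user user_attr key overrides the LOCK_AFTER_RETRIES default in policy.conf, per policy.conf(4)), the RETRIES value, and whether shadow already shows *LK*. The function names and sample files are constructed for illustration; it assumes a POSIX sh and awk (on Solaris 10, /usr/xpg4/bin first in PATH).

```shell
#!/bin/sh
# Added example (not from the thread). File paths are arguments so the
# checks can run against copies of user_attr, policy.conf, login and shadow.

# A lock_after_retries key in the user's user_attr entry overrides
# LOCK_AFTER_RETRIES in policy.conf; with neither set the answer is "no".
effective_lock() {  # usage: effective_lock USER USER_ATTR POLICY_CONF
    val=$(awk -F: -v u="$1" '
        /^#/ { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^lock_after_retries=/) {
                    sub(/^[^=]*=/, "", kv[i]); print kv[i]; exit
                }
        }' "$2")
    [ -n "$val" ] || val=$(sed -n 's/^LOCK_AFTER_RETRIES=//p' "$3" | tail -1)
    case "$val" in [Yy][Ee][Ss]) echo yes ;; *) echo no ;; esac
}

# RETRIES from /etc/default/login; the file's own comment gives 5 as default.
retries() {  # usage: retries LOGIN_DEFAULTS
    r=$(sed -n 's/^RETRIES=//p' "$1" | tail -1)
    echo "${r:-5}"
}

# Exit status 0 when the shadow password field starts with *LK*.
is_locked() {  # usage: is_locked USER SHADOW
    awk -F: -v u="$1" '$1 == u && $2 ~ /^\*LK\*/ { hit = 1 } END { exit !hit }' "$2"
}

# Constructed sample files mirroring the settings tested in the thread.
d=$(mktemp -d)
cat > "$d/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=yes
adm::::profiles=Log Management
EOF
echo 'LOCK_AFTER_RETRIES=NO' > "$d/policy.conf"
echo '#RETRIES=5' > "$d/login"
printf 'root:*LK*:13720::::::\nadm:NP:6445::::::\n' > "$d/shadow"

for u in root adm; do
    state=active; is_locked "$u" "$d/shadow" && state=locked
    echo "$u: lock_after_retries=$(effective_lock "$u" "$d/user_attr" "$d/policy.conf")" \
         "RETRIES=$(retries "$d/login") shadow=$state"
done
```

Run against the real files, a "yes" for root is the condition the thread warns about.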
