Solved

Lockout Duration in AIX

Posted on 2007-11-26
Last Modified: 2013-11-17
Is there a way to set the lockout duration in AIX? i.e. the account is locked out and it will unlock itself in 30 minutes?

That kind of thing?

If so, how?

Thanks

Josh
Question by:JoshFink
3 Comments
 
Expert Comment

by:Kent Olsen
ID: 20352867
Hi JoshFink,

AIX doesn't have any of this capability built in, but you can build it yourself.  Mostly with your own scripts and cron jobs.

Some use of these two variables may be a good place to start:


unsuccessful_login_count in /etc/security/lastlog and
login_retries in /etc/security/user.

Good Luck,
Kent

Expert Comment

by:amirs80
ID: 20356237
Yes, you can do it.
Read the file:
#cd /etc/security
#vi login.cfg (or any editor you like most)

The parameters in this file help you a lot.

Accepted Solution

by:
cloud5 earned 500 total points
ID: 20845629
AIX does not provide a clean, built-in solution to this.

You'll need to script it.

Try using the attached code (or modify it to suit your needs).

It takes one parameter:  the username to check (run it in a "for" loop in another script if you want to check more usernames).  If the user's account has been locked due to invalid logins, and if the user last failed greater than 30 minutes ago, it'll reset the failed count back to zero.

Run it via root's cron once every five minutes or so.

#!/usr/bin/ksh

# Minutes that must pass after the last failed login before the reset
readonly MINUTES_TO_UNLOCK=30
readonly SECONDS_PER_MINUTE=60

if [[ $# -lt 1 ]]; then
    echo "Please specify a username to check" >&2
    exit 1
fi

username=$1

# lsuser -c prints a header line, then name:attr1:attr2:attr3 for the user.
# Drop the header and split on ":" so that userdata[0] is the name and
# userdata[1..3] are the attributes in the order requested.
set -A userdata $(/usr/bin/lsuser -c              \
                  -a unsuccessful_login_count     \
                     loginretries                 \
                     time_last_unsuccessful_login "${username}" | \
                  sed -e 1d -e 's/:/ /g')
curtime=$(/usr/bin/perl -e "print time")

# An empty attribute shifts the remaining fields; do nothing in that case.
if [[ ${#userdata[*]} -lt 4 ]]; then
    exit 0
fi

unsuccessful_login_count=${userdata[1]}
loginretries=${userdata[2]}
time_last_unsuccessful_login=${userdata[3]}

# Account is locked due to too many unsuccessful attempts
if [[ ${unsuccessful_login_count} -gt ${loginretries} ]]; then

    # Calculate number of minutes since user last failed to log in.
    minutes_since_last_fail=$(((curtime - time_last_unsuccessful_login) / ${SECONDS_PER_MINUTE}))

    # User last failed to log in more than MINUTES_TO_UNLOCK minutes ago;
    # unlock them.
    if [[ ${minutes_since_last_fail} -gt ${MINUTES_TO_UNLOCK} ]]; then
        chsec -f /etc/security/lastlog \
              -a "unsuccessful_login_count=0" \
              -s "${username}"
    fi
fi
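
The "for loop over more usernames" that the accepted answer suggests, as an added example that is not part of the original post: it reads `lsuser -c` output for all users, finds columns by header name instead of by position, and skips accounts with `loginretries=0` (no limit) or empty fields. The function names, the sample data and the handling of repeated header lines are assumptions; only `reset_locked_users` touches the system, and it is not called here.

```shell
#!/bin/sh
# Added example, not the original poster's code.
# unlock_candidates NOW_EPOCH MINUTES: reads "lsuser -c" output on stdin and
# prints the users whose unsuccessful_login_count may be reset to 0.
unlock_candidates() {
    awk -F: -v now="$1" -v mins="$2" '
    /^#/ {  # header line: remember which column holds which attribute
        sub(/^#/, ""); split("", col)
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    {
        c = col["unsuccessful_login_count"]; r = col["loginretries"]
        t = col["time_last_unsuccessful_login"]
        if (!c || !r || !t) next                 # attribute not in this header
        if ($c !~ /^[0-9]+$/ || $r !~ /^[0-9]+$/ || $t !~ /^[0-9]+$/) next
        if ($r + 0 == 0) next                    # loginretries=0 means no limit
        if ($c + 0 <= $r + 0) next               # same lock test as the post
        if (int((now - $t) / 60) > mins) print $1
    }'
}

# Constructed sample data. The repeated headers are an assumption about how
# lsuser reports users whose attribute sets differ.
sample_lsuser_output() {
    cat <<'EOF'
#name:unsuccessful_login_count:loginretries:time_last_unsuccessful_login
alice:6:5:1196097000
bob:6:5:1196099400
carol:9:0:1196000000
dave:2:5:1196000000
gina:4:3:
#name:loginretries
erin:5
#name:unsuccessful_login_count:loginretries:time_last_unsuccessful_login
frank:7:3:1196090000
EOF
}

# AIX only, as root: reset the counter for every candidate (hypothetical wrapper).
reset_locked_users() {
    /usr/bin/lsuser -c -a unsuccessful_login_count loginretries \
        time_last_unsuccessful_login ALL |
    unlock_candidates "$(/usr/bin/perl -e 'print time')" 30 |
    while read -r user; do
        chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$user"
    done
}
sample_lsuser_output | unlock_candidates 1196100000 30   # offline demo run
```

Because the counter is only reset for accounts that are over their limit and past the waiting period, a single cron entry calling `reset_locked_users` replaces the per-user loop.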
