Solved

Lockout Duration in AIX

Posted on 2007-11-26
Last Modified: 2013-11-17
Is there a way to set the lockout duration in AIX? i.e. the account is locked out and it will unlock itself in 30 minutes?

That kind of thing?

If so, how?

Thanks

Josh
Question by:JoshFink

Expert Comment

by:Kdo
ID: 20352867
Hi JoshFink,

AIX doesn't have any of this capability built in, but you can build it yourself.  Mostly with your own scripts and cron jobs.

Some use of these two variables may be a good place to start:


unsuccessful_login_count in /etc/security/lastlog and
login_retries in /etc/security/user.




Good Luck,
Kent

Expert Comment

by:amirs80
ID: 20356237
Yes, you can do it.
Read the file:
#cd /etc/security
#vi login.cfg (or any editor you like most)

The parameters in this file help you a lot.

Accepted Solution

by:cloud5 (earned 500 total points)
ID: 20845629
AIX does not provide a clean, built-in solution to this.

You'll need to script it.

Try using the attached code (or modify it to suit your needs).

It takes one parameter:  the username to check (run it in a "for" loop in another script if you want to check more usernames).  If the user's account has been locked due to invalid logins, and if the user last failed greater than 30 minutes ago, it'll reset the failed count back to zero.

Run it via root's cron once every five minutes or so.
#!/usr/bin/ksh

readonly MINUTES_TO_UNLOCK=30
readonly SECONDS_PER_MINUTE=60

if [[ $# -lt 1 ]]; then
    echo "Please specify a username to check" >&2
    exit 1
fi

username=$1

# Fetch the three attributes as one colon-separated record, drop the header
# line, and split the record into an array:
#   userdata[0]=name  [1]=failed count  [2]=loginretries  [3]=last failure time
set -A userdata $(/usr/bin/lsuser -c              \
                  -a unsuccessful_login_count     \
                     loginretries                 \
                     time_last_unsuccessful_login "${username}" | \
                  sed -e 1d -e 's/:/ /g')

# Current time in seconds since the epoch
curtime=$(/usr/bin/perl -e "print time")

unsuccessful_login_count=${userdata[1]}
loginretries=${userdata[2]}
time_last_unsuccessful_login=${userdata[3]}

# Account is locked due to too many unsuccessful attempts
if [[ ${unsuccessful_login_count} -gt ${loginretries} ]]; then

    # Calculate number of minutes since user last failed to log in.
    minutes_since_last_fail=$(((curtime - time_last_unsuccessful_login) / ${SECONDS_PER_MINUTE}))

    # User last failed to log in more than MINUTES_TO_UNLOCK minutes ago;
    # unlock them by resetting the failed-login counter.
    if [[ ${minutes_since_last_fail} -gt ${MINUTES_TO_UNLOCK} ]]; then
        chsec -f /etc/security/lastlog \
              -a "unsuccessful_login_count=0" \
              -s "${username}"
    fi
fi
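
Added example, not part of cloud5's post: instead of calling the script once per username in a "for" loop, this sketch applies the same 30-minute test to every record of one `lsuser -c ... ALL` listing, parsing by field so that empty attributes do not shift columns. The function names and sample records are constructed, and it assumes unset attributes appear as empty fields and that a loginretries of 0 means no limit is set.

```shell
#!/bin/sh
# Added example: batch version of the per-user check in the answer above.
# expired_lockouts and sample_lsuser_output are hypothetical names.

MINUTES_TO_UNLOCK=30

# Reads `lsuser -c` records on stdin and prints the users whose lockout is
# older than MINUTES_TO_UNLOCK. $1 = current time in epoch seconds.
expired_lockouts() {
    awk -F: -v now="$1" -v limit="$MINUTES_TO_UNLOCK" '
        /^#/ || NF < 4 { next }            # header line or short record
        {
            fails = $2 + 0; retries = $3 + 0; last = $4 + 0
            if (retries <= 0)     next     # assumption: 0 means no retry limit
            if (fails <= retries) next     # not locked (same test as the script)
            if (last <= 0)        next     # no failure timestamp recorded
            # Whole minutes since the last failure, as in the posted script
            if (int((now - last) / 60) > limit) print $1
        }'
}

# Constructed sample records in `lsuser -c` layout (not real system output)
sample_lsuser_output() {
    cat <<'EOF'
#name:unsuccessful_login_count:loginretries:time_last_unsuccessful_login
alice:6:5:1196000000
bob:6:5:1196003000
carol:2:5:1196000000
dave:9:0:1196000000
erin::5:
EOF
}

# Demo with a fixed "now" one hour after alice's last failure; prints: alice
sample_lsuser_output | expired_lockouts 1196003600

# On AIX, as root from cron (not executed here):
#   lsuser -c -a unsuccessful_login_count loginretries \
#          time_last_unsuccessful_login ALL |
#     expired_lockouts "$(perl -e 'print time')" |
#     while read -r u; do
#       chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$u"
#     done
```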
