Old 12-11-2007, 04:24 AM   #1
as400
Member
 
Registered: Apr 2004
Location: USA
Distribution: Solaris 10 (x86) and Windows XP Pro SP2
Posts: 596

Rep: Reputation: 30
Configuring Incorrect Logins (Timeouts, Lockout Policies)


Hello To All,

Can you please explain how I can establish a setting for MAXIMUM BAD PASSWORD ENTRIES and how to set a LOCK OUT timeout under Solaris 10 (CDE)?

I want to set the following:

Number of incorrect logins set to: 5
Account Lockout Policy set to: UNTIL ADMIN OR ROOT UNLOCKS IT.

I'm using the CDE desktop.

Many thanks in advance.


Thank You and Best Regards
 
Old 12-11-2007, 07:02 AM   #2
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
Set RETRIES=3 in /etc/default/login file
Set LOCK_AFTER_RETRIES=YES in /etc/security/policy.conf

And that should do it.

For details: http://blogs.sun.com/gbrunett/date/20040923
 
Old 12-11-2007, 08:28 AM   #3
as400
Thanks a lot.

Also, in case a user gets locked, then, as ROOT, how can I RESET or UNLOCK the account??
 
Old 12-11-2007, 08:42 AM   #4
as400
I'm sorry...

Are you sure that this configuration setting is for logging in from the CDE Desktop...or....is this only for logging in from a Telnet session (like the one in the URL link)???

Please advise on this.
 
Old 12-11-2007, 12:10 PM   #5
jlliagre
Quote:
Originally Posted by as400
Thanks a lot.

Also, in case a user gets locked, then, as ROOT, how can I RESET
passwd <username>
Quote:
or UNLOCK the account??
passwd -u <username>
 
Old 12-11-2007, 12:13 PM   #6
jlliagre
Quote:
Originally Posted by as400
Are you sure that this configuration setting is for logging in from the CDE Desktop...or....is this only for logging in from a Telnet session (like the one in the URL link)???
Possibly. Did you observe that it doesn't work the expected way with CDE?
 
Old 12-11-2007, 12:46 PM   #7
as400
Well.....Guess what...I tried logging in under the CDE desktop screen and it does not work...I tried at least 5 times after I set the RETRIES to 3 login attempts...

So, it may work from a Telnet session...but how can I make it work when trying to login to the CDE Desktop??

Remember...I am logging in using my own user account to the CDE Desktop....So is there a way to set the number of limits or retries when logging onto the CDE Desktop instead of a Telnet session???

Last edited by as400; 12-11-2007 at 12:50 PM.
 
Old 12-11-2007, 12:49 PM   #8
jlliagre
Did you check that it locks you out as expected when using telnet?
 
Old 12-11-2007, 02:20 PM   #9
as400
Ok...I don't even care about Telnet...as I have it DISABLED anyway for security reasons...

All I care about is logging into the CDE Desktop...

Like I said, I tried it 5 times typing an incorrect password on purpose and it does not seem to work...

All I wish to do is set these LOGIN RESTRICTIONS when my local user account tries to login TO the CDE Desktop....and not by using a session...

Any more suggestions?

Last edited by as400; 12-11-2007 at 02:40 PM.
 
Old 12-11-2007, 07:35 PM   #10
jlliagre
If you don't care about investigating why it doesn't work for you, why would anyone care?
 
Old 12-12-2007, 12:11 AM   #11
as400
OK,

I'm sorry.

Now I had enabled Telnet (svcadm enable telnet to...127.0.0.1), I had tried only 2 incorrect logins...and then the third time I did it correctly and it said...LAST LOGIN FAILURE occurred at this date and so on.

But how come it does not work under the CDE desktop login screen?
 
Old 12-12-2007, 01:15 AM   #12
jlliagre
Lockout works for me with both telnet and CDE.

Is the following line present in your /etc/pam.conf file?
Code:
other auth required   pam_unix_auth.so.1
 
Old 12-12-2007, 02:50 AM   #13
as400
I'm unable to check right now as I'm not in front of the PC.
I will let you know later.

Thanks.
 
Old 12-12-2007, 12:57 PM   #14
as400
Ok,

Here I found the following lines in the /etc/pam.conf file:

# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
 
Old 12-12-2007, 02:19 PM   #15
jlliagre
If that line is there, I have no more ideas. Sorry.

For information, locking works fine for me with CDE/Solaris Express.
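
Added example (not part of any post in this thread): a POSIX shell check for the three things the replies point at, RETRIES in /etc/default/login, LOCK_AFTER_RETRIES in /etc/security/policy.conf, and pam_unix_auth.so.1 in the auth stack that applies to a given service. It assumes the CDE login screen authenticates under the PAM service name dtlogin; the sample files, the kiosk service and pam_sample.so.1 are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the lockout settings discussed in the thread.

# Print the value of the last active (uncommented) KEY=value line in FILE.
get_setting() {   # get_setting FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the auth lines that apply to SERVICE: its own entries if it has any,
# otherwise the "other" entries (the default definitions in pam.conf).
auth_stack() {    # auth_stack PAMCONF SERVICE
    awk -v svc="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == "auth" && $1 == svc     { own = own $0 "\n" }
        $2 == "auth" && $1 == "other" { dfl = dfl $0 "\n" }
        END { printf "%s", (own != "" ? own : dfl) }' "$1"
}

# Return 0 only when all three conditions from the thread hold for SERVICE.
lockout_ready() { # lockout_ready LOGIN_DEFAULTS POLICY_CONF PAMCONF SERVICE
    retries=$(get_setting "$1" RETRIES)
    lock=$(get_setting "$2" LOCK_AFTER_RETRIES)
    case $retries in ''|*[!0-9]*) echo "RETRIES is not set"; return 1 ;; esac
    [ "$lock" = YES ] || { echo "LOCK_AFTER_RETRIES is '${lock:-unset}'"; return 1; }
    auth_stack "$3" "$4" | grep -q 'pam_unix_auth\.so\.1' ||
        { echo "no pam_unix_auth.so.1 in the auth stack for $4"; return 1; }
    echo "ok: $4 locks the account after $retries failed logins"
}

# Constructed sample files (not copied from a real host).
make_samples() {  # make_samples DIR
    printf '#RETRIES=5\nRETRIES=3\n' > "$1/login"
    printf '#LOCK_AFTER_RETRIES=NO\nLOCK_AFTER_RETRIES=YES\n' > "$1/policy.conf"
    printf '%s\n' '# constructed excerpt' \
        'login auth required pam_unix_auth.so.1' \
        'kiosk auth required pam_sample.so.1' \
        'other auth requisite pam_authtok_get.so.1' \
        'other auth required pam_unix_auth.so.1' > "$1/pam.conf"
}

d=$(mktemp -d) && make_samples "$d"
# dtlogin has no entries of its own here, so the "other" stack applies.
lockout_ready "$d/login" "$d/policy.conf" "$d/pam.conf" dtlogin
# kiosk has its own auth stack without pam_unix_auth.so.1, so this check fails.
lockout_ready "$d/login" "$d/policy.conf" "$d/pam.conf" kiosk || true
```

On a real host, pass /etc/default/login, /etc/security/policy.conf and /etc/pam.conf in place of the sample files.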
 
  

