Kenneth,

This capability does not exist natively on the Solaris 8 OS. If you
need this capabilitity, it can be added through the use of PAM and
possibly some secondary functionality. Note that depending on the
naming service that you use and your expectations of whether this
lockout will be per-system or network wide, there are some
significant issues/tradeoffs that would need to be discussed.

Also, per Kevin's e-mail, there are also a few DOS possibilities
that exist using this method - although there are also some ways
in which those risks can be mitigated to some degree.

SunPS has built and delivered modules that perform this functionality
for a number of users. If you are interested in something like this
please let me know.

Regards,
g

---
Glenn M. Brunette, Jr.
Principal Engineer, Chief Security Architect
Sun Professional Services, United States CTO
Sun Microsystems, Inc.

If the machines are internal to your network then DoS attacks should not
be a major factor in this. The best way to do this is to use PAM
modules and customize it for your environment. This may not be the
simplist method but it will get you where you want to go. Take a look
at the /etc/default/passwd options as well. They wont let you disable
an account this way but will allow you to force other options.

Sanjay

Hello Kenneth,
Thank you Darren for the wonderful plug. Yes, we have modules that you
can download and use for free. If you want the source code for an audit
it can be arranged. Please make sure that you are running version 1.04
(there was a security hole in 1.03 - obviously not enough auditing).
People at version 1.03 please upgrade.

You can select one of three behaviours with our PAM module: Lock the
account and have the password reset by admin. Lock the account and have
the login flag reset by admin (i.e. things that use the password, but
not the module will still work), and lockout for a period after the
selected number of bad attempts.

The advantage of the lockout period is that it defeats the multi-trial
attempts, and allows the user to know that something has happened
(especially if you set it to 1 day or there abouts) but does not require
admin intervetion - no social engineering attacks.

We have a bunch of other PAM modules available for other purposes too.

Rex di Bona
Computer Smiths

DISABLETIME can be set in /etc/default/login on Solaris 9. It is the time
that the account is disabled after RETRIES number of unsuccessful logins.
Default is 20 seconds for DISABLETIME, 5 attempts for RETRIES. You can set
up a Windows-like timed lockout using DISABLETIME and RETRIES on Solaris 9.
SLEEPTIME can also be set in /etc/default/login. It is the amount of time
that the system pauses between when the user enters a bad password and when
the system prompts for the user id. Default is 4 seconds, range is 0 to 5.

DISABLETIME is not in Solaris 8. You can use someone else's PAM, or as Julie
Baumler suggested, roll your own lockout script. /var/adm/loginlog is the
record each bad login attempt after 5 bad attempts. Check the manpage.

I like the Linux PAM. See http://www.kernel.org/pub/linux/libs/pam/. Don't
know how it would behave on Solaris, but you might give it a shot. See
pam_tally for the lockout function lib.

jp



-----Original Message-----
From: Steve Barnet [mailto:***@chem.wisc.edu]
Sent: Tuesday, October 14, 2003 10:56 AM
To: Kevin L Prigge
Cc: Kenneth Denski; focus-***@securityfocus.com
Subject: Re: Account Lockout in Solaris 8



According to the login(1) man page from a Solaris 8 machine,
the following variables can be set in /etc/default/login:

RETRIES
Sets the number of retries for logging in (see
pam(3PAM)). The default is 5.

SYSLOG_FAILED_LOGINS
Used to determine how many failed login attempts
will be allowed by the system before a failed
login message is logged, using the syslog(3C)
LOG_NOTICE facility. For example, if the vari-
able is set to 0, login will log all failed
login attempts.

I don't have a Solaris machine immediately at hand, but I think
that would be a good place to start.

Best,

---Steve