DISABLETIME can be set in /etc/default/login on Solaris 9. It is the time
that the account is disabled after RETRIES number of unsuccessful logins.
Default is 20 seconds for DISABLETIME, 5 attempts for RETRIES. You can set
up a Windows-like timed lockout using DISABLETIME and RETRIES on Solaris 9.

SLEEPTIME can also be set in /etc/default/login. It is the amount of time
that the system pauses between when the user enters a bad password and when
the system prompts for the user id. Default is 4 seconds, range is 0 to 5.

DISABLETIME is not in Solaris 8. You can use someone else's PAM, or as Julie
Baumler suggested, roll your own lockout script. /var/adm/loginlog
records each bad login attempt after 5 bad attempts. Check the manpage.

I like the Linux PAM. See http://www.kernel.org/pub/linux/libs/pam/. Don't
know how it would behave on Solaris, but you might give it a shot. See
pam_tally for the lockout function lib.

jp
-----Original Message-----
From: Steve Barnet [mailto:***@chem.wisc.edu]
Sent: Tuesday, October 14, 2003 10:56 AM
To: Kevin L Prigge
Cc: Kenneth Denski; focus-***@securityfocus.com
Subject: Re: Account Lockout in Solaris 8
According to the login(1) man page from a Solaris 8 machine,
the following variables can be set in /etc/default/login:

RETRIES
    Sets the number of retries for logging in (see
    pam(3PAM)). The default is 5.

SYSLOG_FAILED_LOGINS
    Used to determine how many failed login attempts
    will be allowed by the system before a failed
    login message is logged, using the syslog(3C)
    LOG_NOTICE facility. For example, if the variable
    is set to 0, login will log all failed
    login attempts.

I don't have a Solaris machine immediately at hand, but I think
that would be a good place to start.
Best,
---Steve
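
A starting point for the roll-your-own script mentioned in the thread, as an added example that is not from either poster: it counts entries per account in a loginlog-style file and reports the accounts at or above a threshold. The `login:tty:timestamp` line format, the function name `failed_login_report` and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: report accounts whose failed-login count in a loginlog-style
# file meets a threshold. Assumed line format (not shown in the thread):
#   login:tty:timestamp   e.g.  alice:/dev/pts/3:Tue Oct 14 10:41:07 2003
# On Solaris, run the awk program with nawk or /usr/xpg4/bin/awk; the old
# /usr/bin/awk does not accept -v.

# failed_login_report FILE [THRESHOLD]
# Prints "account count last-timestamp", one line per account, sorted.
failed_login_report() {
    file=$1
    threshold=${2:-5}
    awk -F: -v min="$threshold" '
        # Need login, tty and a timestamp; skip malformed lines.
        NF < 3 || $1 == "" { next }
        {
            # The timestamp itself contains colons, so rebuild it from
            # field 3 onward instead of trusting $3 alone.
            ts = $3
            for (i = 4; i <= NF; i++) ts = ts ":" $i
            count[$1]++
            last[$1] = ts
        }
        END {
            for (u in count)
                if (count[u] >= min)
                    printf "%s %d %s\n", u, count[u], last[u]
        }
    ' "$file" | sort
}

# Constructed sample data, for illustration only.
sample=${TMPDIR:-/tmp}/loginlog.sample.$$
cat > "$sample" <<'EOF'
alice:/dev/pts/3:Tue Oct 14 10:41:07 2003
bob:/dev/pts/5:Tue Oct 14 10:41:30 2003
alice:/dev/pts/3:Tue Oct 14 10:41:52 2003
this line is malformed
alice:/dev/pts/4:Tue Oct 14 10:42:10 2003
EOF

failed_login_report "$sample" 3
rm -f "$sample"
```

The report only identifies candidate accounts; what to do with them (for example locking with `passwd -l`) is left to the administrator.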