[NTLUG:Discuss] OT UNIX question
Chris Cox
cjcox at acm.org
Tue Feb 3 12:14:04 CST 2004
Chris Cox wrote:
> fredjame wrote:
>
>> What is the normal way to lock accounts after x number of failed login
>> attempts?
>>
>
> The normal way is that it is simply not done.
>
> There is no built-in way to do this. Building your own facility
> might be somewhat difficult as you have to retrieve the fail
> count across attempts.... I'm certain it's doable with a bit
> of PAM.
Also, realize that such a PAM based mechanism if placed into
other authentication places could cause a problem for any
kind of automatic service you may have set up that requires
a level of authentication. For example, let's say the password
has expired and you allow 6 attempts before lockout... an
automated program might rip through those 6 attempts rather
quickly and thus the entire account gets disabled.
Just a thought. I had our Windows boyz set my Windows account
to not expire after experiencing this very problem (I have
a Linux automount that authenticates to a Windows share).
I know that there are some security policies which mandate
stuff like this... but IMHO, it probably doesn't prevent
brute force compromises. I would avoid such a policy.
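The self-lockout scenario described above, as an added example that is not part of the original post and not real PAM code (it models the policy, not pam_tally or pam_faillock): a per-account failure counter that persists across attempts locks at the threshold, an unattended client keeps presenting its stored but expired password, and with the naive setting the sixth retry locks the account. The `count_expired` switch is the mitigation a defender would want: expiry is logged as its own event and kept out of the counter, while wrong passwords still lock. Account names, passwords and the threshold of 6 are constructed or taken from the post.

```python
"""Toy model of lock-after-N-failures, illustrating how an unattended client
with an expired password exhausts the lockout counter. Constructed example:
not pam_tally, pam_faillock or any real PAM module, and not from the thread."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 6  # the "6 attempts before lockout" figure from the post


@dataclass
class Account:
    name: str
    password: str          # constructed sample credential
    expired: bool = False  # password is past its expiry date
    failures: int = 0      # must persist across attempts (the hard part noted in the post)
    locked: bool = False


class LockoutPolicy:
    """Counts consecutive failures per account and locks at the threshold.

    count_expired=True reproduces the problem in the post: a correct but
    expired password is treated like a bad one, so a client retrying the
    same stored credential locks the account in six attempts.
    count_expired=False is the mitigation: expiry is reported and logged
    but does not feed the counter, while wrong passwords still do.
    """

    def __init__(self, threshold=LOCKOUT_THRESHOLD, count_expired=True):
        self.threshold = threshold
        self.count_expired = count_expired
        self.log = []  # audit lines a defender would review or alert on

    def authenticate(self, acct, password):
        if acct.locked:
            self.log.append(f"{acct.name}: attempt on locked account")
            return "locked"
        if password != acct.password:
            return self._record_failure(acct, "bad_password")
        if acct.expired:
            if self.count_expired:
                return self._record_failure(acct, "expired")
            self.log.append(f"{acct.name}: expired password presented, not counted")
            return "expired"
        acct.failures = 0  # a successful login resets the counter
        return "ok"

    def _record_failure(self, acct, reason):
        acct.failures += 1
        self.log.append(f"{acct.name}: failure {acct.failures}/{self.threshold} ({reason})")
        if acct.failures >= self.threshold:
            acct.locked = True
            self.log.append(f"{acct.name}: LOCKED")
            return "locked"
        return reason


def automount_retries(count_expired, attempts=6):
    """Unattended mount client keeps presenting its stored, now-expired password."""
    acct = Account("svc-mount", "OldPassw0rd", expired=True)  # constructed
    policy = LockoutPolicy(count_expired=count_expired)
    results = [policy.authenticate(acct, "OldPassw0rd") for _ in range(attempts)]
    return results, acct.locked, policy.log


def wrong_password_attempts(count_expired, guesses=("a", "b", "c", "d", "e", "f", "g")):
    """Wrong passwords must still lock the account under either setting."""
    acct = Account("alice", "CorrectHorse")  # constructed
    policy = LockoutPolicy(count_expired=count_expired)
    results = [policy.authenticate(acct, g) for g in guesses]
    return results, acct.locked


if __name__ == "__main__":
    for flag in (True, False):
        _, locked, log = automount_retries(count_expired=flag)
        print(f"count_expired={flag}: locked={locked}")
        for line in log:
            print("  ", line)
```

Run stand-alone it prints both scenarios: with `count_expired=True` the service account is locked on the sixth retry, with `count_expired=False` it is never locked but every retry leaves a distinct "expired password presented" line in the log, which is the signal to rotate the service credential rather than a lockout.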