Date: Wed, 6 Aug 2003 15:35:27 -0700 (PDT)
From: Michael Carlson
To: Chuck Swiger
cc: freebsd-questions@freebsd.org
Subject: Re: locking out user accounts after 3 login failures...
Message-ID: <20030806152238.X16728@server.internal.m87-blackhole.org>
In-Reply-To: <3F3174A4.1050704@mac.com>
References: <20030806130814.B16596@server.internal.m87-blackhole.org> <3F3174A4.1050704@mac.com>

On Wed, 6 Aug 2003, Chuck Swiger wrote:

> Michael Carlson wrote:
> > My work requires multiple user systems to automatically lock out a user
> > account after 3 login authentication failures. I am running 5.1 and I have
> > not seen anything like this in PAM or login.conf (though there is the
> > login-backoff option, but that's not exactly what I want).
>
> Ugh. Explain what "denial of service" means by asking your boss what happens if
> and when an annoyed employee enters the boss's username and locks him out?

I do not disagree; unfortunately this requirement is in an ancient DOE document, and they seem to hate change.

> It's reasonable to want to improve the security of reusable passwords, but
> that's the wrong approach. Your boss should consider biometrics or smart cards
> (SecurID)...

I am looking into this as well, as we have a SecurID ACE server (running on Windows, another black mark) but it is unfamiliar territory to me.

> --
> -Chuck