Date:      Tue, 5 Feb 2008 11:04:57 -0800
From:      Chuck Swiger <cswiger@mac.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        Tuan Ho <taho89@hotmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Help on freeBSD 4.10
Message-ID:  <F26921D5-79A0-4767-8B99-FA11FECE67BB@mac.com>
In-Reply-To: <47A809BC.2000608@infracaninophile.co.uk>
References:  <BAY104-W2950C28F322C2E997A2E98DC330@phx.gbl> <4E314437-2B3E-4FC1-9825-5E08DA278635@mac.com> <47A809BC.2000608@infracaninophile.co.uk>

On Feb 4, 2008, at 11:01 PM, Matthew Seaman wrote:
>>> As an administrator, how can i disable an account after three
>>> consecutive unsuccessful login attempts?
>>
>> As root, you could run:
>>
>> chsh -s /usr/sbin/nologin _user_
>
> Um... I don't think that's quite what the OP meant.  He wants to automatically
> lock out anyone that fails 3 times to supply the right password.

Perhaps, although I preferred to answer the question which was
actually asked in this case, since automatically locking out accounts
results in a trivial denial-of-service condition whenever anyone
happens to do a brute-force scan on the machine in question.

> See login.conf(5), particularly these entries:
>
>     login-backoff    number    3         The number of login attempts allowed
>                                          before the backoff delay is inserted
>                                          after each subsequent attempt.  The
>                                          backoff delay is the number of tries
>                                          above login-backoff multiplied by 5
>                                          seconds.
>     login-retries    number    10        The number of login attempts allowed
>                                          before the login fails.
>
> Note that this applies only to the login(1) program and so applies to
> textmode logins directly on the console.  Other applications like xdm(1)
> have different controls, as do applications that provide remote access
> like ssh(1).

Have you actually tried setting these?  They make the system add a
pause if the wrong password is entered several times, but they will
not actually lock the account.

-- 
-Chuck
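Added example, not part of the thread above: a small sh script that models the
login(1) behaviour the quoted login.conf(5) text describes (no delay until the
attempt count exceeds login-backoff, then (tries above login-backoff) * 5
seconds after each attempt, and failure once login-retries is reached), and
that emits a login.conf stanza carrying those two settings. It assumes the
delay formula exactly as quoted; the class name `staff` and the values passed
in are made up for illustration. The script only computes and prints, it does
not touch /etc/login.conf.

```shell
#!/bin/sh
# Constructed example: model what login-backoff / login-retries do according
# to the login.conf(5) text quoted in the thread. Nothing here modifies the
# system; it shows that the settings slow a guesser down but never lock the
# account, which is the point Chuck makes.

# Seconds of delay inserted after failed attempt N (assumed formula from the
# quoted manpage text): 0 while N <= login-backoff, else (N - backoff) * 5.
backoff_delay() {
    attempt=$1
    backoff=$2
    if [ "$attempt" -gt "$backoff" ]; then
        echo $(( (attempt - backoff) * 5 ))
    else
        echo 0
    fi
}

# Total seconds a guesser spends waiting to use every attempt login(1)
# allows in one session before it gives up at login-retries.
# With the defaults (3, 10) this is 5+10+15+20+25+30+35 = 140 seconds,
# after which the account is still usable: nothing has been locked.
session_delay() {
    backoff=$1
    retries=$2
    total=0
    n=1
    while [ "$n" -le "$retries" ]; do
        total=$(( total + $(backoff_delay "$n" "$backoff") ))
        n=$(( n + 1 ))
    done
    echo "$total"
}

# Emit a login.conf(5) stanza for class $1 with login-backoff=$2 and
# login-retries=$3, inheriting everything else from "default".
# On a real host, after adding such a stanza to /etc/login.conf you must
# run `cap_mkdb /etc/login.conf`, or login(1) keeps reading the old database.
login_class_stanza() {
    printf '%s:\\\n\t:login-backoff=%s:\\\n\t:login-retries=%s:\\\n\t:tc=default:\n' \
        "$1" "$2" "$3"
}

# Usage: show the per-attempt schedule for the defaults, then the stanza.
if [ "${1:-}" = "demo" ]; then
    n=1
    while [ "$n" -le 10 ]; do
        echo "attempt $n: delay $(backoff_delay "$n" 3)s"
        n=$(( n + 1 ))
    done
    echo "total delay for one 10-attempt session: $(session_delay 3 10)s"
    login_class_stanza staff 3 10
fi
```

Run it as `sh backoff.sh demo` (hypothetical file name). The stanza is what you
would paste into /etc/login.conf for users assigned to that class with
`pw usermod -L staff` style class assignment; the actual manual disable remains
the `chsh -s /usr/sbin/nologin` command from earlier in the thread, since none
of these values ever flips the account into a locked state.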