Help on freeBSD 4.10
Chuck Swiger
cswiger at mac.com
Tue Feb 5 19:04:58 UTC 2008
On Feb 4, 2008, at 11:01 PM, Matthew Seaman wrote:
>>> As an administrator, how can i disable an account after three
>>> consecutive unsuccessful login attempts?
>>
>> As root, you could run:
>>
>> chsh -s /usr/sbin/nologin _user_
>
> Um... I don't think that's quite what the OP meant. He wants to
> automatically lock out anyone that fails 3 times to supply the right
> password.
Perhaps, although I preferred to answer the question which was
actually asked in this case, since automatically locking out accounts
results in a trivial denial-of-service condition whenever anyone
happens to do a brute-force scan on the machine in question.
> See login.conf(5), particularly these entries:
>
>   login-backoff  number  3   The number of login attempts allowed
>                              before the backoff delay is inserted
>                              after each subsequent attempt. The
>                              backoff delay is the number of tries
>                              above login-backoff multiplied by 5
>                              seconds.
>   login-retries  number  10  The number of login attempts allowed
>                              before the login fails.
>
> Note that this applies only to the login(1) program and so applies to
> textmode logins directly on the console. Other applications like xdm(1)
> have different controls, as do applications that provide remote access
> like ssh(1).
Have you actually tried setting these? They make the system add a
pause if the wrong password is entered several times, but they will
not actually lock the account.
--
-Chuck
More information about the freebsd-questions mailing list