locking out user accounts after 3 login failures...

Michael Carlson mcarlson at m87-blackhole.org
Wed Aug 6 15:37:53 PDT 2003



On Wed, 6 Aug 2003, Chuck Swiger wrote:

> Michael Carlson wrote:
> > My work requires multiple user systems to automatically lock out a user
> > account after 3 login authentication failures. I am running 5.1 and I have
> > not seen anything like this in PAM or login.conf (though there is the
> > login-backoff option, but that's not exactly what I want).
>
> Ugh.  Explain what "denial of service" means by asking your boss what happens if
> and when an annoyed employee enters the boss's username and locks him out?

I do not disagree; unfortunately, this requirement is in an ancient DOE
document, and they seem to hate change.

>
> It's reasonable to want to improve the security of reusable passwords, but
> that's the wrong approach.  Your boss should consider biometrics or smart cards
> (SecurID)...
>
I am looking into this as well, as we have a SecurID ACE server (running
on Windows, another black mark) but it is unfamiliar territory to me.

> --
> -Chuck
>
>
>

