On Mon, Mar 04, 2002 at 01:03:21PM -0500, Paul Greene wrote:
>
> Is there a capability within the PAM authentication modules to implement a
> user account lockout if someone fails a login more than, say, 3 times in
> a row?
>
> The intention would be that if a user fails a login more than 3 times
> within a certain time period (like within a time period of 30 minutes or
> so), the account is locked until a sys admin releases the account.

I believe that this functionality is there, but you could be in for a serious denial of service attack if you implement this. Imagine a bad guy getting a hold of your userlist and trying each account, locking each one out in turn :-(

A much better solution is that which is implemented by default in VMS - lock the account for a random period of time - usually around 5 minutes - but don't lock it permanently. When the account is locked, accept all passwords, even the correct one, and return a standard user authorization failure - the same message, no matter if the account is locked, has an incorrect username, or an incorrect password.

I do not know how this can be in Linux today, if at all.

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
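
The temporary-lockout policy described in the reply above, as an added Python sketch that is not part of the original message and is neither PAM nor VMS code. The names `TemporaryLockout` and `GENERIC_FAILURE`, the threshold of 3 failures in 30 minutes (taken from the question) and the 4 to 6 minute lock range (standing in for "around 5 minutes") are assumptions.

```python
import hmac
import random

GENERIC_FAILURE = "Login incorrect"  # one message for every failure cause


class TemporaryLockout:
    """Lock an account for a random, bounded time; never permanently."""

    def __init__(self, users, max_failures=3, window=1800,
                 lock_range=(240, 360), rng=None):
        self.users = users              # constructed demo data: name -> password
        self.max_failures = max_failures
        self.window = window            # seconds in which failures are counted
        self.lock_range = lock_range    # seconds: assumed "around 5 minutes"
        self.rng = rng or random.SystemRandom()
        self.failures = {}              # name -> timestamps of recent failures
        self.locked_until = {}          # name -> time at which the lock expires

    def login(self, username, password, now):
        # Do the comparison for unknown names too, so every path does the
        # same work and ends in the same message.
        expected = self.users.get(username, "")
        ok = username in self.users and hmac.compare_digest(
            password.encode(), expected.encode())

        # While locked, even the correct password gets the generic failure,
        # so the response does not reveal that the account is locked.
        if now < self.locked_until.get(username, 0):
            return False, GENERIC_FAILURE
        if ok:
            self.failures.pop(username, None)
            return True, "ok"

        # Keep only failures inside the window, then record this one.
        recent = [t for t in self.failures.get(username, [])
                  if now - t < self.window]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_failures:
            # The lock expires on its own, so no administrator has to
            # release it and a sweep of the user list only delays logins.
            self.locked_until[username] = now + self.rng.uniform(*self.lock_range)
            self.failures[username] = []
        return False, GENERIC_FAILURE
```

Unknown usernames are tracked the same way as real ones here so their responses match; a production version would bound that table and store password hashes rather than plaintext.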