From: Chuck Swiger
Date: Wed, 06 Aug 2003 17:35:32 -0400
To: Michael Carlson
cc: freebsd-questions@freebsd.org
Subject: Re: locking out user accounts after 3 login failures...

Michael Carlson wrote:
> My work requires multiple user systems to automatically lock out a user
> account after 3 login authentication failures. I am running 5.1 and I have
> not seen anything like this in PAM or login.conf (though there is the
> login-backoff option, but that's not exactly what I want).

Ugh. Explain what "denial of service" means by asking your boss what happens if and when an annoyed employee enters the boss's username and locks him out?

It's reasonable to want to improve the security of reusable passwords, but that's the wrong approach. Your boss should consider biometrics or smart cards (SecurID)...

-- 
-Chuck