Date: Thu, 25 Feb 1999 19:59:32 -0600
From: Alan Weber
To: Matthew Hunt
Cc: freebsd-questions@freebsd.org
Subject: Re: Security question
Message-ID: <19990225195931.A14743@austin.rr.com>
References: <913B8C252194D2119BD500805F3181789704F6@za12nt02.mweb.com> <19990225162636.A46163@wopr.caltech.edu>
In-Reply-To: <19990225162636.A46163@wopr.caltech.edu>; from Matthew Hunt on Thu, Feb 25, 1999 at 04:26:36PM -0800

On Thu, Feb 25, 1999 at 04:26:36PM -0800, Matthew Hunt wrote:
--> On Thu, Feb 25, 1999 at 09:23:03PM +0200, Langa Kentane wrote:
-->
--> > I have been caught up in the evil of Micro$oft for a while now. What I want
--> > to know is whether or not there is some way in FreeBSD that you can lockout
--> > an account after a certain number of unsuccessful logons.
-->
--> I don't know offhand how to do that, but one thing to keep in
--> mind is that if you lock out a user because of too many unsuccessful
--> logins, then anybody can deny service to one of your users by
--> logging in unsuccessfully.
-->
--> That is, I might not want to break into your system, I just try
--> logging in with your password and get you locked out in order to
--> annoy you, distract you, keep you from getting work done, whatever.

I have this feature set at work on an HP-UX machine. It is real annoying
to have someone hammer root and lock out root. Then I have to go downstairs
and do a real console login to change the damn password and reset the
account. Since I don't spend much time as root, I only notice at the odd
moment I have to do some admin.

Novell Netware also has this "feature" and I have seen it used for mischief
on occasion.

I would prefer to have the system insert an increasing delay that grows to
60 seconds or some configurable value with a decay to zero after a while.
I still think that having a secure cryptic password should be adequate.

One useful feature would be to add password policies to FreeBSD.
Min length/format/etc.

--
When I was a kid I had to rub sticks together to multiply and divide numbers.
A calculator was a job description.
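
The increasing delay with decay that the message prefers over a hard lockout, as an added example (not part of the original post and not FreeBSD code). The struct, the function names, the doubling schedule and the 300-second decay interval are assumptions; only the 60-second cap comes from the message.

```c
#include <stdio.h>
#define MAX_DELAY  60   /* cap named in the message, seconds */
#define DECAY_SECS 300  /* assumed: one failure forgotten per 5 quiet minutes */
#define MAX_FAILS  7    /* 2^(7-1) = 64 already exceeds the cap; stop counting */

struct throttle {       /* per-account state; names are hypothetical */
    unsigned failures;  /* failures not yet decayed */
    long last_fail;     /* time of the last counted failure, seconds */
};

/* Forget one failure for every DECAY_SECS of quiet since the last one. */
static void throttle_decay(struct throttle *t, long now)
{
    long forgiven = (now - t->last_fail) / DECAY_SECS;
    if (t->failures == 0 || forgiven <= 0) return;
    if (forgiven > (long)t->failures)
        forgiven = (long)t->failures;
    t->failures -= (unsigned)forgiven;
    t->last_fail += forgiven * DECAY_SECS;
}

/* Seconds to stall the next attempt: 1, 2, 4, ... capped at MAX_DELAY. */
unsigned throttle_delay(struct throttle *t, long now)
{
    throttle_decay(t, now);
    if (t->failures == 0) return 0;
    if (t->failures >= MAX_FAILS) return MAX_DELAY;
    return 1u << (t->failures - 1);
}

/* Record an attempt; the account is never disabled, only slowed. */
void throttle_record(struct throttle *t, long now, int success)
{
    throttle_decay(t, now);
    if (success) { t->failures = 0; return; }
    if (t->failures < MAX_FAILS) t->failures++;  /* saturate so decay stays bounded */
    t->last_fail = now;
}

int main(void)
{
    struct throttle root = {0, 0};
    for (long now = 0; now < 20; now++)   /* constructed burst of bad logins */
        throttle_record(&root, now, 0);
    unsigned busy = throttle_delay(&root, 19);
    unsigned idle = throttle_delay(&root, 19 + MAX_FAILS * DECAY_SECS);
    printf("delay after burst: %us, after quiet period: %us\n", busy, idle);
    return 0;
}
```

Because the failure count saturates, someone hammering root can cost the real administrator at most 60 seconds per login, and the penalty is gone after 35 quiet minutes without a console reset.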