reply on u_numunsuclog and u_lock from security team

From: Martin Mokrejs <mmokrejs_at_natur.cuni.cz>
Date: Thu, 03 Dec 1998 19:40:53 +0100 (MET)

Hello,
 this is not a question, my apologies. However, many people have asked in
the past for scripts to lock (unlock) accounts from the command line. All of
them manipulated only the :u_lock: flag in the protected database. I'd like
to mention that not all accounts may be locked only by this mechanism, i.e.
a home-made unlock will not work in all cases.
 My idea was to modify authck to report prpasswd entries having
:u_lock@: but being locked by too many unsuccessful login attempts.
 The response seems to be reasonable, so - modify your scripts to check
:u_numunsuclog: !

--
Martin Mokrejs - PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs
<mmokrejs_at_natur.cuni.cz> Faculty of Science, The Charles University

---------- Forwarded message ----------
Date: Wed, 02 Dec 1998 16:49:02 -0500
From: Hitesh Chitalia <chitalia_at_unx.dec.com>
To: mmokrejs_at_natur.cuni.cz
Subject: reply on u_numunsuclog and u_lock from security team

The account locking mechanisms which use u_numunsuclog and u_lock are
independent; either one can lock a user account. Writing an application
which only checks u_lock to see if an account is locked will not detect
an account locked because of too many logfails. This behavior is consistent
with the design of the Security Integration Architecture.
 The authck routine checks internal consistency of the authentication
database; account locking is not a corruption problem and there are no plans
to modify authck.
Received on Thu Dec 03 1998 - 18:42:42 NZDT
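
The check described in the thread, as an added example that is not code from either message or from the vendor: a shell function that reads one protected-database entry and reports which of the two independent mechanisms locks the account. The sample entry is constructed, the function name is hypothetical, and the failed-login limit is passed in by the caller because the thread does not say where that limit is stored; treating a count equal to the limit as locked is also an assumption.

```shell
#!/bin/sh
# Added example. lock_state LIMIT reads one prpasswd-style entry on stdin and
# prints: unlocked | locked:u_lock | locked:u_numunsuclog | locked:both
# LIMIT is the allowed number of failed logins (caller-supplied assumption).
lock_state() {
    limit=$1
    # Join backslash-continued lines, then split into one field per line.
    fields=$(sed -e 's/\\$//' -e 's/^[[:space:]]*//' | tr -d '\n' | tr ':' '\n')
    admin=no
    fails=0
    while IFS= read -r f; do
        case $f in
            u_lock@) admin=no ;;      # boolean explicitly false
            u_lock)  admin=yes ;;     # boolean true: administrative lock
            u_numunsuclog#*) fails=${f#u_numunsuclog#} ;;
        esac
    done <<EOF
$fields
EOF
    # Treat a missing or malformed counter as zero failed attempts.
    case $fails in
        ''|*[!0-9]*) fails=0 ;;
    esac
    counter=no
    if [ "$fails" -ge "$limit" ]; then
        counter=yes
    fi
    if [ "$admin" = yes ] && [ "$counter" = yes ]; then
        echo "locked:both"
    elif [ "$admin" = yes ]; then
        echo "locked:u_lock"
    elif [ "$counter" = yes ]; then
        echo "locked:u_numunsuclog"
    else
        echo "unlocked"
    fi
}

# Constructed sample entry: u_lock is false, yet six failed logins are recorded.
SAMPLE='jdoe:u_name=jdoe:u_id#1001:\
    :u_numunsuclog#6:u_lock@:chkent:'

# A script that looked only at u_lock would call this account unlocked.
printf '%s\n' "$SAMPLE" | lock_state 5
```

An unlock script built on the same parse has to reset the failure counter as well as clear the flag, since either one alone keeps the account locked.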