Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020

Modifying Login Policy

This section assumes that you have completed New Feature – Enabling the account-policy Service.

Security attributes that are properties of the config/etc_default_login stencil of the account-policy service include:

$ svcprop -p login_policy account-policy:default
login_policy/annotation astring
login_policy/auto_unlock_time astring
login_policy/clearance astring
login_policy/disabletime count
login_policy/lock_after_retries astring
login_policy/pam_policy astring
login_policy/password_required boolean
login_policy/retries count
login_policy/root_login_device astring
login_policy/sleeptime count
login_policy/timeout count

For more information, see the account-policy(8S) man page.

How to Set Account Locking for All Logins

Use this procedure to prevent malicious login attempts by locking a user's account after a certain number of failed login attempts.

Caution  -  Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep the system available for administrators.

Before You Begin

You have completed New Feature – Enabling the account-policy Service. You must become an administrator who is assigned the User Security rights profile. The root role is assigned this profile. For more information, see Using Your Assigned Administrative Rights.

  1. Find the full names of the retries SMF properties from the account-policy stencil.
    $ svcprop account-policy | grep retries
    login_policy/lock_after_retries astring
    login_policy/retries count
  2. Set the lock_after_retries property value to yes.
    $ pfbash svccfg -s account-policy
    svc:/.../account-policy> setprop config/etc_default_login/disabled = boolean: false
    svc:/.../account-policy> setprop login_policy/lock_after_retries = yes
    svc:/.../account-policy> exit
  3. Set the retries count to 3 and refresh the service.
    $ svccfg -s account-policy \
    setprop login_policy/retries = 3
    $ svcadm refresh account-policy
  4. (Optional) Specify a time after which a user can re-authenticate to a locked account.
    1. Find the full name of the unlock SMF property from the account-policy stencil.
      $ svcprop account-policy | grep unlock
      login_policy/auto_unlock_time astring
    2. Set the auto_unlock_time property value and refresh the service.

      The following command enables users to log in without administrative intervention three hours and five minutes after the account locks.

      $ svccfg -s account-policy \
        setprop login_policy/auto_unlock_time = 185m
      $ svcadm refresh account-policy
  5. To unlock a locked user, use the passwd command.
    # passwd -u username

    You as an administrator can unlock user accounts in both the files and ldap naming services.

See Also