This section assumes that you have completed New Feature – Enabling the account-policy Service.
Security attributes that are properties of the config/etc_default_login stencil of the account-policy service include:
$ svcprop -p login_policy account-policy:default
login_policy/annotation astring
login_policy/auto_unlock_time astring
login_policy/clearance astring
login_policy/disabletime count
login_policy/lock_after_retries astring
login_policy/pam_policy astring
login_policy/password_required boolean
login_policy/retries count
login_policy/root_login_device astring
login_policy/sleeptime count
login_policy/timeout count
For more information, see the account-policy(8S) man page.
Use this procedure to prevent malicious login attempts by locking a user's account after a certain number of failed login attempts.
Caution - Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep the system available for administrators.
Before You Begin
You have completed New Feature – Enabling the account-policy Service. You must become an administrator who is assigned the User Security rights profile. The root role is assigned this profile. For more information, see Using Your Assigned Administrative Rights.
$ svcprop account-policy | grep retries
login_policy/lock_after_retries astring
login_policy/retries count
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_default_login/disabled = boolean: false
svc:/.../account-policy> setprop login_policy/lock_after_retries = yes
svc:/.../account-policy> exit
$ svccfg -s account-policy \
    setprop login_policy/retries = 3
$ svcadm refresh account-policy
$ svcprop account-policy | grep unlock
login_policy/auto_unlock_time astring
The following command enables users to log in without administrative intervention three hours and five minutes after the account locks.
$ svccfg -s account-policy \
    setprop login_policy/auto_unlock_time = 185m
$ svcadm refresh account-policy
# passwd -u username
As an administrator, you can unlock user accounts in both the files and ldap naming services.
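The following audit script is an added example, not Oracle's code or part of the account-policy service: it parses `svcprop account-policy` output of the `pg/prop type value` form shown above and reports whether the lockout settings from this procedure (stencil enabled, lock_after_retries, retries, auto_unlock_time) are in place. The sample output, the retry threshold, the assumption that a missing `config/etc_default_login/disabled` means the stencil is disabled, and the `<n>m` duration format (the only one this page shows) are all assumptions of the example.

```python
import re

# Constructed sample of `svcprop account-policy` output after the procedure
# has been completed (not captured from a real host).
SAMPLE_SVCPROP = """\
config/etc_default_login/disabled boolean false
login_policy/lock_after_retries astring yes
login_policy/retries count 3
login_policy/auto_unlock_time astring 185m
login_policy/root_login_device astring /dev/console
"""


def parse_svcprop(text):
    """Map each `<pg>/<prop> <type> <value>` line to {name: value}; lines without a value are skipped."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, _type, value = parts
            props[name] = value
    return props


def unlock_minutes(value):
    """Return the minutes in an auto_unlock_time value such as '185m'; None if the format is not recognised.
    Assumption: only the 'm' suffix shown on the page is handled."""
    match = re.fullmatch(r"(\d+)m", value.strip())
    return int(match.group(1)) if match else None


def audit_lockout_policy(text, max_retries=5):
    """Return a list of findings; an empty list means the lockout policy is configured as described."""
    props = parse_svcprop(text)
    findings = []
    # Assumption: the stencil is disabled unless the property is explicitly 'false'.
    if props.get("config/etc_default_login/disabled", "true") != "false":
        findings.append("etc_default_login stencil is disabled; login_policy settings are not applied")
    if props.get("login_policy/lock_after_retries") != "yes":
        findings.append("lock_after_retries is not 'yes'; accounts never lock")
    retries = props.get("login_policy/retries")
    if retries is None or not retries.isdigit() or int(retries) > max_retries:
        findings.append(f"retries is {retries!r}; expected an integer <= {max_retries}")
    if unlock_minutes(props.get("login_policy/auto_unlock_time", "")) is None:
        findings.append("auto_unlock_time unset or unparsed; locked accounts need manual 'passwd -u'")
    return findings
```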
See Also
For a discussion of user and role security attributes, see Reference for Oracle Solaris Rights.
Selected man pages include passwd(1) and account-policy(8S).