
Securing Users and Processes in Oracle® Solaris 11.4


Updated: November 2020
 
 

Modifying Login Policy

This section assumes that you have completed New Feature – Enabling the account-policy Service.

Security attributes that are properties of the config/etc_default_login stencil of the account-policy service include:

$ svcprop -p login_policy account-policy:default
login_policy/annotation astring
login_policy/auto_unlock_time astring
login_policy/clearance astring
login_policy/disabletime count
login_policy/lock_after_retries astring
login_policy/pam_policy astring
login_policy/password_required boolean
login_policy/retries count
login_policy/root_login_device astring
login_policy/sleeptime count
login_policy/timeout count

For more information, see the account-policy(8S) man page.

How to Set Account Locking for All Logins

Use this procedure to blunt malicious login attempts, such as password guessing, by locking a user's account after a set number of failed login attempts.


Caution - Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep the system available for administrators.


Before You Begin

You have completed New Feature – Enabling the account-policy Service. You must become an administrator who is assigned the User Security rights profile. The root role is assigned this profile. For more information, see Using Your Assigned Administrative Rights.

  1. Find the full names of the retries SMF properties from the account-policy stencil.
    $ svcprop account-policy | grep retries
    login_policy/lock_after_retries astring
    login_policy/retries count
  2. Enable the etc_default_login stencil and set the lock_after_retries property value to yes.
    $ pfbash svccfg -s account-policy
    svc:/.../account-policy> setprop config/etc_default_login/disabled = boolean: false
    svc:/.../account-policy> setprop login_policy/lock_after_retries = yes
    svc:/.../account-policy> exit
  3. Set the retries count to 3 and refresh the service.
    $ svccfg -s account-policy \
    setprop login_policy/retries = 3
    $ svcadm refresh account-policy
  4. (Optional) Specify a time after which a user can re-authenticate to a locked account.
    1. Find the full name of the unlock SMF property from the account-policy stencil.
      $ svcprop account-policy | grep unlock
      login_policy/auto_unlock_time astring
    2. Set the auto_unlock_time property value and refresh the service.

      The following command enables users to log in without administrative intervention three hours and five minutes after the account locks.

      $ svccfg -s account-policy \
        setprop login_policy/auto_unlock_time = 185m
      $ svcadm refresh account-policy
  5. To unlock a locked user, use the passwd command.
    # passwd -u username

    As an administrator, you can unlock user accounts in both the files and ldap naming services.
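
An audit helper, added here as an example and not part of the Oracle documentation, that parses svcprop-style "name type value" output and checks that the settings from the procedure above are in place. The svcprop listing in the script is constructed; the h/d/w suffixes for auto_unlock_time are an assumption, since only the 185m form appears on this page.

```shell
#!/bin/sh
# Audit helper (added example, not from the Oracle documentation): parses
# svcprop-style "name type value" lines (on a real system: svcprop account-policy)
# and reports whether the lockout settings from the procedure above are in place.

# Constructed sample of what svcprop prints after steps 2 to 4 are applied.
SAMPLE_PROPS='config/etc_default_login/disabled boolean false
login_policy/lock_after_retries astring yes
login_policy/retries count 3
login_policy/auto_unlock_time astring 185m'

# prop_value FILE NAME: print the value column of property NAME (empty if unset).
prop_value() {
    awk -v name="$2" '$1 == name { print $3 }' "$1"
}

# unlock_seconds VALUE: convert an auto_unlock_time value such as 185m to seconds.
# Only "m" appears on the page; h/d/w are assumed, so confirm them in account-policy(8S).
unlock_seconds() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]*$//')
    [ -n "$num" ] || { echo 0; return 1; }
    case "$1" in
        *m) echo $((num * 60)) ;;
        *h) echo $((num * 3600)) ;;
        *d) echo $((num * 86400)) ;;
        *w) echo $((num * 604800)) ;;
        *)  echo "$num" ;;
    esac
}

# check_lockout FILE: 0 when the stencil is enabled, locking is on and retries is 1..3.
check_lockout() {
    f="$1"; rc=0
    [ "$(prop_value "$f" config/etc_default_login/disabled)" = "false" ] \
        || { echo "etc_default_login stencil is not enabled"; rc=1; }
    [ "$(prop_value "$f" login_policy/lock_after_retries)" = "yes" ] \
        || { echo "lock_after_retries is not yes"; rc=1; }
    retries=$(prop_value "$f" login_policy/retries)
    { [ -n "$retries" ] && [ "$retries" -ge 1 ] && [ "$retries" -le 3 ]; } 2>/dev/null \
        || { echo "retries is unset or above 3"; rc=1; }
    return $rc
}

# Stand-alone demo on the constructed sample.
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_PROPS" > "$tmpfile"
check_lockout "$tmpfile" && echo "lockout policy OK; auto-unlock after $(unlock_seconds "$(prop_value "$tmpfile" login_policy/auto_unlock_time)") seconds"
rm -f "$tmpfile"
```

Feed the script real output with `svcprop account-policy > props.txt` and call `check_lockout props.txt` to spot a host where the stencil was enabled but the retries count was never set.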

See Also