Use this procedure to lock regular user accounts after a certain number of failed login attempts.
Before You Begin
Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep it available for administrators.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Choose the scope of the attribute value.
This protection applies to any user who attempts to use the system.
# pfedit /etc/security/policy.conf
...
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
...
This protection applies only to the user for whom you run this command. If you have many users, this is not a scalable solution.
# usermod -K lock_after_retries=yes username
This protection applies to any user or system where you assign this rights profile.
# profiles -p shared-profile -S ldap
shared-profile: set lock_after_retries=yes
...
For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.3.
If you have many users that share a rights profile, setting this value in a rights profile can be a scalable solution.
# usermod -P shared-profile username
You can also assign the profile per system in the policy.conf file.
# pfedit /etc/security/policy.conf
...
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=shared-profile,Basic Solaris User
Choose the scope of the attribute value.
# pfedit /etc/default/login
...
#RETRIES=5
RETRIES=3
...
# usermod -K lock_after_retries=3 username
Follow the "Create and assign a rights profile" option in Step 1 to create a rights profile that includes lock_after_retries=3.
# passwd -u username
A user who is locked out cannot log in without administrative intervention. You can unlock user accounts in both the files and ldap naming services.
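To confirm which lockout settings are in force after this procedure, the following added example (not part of the Oracle documentation) reads the files the steps edit and reports the value that applies to each user. It assumes that a per-user lock_after_retries value in user_attr overrides the system-wide LOCK_AFTER_RETRIES value, and it does not consult rights profiles or LDAP entries; the function names, the user jdoe and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit local lockout settings. Reads files only; rights
# profiles and LDAP entries are NOT consulted (assumption of this sketch).

# conf_value FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -1)
    echo "${v:-$3}"
}

# user_lock FILE USER: lock_after_retries value from the user's user_attr(4)
# entry (user:qualifier:res1:res2:attr; attr is a ';'-separated key=value list).
user_lock() {
    awk -F: -v u="$2" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^lock_after_retries=/) {
                sub(/^[^=]*=/, "", kv[i]); print kv[i]
            }
    }' "$1" 2>/dev/null | tail -1
}

# effective_lock POLICY USER_ATTR USER: the per-user value when one is set,
# otherwise the system-wide LOCK_AFTER_RETRIES (NO when unset), lower-cased.
effective_lock() {
    u=$(user_lock "$2" "$3")
    if [ -n "$u" ]; then echo "$u"
    else conf_value "$1" LOCK_AFTER_RETRIES NO
    fi | tr 'A-Z' 'a-z'
}

# Constructed sample files standing in for /etc/security/policy.conf,
# /etc/default/login and /etc/user_attr.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#LOCK_AFTER_RETRIES=NO' 'LOCK_AFTER_RETRIES=YES' > "$demo/policy.conf"
printf '%s\n' '#RETRIES=5' 'RETRIES=3' > "$demo/login"
printf '%s\n' 'root::::type=role;lock_after_retries=no' \
    'jdoe::::type=normal' > "$demo/user_attr"

# RETRIES falls back to 5, the commented-out value shown in the procedure.
for user in root jdoe; do
    lock=$(effective_lock "$demo/policy.conf" "$demo/user_attr" "$user")
    echo "$user: lock_after_retries=$lock RETRIES=$(conf_value "$demo/login" RETRIES 5)"
done
```

On a real system, pass /etc/security/policy.conf, /etc/user_attr and /etc/default/login to the functions in place of the sample files.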
See Also
For a discussion of user and role security attributes, see Chapter 8, Reference for Oracle Solaris Rights in Securing Users and Processes in Oracle Solaris 11.3.
Selected man pages include passwd(1), policy.conf(4), profiles(1), user_attr(4), and usermod(1M).