
Oracle® Solaris 11.3 Security and Hardening Guidelines


Updated: March 2018

How to Set Account Locking for Regular Users

Use this procedure to lock regular user accounts after a certain number of failed login attempts.


Note - Roles are shared accounts. Do not set account locking for roles, or for users who can assume roles, because one locked user can lock out the role for everyone who shares it.

Before You Begin

Do not set this protection system-wide on a system that you use for administrative activities. Rather, monitor the administrative system for unusual use and keep it available for administrators.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Set the LOCK_AFTER_RETRIES security attribute to YES.

    Choose the scope of the attribute value.

    • Set system-wide.

      This protection applies to any user who attempts to use the system.

      # pfedit /etc/security/policy.conf
      ...
      #LOCK_AFTER_RETRIES=NO
      LOCK_AFTER_RETRIES=YES
      ...
    • Set per user.

      This protection applies only to the user for whom you run this command. If you have many users, this is not a scalable solution.

      # usermod -K lock_after_retries=yes username
    • Create and assign a rights profile.

      This protection applies to any user or system where you assign this rights profile.

      1. Create the rights profile.
        # profiles -p shared-profile -S ldap
        shared-profile: set lock_after_retries=yes
        ...

        For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.3.

      2. Assign the rights profile to users or system-wide.

        If you have many users who share a rights profile, setting this value in the rights profile is a scalable solution.

        # usermod -P shared-profile username

        You can also assign the profile per system in the policy.conf file.

        # pfedit /etc/security/policy.conf
        ...
        #PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=shared-profile,Basic Solaris User
  2. Set the RETRIES security attribute to 3.

    Choose the scope of the attribute value.

    • Set system-wide.
      # pfedit /etc/default/login
      ...
      #RETRIES=5
      RETRIES=3
      ...
    • Set per user.
      # usermod -K lock_after_retries=3 username
    • Create and assign a rights profile.

      Follow the "Create and assign a rights profile" option in Step 1 to create a rights profile that includes lock_after_retries=3.

  3. To unlock a locked user, use the passwd command.
    # passwd -u username

    A user who is locked out cannot log in without administrative intervention. You can unlock user accounts in both the files and ldap naming services.
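The following audit script is an added example and is not part of the Oracle guide. It resolves the effective lock_after_retries setting for a user across the three scopes the procedure describes (a direct user attribute, an attribute inherited from a rights profile, and the system-wide policy.conf value) and reports the RETRIES count from /etc/default/login. The file contents are constructed inline so the script runs anywhere; the user and profile names, and the resolution order (user attribute first, then rights profile, then policy.conf), are assumptions made for this example. On a live Solaris 11 system you would read the real databases instead, for example with userattr(1).

```shell
#!/bin/sh
# Added example (not from the Oracle guide): audit effective account-locking
# settings. All file contents below are constructed samples.

# Constructed sample of /etc/security/policy.conf: LOCK_AFTER_RETRIES is
# left commented out, so the system-wide default does not enable locking.
SAMPLE_POLICY_CONF='#LOCK_AFTER_RETRIES=YES
PROFS_GRANTED=Basic Solaris User
'

# Constructed sample of /etc/default/login after Step 2.
SAMPLE_LOGIN='#RETRIES=5
RETRIES=3
'

# Constructed sample user_attr(4) entries (name:qualifier:res1:res2:attrs).
#   alice: locking set directly on the user (Step 1, "Set per user")
#   bob:   locking inherited from the shared-profile rights profile
#   dave:  explicit no overrides the profile he was assigned
#   erin:  nothing user-specific, falls back to policy.conf
SAMPLE_USER_ATTR='alice::::profiles=Basic Solaris User;lock_after_retries=yes
bob::::profiles=shared-profile,Basic Solaris User
dave::::profiles=shared-profile;lock_after_retries=no
erin::::profiles=Basic Solaris User
'

# Constructed sample prof_attr(4) entries (name:res1:res2:desc:attrs).
SAMPLE_PROF_ATTR='shared-profile:::Constructed lockout profile:lock_after_retries=yes
Basic Solaris User:::Constructed basic profile:auths=solaris.device.cdrw
'

# active_value CONTENT KEY: print the value of the last uncommented KEY=VALUE
# line; lines starting with # are ignored (assumption for this example).
active_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print val }'
}

# attr_value CONTENT NAME KEY: print KEY from the ;-separated attrs field
# (field 5) of the user_attr or prof_attr entry whose name is NAME.
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (split(kv[i], pair, "=") == 2 && pair[1] == key) print pair[2]
        }'
}

# lockout_status USER: print "yes:N" when USER locks after N failed logins,
# otherwise "no". Resolution order assumed here: direct user attribute, then
# the first assigned rights profile that sets the key, then policy.conf.
lockout_status() {
    setting=$(attr_value "$SAMPLE_USER_ATTR" "$1" lock_after_retries)
    if [ -z "$setting" ]; then
        # No direct attribute: look through the user's rights profiles.
        profs=$(attr_value "$SAMPLE_USER_ATTR" "$1" profiles)
        oldifs=$IFS
        IFS=','
        for prof in $profs; do
            v=$(attr_value "$SAMPLE_PROF_ATTR" "$prof" lock_after_retries)
            if [ -n "$v" ]; then
                setting=$v
                break
            fi
        done
        IFS=$oldifs
    fi
    if [ -z "$setting" ]; then
        # Nothing user-specific: fall back to the system-wide policy.conf value.
        setting=$(active_value "$SAMPLE_POLICY_CONF" LOCK_AFTER_RETRIES)
    fi
    case $(printf '%s' "$setting" | tr 'A-Z' 'a-z') in
        yes) printf 'yes:%s\n' "$(active_value "$SAMPLE_LOGIN" RETRIES)" ;;
        *)   printf 'no\n' ;;
    esac
}

# Report one line per sample user.
for u in alice bob dave erin; do
    printf '%-6s lock_after_retries -> %s\n' "$u" "$(lockout_status "$u")"
done
```

Because the sample policy.conf leaves LOCK_AFTER_RETRIES commented out, erin (no user-specific setting) is reported as not locking, which matches the "Before You Begin" advice of keeping locking off system-wide on an administrative host while still enabling it per user or per rights profile. Run it against real copies of the files by replacing the SAMPLE_* contents with `$(cat /etc/security/policy.conf)` and so on.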

See Also