Unix/Linux Forum: Solaris user Security implementation - Unix/Linux Forum

Solaris user Security implementation

#1 Asteroid

Posted 21 January 2009 - 12:20 PM

Hi gurus,

Need your help here:
How can we implement:

[1] User logout after 15 mins of inactivity.
I have edited /etc/default/login as TIMEOUT=60
But the user is not logged out after 60 sec of inactivity. How can we implement this?

[2] LOGIN should be blocked after max login attempts,
e.g. 3 bad passwords and the user is locked. And it is locked for a certain period, e.g. 20 min.

[3] Last 10 passwords are unique.
The passwords selected by the user must not match his previous passwords (up to the last 10 passwords).

[4] Password selection must be at least one char from lower, upper, numeric and special chars.
Password selection is forced to be exactly a regular expression having all the above chars.

We have to enforce the security on a SUN machine by implementing the above conditions.
Any help will be appreciated.
Thanks and Regards
@Asteroid

#2 eggi

Posted 22 January 2009 - 03:40 AM

Hey There,

For number 1, set the timeout to 15 since that variable counts in minutes (they don't all use the same increment, which can be misleading).

For numbers 2 through 4 (and even more), check out this link -- You'll need to be running Solaris 10, minimum, but they've greatly increased the options you have to enforce password complexity, temporary lockouts (instead of the default "login disable after so many failed attempts").

Hope this helps you out :)

http://www2.petervg....i?a=read&doc=81

, Mike
Linux Tips, Trick and Advice -- The Linux and Unix Menagerie
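
An added example, not part of eggi's post or the linked document: a POSIX shell audit of the Solaris 10 settings that map to requirements [2] to [4], namely HISTORY, MINUPPER, MINLOWER, MINDIGIT and MINSPECIAL in /etc/default/passwd, RETRIES in /etc/default/login and LOCK_AFTER_RETRIES in /etc/security/policy.conf. The function names and the sample file contents are constructed for illustration, and the timed 20-minute unlock from [2] is not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Needs a POSIX shell such as ksh or bash.

# get_key KEY FILE: value of the last uncommented KEY=VALUE line, or empty.
get_key() {
    sed -n "s/^[[:space:]]*$1=\([^[:space:]#]*\).*/\1/p" "$2" | tail -1
}

# at_least KEY MIN FILE: true if KEY is set to a number >= MIN.
at_least() {
    val=$(get_key "$1" "$3")
    case "$val" in ''|*[!0-9]*) return 1 ;; esac
    [ "$val" -ge "$2" ]
}

# audit_policy PASSWD_DEFAULTS LOGIN_DEFAULTS POLICY_CONF
# Prints each unmet requirement; exit status is the number of failures.
audit_policy() {
    fails=0
    # [3] password history and [4] one character from each class
    for spec in HISTORY:10 MINUPPER:1 MINLOWER:1 MINDIGIT:1 MINSPECIAL:1; do
        at_least "${spec%%:*}" "${spec##*:}" "$1" ||
            { echo "FAIL: ${spec%%:*} below ${spec##*:}"; fails=$((fails + 1)); }
    done
    # [2] lock the account after at most 3 bad passwords
    retries=$(get_key RETRIES "$2")
    case "$retries" in ''|*[!0-9]*) retries=0 ;; esac
    { [ "$retries" -ge 1 ] && [ "$retries" -le 3 ]; } ||
        { echo "FAIL: RETRIES not in 1..3"; fails=$((fails + 1)); }
    [ "$(get_key LOCK_AFTER_RETRIES "$3")" = YES ] ||
        { echo "FAIL: LOCK_AFTER_RETRIES is not YES"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: history too short, MINSPECIAL commented out,
# lockout disabled. Three failures are expected.
write_sample() {
    printf 'HISTORY=5\nMINUPPER=1\nMINLOWER=1\nMINDIGIT=1\n#MINSPECIAL=1\n' > "$1/passwd"
    printf 'RETRIES=3\n' > "$1/login"
    printf 'LOCK_AFTER_RETRIES=NO\n' > "$1/policy.conf"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_policy "$demo_dir/passwd" "$demo_dir/login" "$demo_dir/policy.conf"
echo "failures: $?"
rm -rf "$demo_dir"
```

On a live system, point the three arguments at the real files and run it as a user who can read them.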

#3 Asteroid

Posted 22 January 2009 - 05:02 AM

THX Eggi,

eggi, on Jan 22 2009, 03:40 AM, said:

For number 1, set the timeout to 15 since that variable counts in minutes (they don't all use the same increment, which can be misleading)


I have changed it to 15. Now if I log in successfully, I am not auto logged out after 15 minutes nor after 15 sec of inactivity. But to my surprise, if I do not provide the credentials within 15 sec while establishing a TELNET session, the session is abandoned with the message "connection to HOST lost".

So, any more help?

#4 eggi

Posted 22 January 2009 - 05:12 AM

Hey Again,

You're correct - my mistake entirely - in /etc/default/login the TIMEOUT variable is for login timeouts. What you actually want to do is to set the environment variable TMOUT - you can add this to your /etc/profile and make it a read-only variable so that no one will be able to log in and then just change it on you:

Quote

TMOUT=15
readonly TMOUT
export TMOUT


Sorry about the mix-up :)

, Mike
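
An added example, not part of eggi's post: ksh and bash count TMOUT in seconds, so a 15-minute idle limit is TMOUT=900. This POSIX shell check, whose function names and sample profiles are constructed, verifies that a profile sets TMOUT within a limit and marks it readonly and exported.

```shell
#!/bin/sh
# Added example (not from the thread). The profile texts are constructed.

# tmout_value FILE: last number assigned to TMOUT on an uncommented line.
tmout_value() {
    sed -n 's/^\([^#]*[[:space:];]\)\{0,1\}TMOUT=\([0-9][0-9]*\).*/\2/p' "$1" | tail -1
}

# declared KEYWORD FILE: true if FILE runs "KEYWORD ... TMOUT" (readonly/export).
declared() {
    grep -Eq "(^|;)[[:space:]]*$1[[:space:]]+([^#;]*[[:space:]])?TMOUT(=|[[:space:]]|;|\$)" "$2"
}

# check_tmout FILE MAX_SECONDS: returns 0 if the idle timeout is set, bounded,
# read-only and exported; otherwise prints why and returns 1.
check_tmout() {
    bad=0
    secs=$(tmout_value "$1")
    if [ -z "$secs" ] || [ "$secs" -eq 0 ]; then
        echo "FAIL: TMOUT unset or 0, shells never time out"; bad=1
    elif [ "$secs" -gt "$2" ]; then
        echo "FAIL: TMOUT=$secs is longer than $2 seconds"; bad=1
    fi
    declared readonly "$1" || { echo "FAIL: TMOUT is not readonly"; bad=1; }
    declared export "$1" || { echo "FAIL: TMOUT is not exported"; bad=1; }
    return "$bad"
}

demo=$(mktemp -d)
printf 'TMOUT=900\nreadonly TMOUT\nexport TMOUT\n' > "$demo/good"  # 15 minutes
printf 'PATH=/usr/bin\nexport TMOUT=3600\n' > "$demo/weak"         # too long, not readonly
check_tmout "$demo/good" 900 && echo "good: ok"
check_tmout "$demo/weak" 900 || echo "weak: rejected"
rm -rf "$demo"
```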

#5 Asteroid

Posted 22 January 2009 - 05:57 AM

eggi, on Jan 22 2009, 05:12 AM, said:

Hey Again,

You're correct - my mistake entirely - in /etc/default/login the TIMEOUT variable is for login timeouts. What you actually want to do is to set the environment variable TMOUT - you can add this to your /etc/profile and make it a read-only variable so that no one will be able to log in and then just change it on you:

Quote

TMOUT=15
readonly TMOUT
export TMOUT


Sorry about the mix-up :)

, Mike



THX Eggi for the help. Some more questions.
1. We are using SOLARIS 8, can we still implement security points [2] to [4]?
2. Will the above variable TMOUT be retained and work on Solaris 8 unless a reboot occurs?
3. Can we do all the above for UNIX as well?

#6 eggi

Posted 23 January 2009 - 02:46 AM

Hey there,

Glad to help.

For Solaris 8, you might be able to do it. Look into the MD5 package. I'm not sure that it will do that, but it might.

2. If you set the TMOUT variable in /etc/profile, it will take effect for everyone, starting the next time they log in. No reboot necessary :)

3. Did you mean Linux? If so, yes. In fact, most distros of Linux support the stuff you want to do in a much easier manner. Let me know what distros you're looking at.

Best wishes,

Mike