Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BoS: /etc/default/login LOCKOUT= creates arbitrary files (f
From: ebradley () telesph com (Eugene Bradley)
Date: Tue, 8 Apr 1997 08:30:48 +0000

I just tested this "LOCKOUT" variable hole in /etc/default/login
on my Solaris 2.5.1 box (with all relevant recommended & security
patches installed) -- no dice.

On  7 Apr 97 at 16:12, Illuminati Primus <vermont () GATE NET> writes:

Several modern unixes provide configuration options for security and logging
in a file called /etc/default/login.  Irix, and I assume some others but
perhaps it's an Irix invention, includes a variable "LOCKOUT" which causes an
account with a specified number of incorrect login attempts in a row to be
locked (one successful login resets the count).  This seems like a really good
idea, especially if you set the variable high enough that no one would ever be
locked out through mistakes whereas any automated password guessing program
(which ran over the net by telnetting in) would be stopped.  Since one
successful login clears the record, people are not able to accumulate the
requisite number of failures over an extended period of time so as to be
suddenly surprised one day.  It should be good, if not for the following
serious security flaw, at least in Irix, checked in both 5.3 and 6.2.


ajr <flaps () dgp utoronto ca>
Eugene Bradley
System Administrator, Telesphere Corporation--New York, NY
eugene.bradley () telesph com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]