locked_out_acct_es(3)
locked_out_acct_es, locked_out_es - determine if password management
disallows user login (Enhanced Security)
#include <prot.h>

int locked_out_acct_es(
        struct es_passwd *prpwd,
        struct es_default *dfp,
        int flags,
        ... );

int locked_out_es(
        struct es_passwd *prpwd );
Security Library - libsecurity.so
prpwd
    Specifies a pointer to an extended profile structure.
dfp
    Specifies a pointer to the defaults database obtained from a
    getesdfnam() call.
flags
    Mask of bits that enable or disable features within the routine.
    It is intended to allow the locked_out_acct_es() routine to be
    extended with more options. The values in the variable argument
    list are read in the sequential order of the flags that are set,
    each with the type that its flag represents. Currently supported
    flags are:
    AUTH_LOCKED_OUT_AUD_FLAG
        The corresponding variable argument is of type int. A value
        of 0 indicates that the caller does NOT want to audit the
        account-locked-out event; any other value creates the event.
The locked_out_acct_es() function determines whether the
password management values for an extended profile prohibit
the user from logging in. This routine is called as
part of the login processing under enhanced security.
If the flags argument is nonzero, locked_out_acct_es() walks the bits
of the mask in order and, for each flag that is set, reads the next
value from the variable argument list with the type that flag
represents. For example, if the AUTH_LOCKED_OUT_AUD_FLAG bit is set,
the first variable parameter is read as an int and used as described
above.
In the field names that follow, uflg and ufld are the user's own flag
and field structures and sflg and sfld are the system defaults; an
fg_ flag records whether the corresponding fd_ value is set.
If the current time falls within the grace limit parameter
(uflg->fg_grace_limit and ufld->fd_grace_limit), then access is
allowed. Otherwise, the following values are checked, in the order
given.
If the profile has vacation information set
(uflg->fg_vac_start and uflg->fg_vac_end and
ufld->fd_vac_start and ufld->fd_vac_end), and the fields
are valid (both fd_vac_start and fd_vac_end are non-zero,
and the start time is less than the end time), and the
current time is during the vacation period, then the user
is prohibited from logging in.
If the profile has valid vacation information set, and
that vacation is now over, some adjustments are made to
other time intervals which get checked. If the last
successful password change was before that vacation, then
the password lifetime check is extended by the duration of
the user's vacation. If the last successful login was
before that vacation, then the maximum login interval
checked below is extended by the length of the vacation.
If the user's password has not been changed successfully
for a long enough time that it has passed its lifetime
(which may be adjusted for comparison purposes as
described above for the vacation handling), and it is not
a null password, then the user is prohibited from logging
in. (Fields checked are uflg->fg_encrypt,
ufld->fd_encrypt, uflg->fg_schange, ufld->fd_schange,
uflg->fg_lifetime, ufld->fd_lifetime, sflg->fg_lifetime,
sfld->fd_lifetime, in addition to the vacationing checks
above.)
If the profile is marked with a maximum login interval
(also known as minimum login frequency), and if the last
successful login time recorded (possibly adjusted by the
vacation handling described above) is more than that
interval before the present time, then the user is prohibited
from logging in. (Fields checked are uflg->fg_slogin,
ufld->fd_slogin, uflg->fg_max_login_int,
ufld->fd_max_login_int, and the vacationing checks above.)
If break-in evasion is enabled for the profile, that is, the maximum
number of allowed unsuccessful attempts is nonzero (uflg->fg_max_tries,
ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and at
least that many consecutive unsuccessful login attempts have been
recorded for the account (uflg->fg_nlogins, ufld->fd_nlogins), then
the user may be prohibited from logging in. If no last unsuccessful
login time is recorded (uflg->fg_ulogin), or no unlock interval is set
for the account (uflg->fg_unlockint, ufld->fd_unlockint,
sflg->fg_unlockint, sfld->fd_unlockint), the user is prohibited from
logging in. If a nonzero unlock interval and a last unsuccessful login
time are both recorded, but the last unsuccessful login time plus the
unlock interval is later than the current time, the user is prohibited
from logging in. If the system defaults field fd_skip_slogin_log is
set, an account is not locked out on the basis of any maximum login
interval set for the account. If the system defaults field
fd_skip_flogin_log is set, an account is not locked out on the basis
of attempted failures.
If the profile is marked as being locked by the system
administrator, then the user is prohibited from logging
in. (Fields checked are uflg->fg_lock, ufld->fd_lock,
sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked
out, a value of 0 is returned.
The attempt to execute an audgenl() call is contingent upon the
AUTH_LOCK_OUT_AUD_FLAG in the flags argument. That is, if the caller
sets the AUTH_LOCK_OUT_AUD_FLAG bit in the flags argument and supplies
a zero (0) as the first parameter after flags, then the audgenl() call
is not made.
In order to quickstart a program, the program must be linked as
follows:
        -lsecurity -ldb -laud -lm
See the shared library discussion in the Programmer's Guide for more
information about using the quickstarting feature.
When locked_out_acct_es() returns 1 to indicate that the user is
locked out, it also attempts to make an audit entry with audgenl() to
indicate that fact. The old locked_out_es() now calls
locked_out_acct_es(), passing prpwd as well as a pointer to an
es_default struct. The call is made as follows:
        return locked_out_acct_es(prpwd, dfp, 0);
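The decision sequence described above and the audit-flag convention, as an added example that is not part of this man page or of libsecurity: a self-contained C model of the checks. The profile and defaults structs are hypothetical stand-ins that hold only the fields the text names (they are not the prot.h es_passwd/es_default layouts), LO_AUD_FLAG stands in for the audit flag bit, a counter stands in for audgenl(), the clock is injected so the scenarios are repeatable, and a user value of 0 is treated as "not set, fall back to the system default" as a simplification.

```c
/* Added example, not code from this page or from libsecurity: a model of
 * the lockout decision described above. The structs are hypothetical
 * stand-ins holding only the fields the text names (0 = not set); they
 * are not the prot.h es_passwd/es_default layouts. */
#include <stdarg.h>
#include <stdio.h>
#include <time.h>

#define LO_AUD_FLAG 0x1   /* stand-in for the page's audit flag bit */
#define DAY 86400L

struct profile {          /* per-user values (the uflg/ufld fields) */
    time_t grace_limit, vac_start, vac_end;
    time_t schange, slogin, ulogin;   /* last pw change / login / failure */
    long lifetime, max_login_int, unlockint;
    int max_tries, nlogins, lock, has_password;
};
struct defaults {         /* system defaults (the sflg/sfld fields) */
    long lifetime, max_login_int, unlockint;
    int max_tries, lock, skip_slogin_log, skip_flogin_log;
};

int audits_made = 0;      /* counts stand-in audgenl() calls */
static long pick(long user, long sys) { return user ? user : sys; }
static int decide(int locked, int audit)    /* audit only on lockout */
{ if (locked && audit) audits_made++; return locked; }

/* 1 = locked out, 0 = allowed. 'now' is injected so runs are repeatable. */
int locked_out_model(const struct profile *p, const struct defaults *d,
                     time_t now, int flags, ...)
{
    int audit = 1;        /* default: audit the lockout event */
    va_list ap;
    va_start(ap, flags);
    if (flags & LO_AUD_FLAG)   /* first vararg is read as an int */
        audit = va_arg(ap, int);
    va_end(ap);
    if (p->grace_limit && now <= p->grace_limit)
        return decide(0, audit);                  /* inside grace limit */
    long life_adj = 0, int_adj = 0;
    if (p->vac_start && p->vac_end && p->vac_start < p->vac_end) {
        if (p->vac_start <= now && now <= p->vac_end)
            return decide(1, audit);              /* on vacation */
        if (now > p->vac_end) {                   /* vacation is over */
            long len = (long)(p->vac_end - p->vac_start);
            if (p->schange < p->vac_start) life_adj = len;
            if (p->slogin < p->vac_start)  int_adj = len;
        }
    }
    long life = pick(p->lifetime, d->lifetime);
    if (p->has_password && life && (long)(now - p->schange) > life + life_adj)
        return decide(1, audit);                  /* password lifetime passed */
    long maxint = pick(p->max_login_int, d->max_login_int);
    if (!d->skip_slogin_log && maxint && p->slogin &&
        (long)(now - p->slogin) > maxint + int_adj)
        return decide(1, audit);                  /* logged in too rarely */
    int tries = (int)pick(p->max_tries, d->max_tries);
    if (!d->skip_flogin_log && tries && p->nlogins >= tries) {
        long unl = pick(p->unlockint, d->unlockint);
        if (!p->ulogin || !unl || p->ulogin + unl > now)
            return decide(1, audit);              /* break-in evasion */
    }
    if (pick(p->lock, d->lock))
        return decide(1, audit);                  /* administrative lock */
    return decide(0, audit);
}

/* Constructed scenarios: fixed clock, illustrative system defaults. */
static const time_t NOW = 1700000000;
static const struct defaults sysdf = { .lifetime = 90 * DAY,
                                       .unlockint = 3600, .max_tries = 5 };

int scenario_expired_password(void) {
    struct profile p = { .schange = NOW - 100 * DAY, .has_password = 1 };
    return locked_out_model(&p, &sysdf, NOW, 0);            /* 1 */
}
int scenario_vacation_extends_lifetime(void) {  /* 100 days < 90 + 30 */
    struct profile p = { .schange = NOW - 100 * DAY, .has_password = 1,
                         .vac_start = NOW - 35 * DAY, .vac_end = NOW - 5 * DAY };
    return locked_out_model(&p, &sysdf, NOW, 0);            /* 0 */
}
int scenario_breakin(long secs_since_failure) {  /* 1 until unlockint passes */
    struct profile p = { .schange = NOW - DAY, .has_password = 1,
                         .nlogins = 5, .ulogin = NOW - secs_since_failure };
    return locked_out_model(&p, &sysdf, NOW, 0);
}
int scenario_audit(int flags, int want_audit) {  /* 1 if audit count matches */
    int before = audits_made;
    struct profile p = { .lock = 1 };
    int r = locked_out_model(&p, &sysdf, NOW, flags, want_audit);
    return r == 1 && audits_made == before + want_audit;
}

int main(void) {
    printf("expired=%d vacation-adjusted=%d breakin@600s=%d breakin@7200s=%d\n",
           scenario_expired_password(), scenario_vacation_extends_lifetime(),
           scenario_breakin(600), scenario_breakin(7200));
    return 0;
}
```

The scenarios show the two points a caller most often gets wrong: a vacation that ended after the last password change lengthens the lifetime comparison rather than triggering a lockout, and a break-in lock clears only once the unlock interval has elapsed since the last failure (with no recorded failure time or no interval, the account stays locked). Passing the audit flag bit with a 0 argument suppresses the audit record; omitting the bit leaves auditing on.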
A return of 1 indicates that the password management values
for this profile keep the associated user from logging
in at the current time. A return of 0 indicates that the
password management values for this profile do not prevent
the associated user from logging in.
getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)