Who locked my id?

nkamatam · April 15, 2010, 6:01pm

I am running Solaris 10. Occasionally, my id gets loked. I want to know who/which rougue process locked it.
How do I find out?

Thanks,
KNK

vbe · April 16, 2010, 3:54am

What do you call locked?
Is it you cannot connect (but others can at that precise time) with your account, or more you cannot execute anything more like opening a new session or execute a program e.g. vi a file (and again: others can...)

nkamatam · April 16, 2010, 1:07pm

There is a security check put up by the sysadmin. If a user logs on with the incorect password for 5 times in a raw, the password gets locked. The sysadmin should reset it again.
Off late, the id is getting locked often and I suspect an automated job or something rather than a manual attempt.

jim_mcnamara · April 16, 2010, 1:10pm

Question - have ever written any code with an embedded password or given your passwd to another programmer/user?

If you can answer yes, there is your problem.

nkamatam · April 16, 2010, 3:23pm

This in reality is a application id. I just happen to know the password. The application uses this id to ftp files in and out. There are some other FTP jobs too that login using this id.

---------- Post updated 04-17-10 at 12:53 AM ---------- Previous update was 04-16-10 at 10:44 PM ----------

That just makes me think of the password locking (after x invalid attempts) as a bad practice. If I want to bother you, I would type your password wrongly for x times everyday.
Unless there is a way to identify (atleast the originating ip address) of the machine from which wrong attempt has been made, this see this as a bad practice.

bluescreen · April 16, 2010, 4:19pm

I had this problem with DBA's trying to login as "oracle" and fat-fingering the password several times which locks the account. That by itself is not bad ... but ... then the cron jobs for "oracle" stop running and I get paged. So, to prevent this from happening I added the following line in /etc/user_attr:

oracle::::lock_after_retries=no

This prevents the account from being locked if the password is not entered correctly after a few tries. There are security risks in doing this (brute force password guessing among others) so be careful if you implement this method.

HTH

jgt · April 16, 2010, 6:44pm

Another possibility is there is an outside attack on your system by some one who knows a valid user but not the password.
There is usually a record of failed ftp passwords in the syslog file.

adderek · May 29, 2010, 6:32am

Hello,
I am afraid that it might be difficult to solve your problem here.
Your administrator did something - let him work on it... it might be a problem on his side - if not then he should be able to tell you what is happening.
If this is about the connections then your administrator should be able to read the logs (ex. who, when, from where, how, with what user account and password tried to connect) - you should not be allowed to read that as it would be a security issue.
Good luck

nkamatam · May 29, 2010, 10:01am

Even the admin in my case does not know how to find out. Which logs would tell him this information?

adderek · May 31, 2010, 5:16pm

How are you connecting to the server? I hope that it is SSH or something like this. Check /var/log/auth.log. If your admin did something (I mean the thing that blocks your connections) then your admin should have some logs and know the cause why your login was blocked. If not - I would think about another admin....
Good luck