locked_out_acct_es(3)
NAME
locked_out_acct_es, locked_out_es - determine if password-management
disallows user login (Enhanced Security)
SYNOPSIS
#include <prot.h>

int locked_out_acct_es(
        struct es_passwd *prpwd,
        struct es_default *dfp,
        int flags,
        ... );

int locked_out_es(
        struct es_passwd *prpwd );
LIBRARY
Security Library - libsecurity.so
PARAMETERS
prpwd
Specifies a pointer to an extended profile structure.
dfp
Specifies a pointer to the defaults database obtained from a
getesdfnam() call.
flags, ...
Mask of bits to enable or disable features within the routine. This is
intended to allow the locked_out_acct_es() routine to be extended with
more options. The values in the variable argument list are read in the
sequential order of the flags that are set, each with the type that its
flag represents.
Currently supported flags are:
AUTH_LOCKED_OUT_AUD_FLAG (0x001)
A value of 0 indicates that the caller wishes NOT to audit the
account-locked-out event. Any other value creates the event. Type is
int.
DESCRIPTION
The locked_out_acct_es() function determines whether the password
management values for an extended profile prohibit the user from logging
in. This routine is called as part of the login processing under enhanced
security.
If the flags field is non-zero, locked_out_acct_es() uses the mask in the
flags field to check sequentially for the presence of each specified flag and
retrieve the corresponding value from the variable argument list. For example, if
the AUTH_LOCKED_OUT_AUD_FLAG bit is set, then the first variable parameter
is read as an 'int' and is used as described above.
If the current time falls within the grace limit parameter
(uflg->fg_grace_limit and ufld->fd_grace_limit), then access is allowed.
Otherwise, the following values are checked.
If the profile has vacation information set (uflg->fg_vac_start and
uflg->fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the fields
are valid (both fd_vac_start and fd_vac_end are non-zero, and the start
time is less than the end time), and the current time is during the
vacation period, then the user is prohibited from logging in.
If the profile has valid vacation information set, and that vacation is now
over, some adjustments are made to other time intervals which get checked.
If the last successful password change was before that vacation, then the
password lifetime check is extended by the duration of the user's vacation.
If the last successful login was before that vacation, then the maximum
login interval checked below is extended by the length of the vacation.
If the user's password has not been changed successfully for a long enough
time that it has passed its lifetime (which may be adjusted for comparison
purposes as described above for the vacation handling), and it is not a
null password, then the user is prohibited from logging in. (Fields
checked are uflg->fg_encrypt, ufld->fd_encrypt, uflg->fg_schange,
ufld->fd_schange, uflg->fg_lifetime, ufld->fd_lifetime, sflg->fg_lifetime,
sfld->fd_lifetime, in addition to the vacation checks above.)
If the profile is marked with a maximum login interval (also known as
minimum login frequency), and if the last successful login time recorded
(possibly adjusted by the vacation handling described above) is more than
that interval before the present time, then the user is prohibited from
logging in. (Fields checked are uflg->fg_slogin, ufld->fd_slogin,
uflg->fg_max_login_int, ufld->fd_max_login_int, and the vacation checks
above.)
If break-in evasion is enabled for the profile with a non-zero value for
the maximum allowed unsuccessful attempts (uflg->fg_max_tries,
ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if there have
been at least that many consecutive unsuccessful login attempts recorded
for the account (uflg->fg_nlogins, ufld->fd_nlogins), then the user may be
prohibited from logging in. If there is no last unsuccessful login time
recorded (uflg->fg_ulogin) or if there is no unlock interval for the
account (uflg->fg_unlockint, ufld->fd_unlockint, sflg->fg_unlockint,
sfld->fd_unlockint), the user is prohibited from logging in. If there is a
non-zero unlock interval and a last unsuccessful login time has been
recorded, but adding the unlock interval to the last unsuccessful login
time produces a value which is greater than the current time, then the user
is prohibited from logging in. If the fd_skip_slogin_log system defaults
field is set, then an account is not locked out based on any maximum login
interval that may be set for the account. If the system defaults field
fd_skip_flogin_log is set, then an account is not locked out based on
attempted failures.
If the profile is marked as being locked by the system administrator, then
the user is prohibited from logging in. (Fields checked are uflg->fg_lock,
ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked out, a value of 0
is returned.
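As an added illustration (not Tru64's libsecurity code), the following C model applies the checks above in the order the page describes to a simplified, hypothetical profile structure whose fields are named after the fg_/fd_ fields cited; all values and the skip_slogin/skip_flogin parameters (standing in for fd_skip_slogin_log and fd_skip_flogin_log) are constructed.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical, flattened stand-in for the es_passwd/es_default fields the
 * page names; this is an illustrative model, not Tru64's struct layout. */
struct profile {
    time_t grace_limit;     /* login allowed until this time, 0 = none */
    time_t vac_start, vac_end;
    bool   has_password;    /* fg_encrypt/fd_encrypt: non-null password */
    time_t schange;         /* last successful password change */
    long   lifetime;        /* password lifetime in seconds, 0 = none */
    time_t slogin;          /* last successful login */
    long   max_login_int;   /* maximum login interval, 0 = none */
    int    nlogins;         /* consecutive unsuccessful logins */
    int    max_tries;       /* break-in evasion threshold, 0 = disabled */
    time_t ulogin;          /* last unsuccessful login, 0 = none recorded */
    long   unlockint;       /* unlock interval, 0 = none */
    bool   lock;            /* locked by the system administrator */
};

/* Returns 1 if the profile prohibits login at time 'now', else 0. */
int locked_out_model(const struct profile *p, time_t now,
                     bool skip_slogin, bool skip_flogin)
{
    if (p->grace_limit && now < p->grace_limit)
        return 0;                                   /* grace limit wins */
    bool vac_valid = p->vac_start && p->vac_end && p->vac_start < p->vac_end;
    long vac_len = 0;
    if (vac_valid) {
        if (now >= p->vac_start && now <= p->vac_end)
            return 1;                               /* currently on vacation */
        if (now > p->vac_end)                       /* vacation is over */
            vac_len = (long)(p->vac_end - p->vac_start);
    }
    /* Password lifetime, extended by the vacation if the change predates it. */
    if (p->has_password && p->lifetime) {
        long limit = p->lifetime + (p->schange < p->vac_start ? vac_len : 0);
        if (now - p->schange > limit) return 1;
    }
    /* Maximum login interval, extended the same way for the last login. */
    if (!skip_slogin && p->max_login_int) {
        long limit = p->max_login_int + (p->slogin < p->vac_start ? vac_len : 0);
        if (now - p->slogin > limit) return 1;
    }
    /* Break-in evasion: too many failures and no expired unlock window. */
    if (!skip_flogin && p->max_tries && p->nlogins >= p->max_tries) {
        if (!p->ulogin || !p->unlockint) return 1;      /* cannot auto-unlock */
        if (p->ulogin + p->unlockint > now) return 1;   /* window still open */
    }
    return p->lock ? 1 : 0;                         /* administrative lock */
}
```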
NOTES
1. The attempt to execute an audgenl() call is contingent upon the
AUTH_LOCKED_OUT_AUD_FLAG in the flags argument. That is, if someone
sets the AUTH_LOCKED_OUT_AUD_FLAG bit in the flags argument and supplies
a zero (0) as the first parameter after flags, then the audgenl() call
is not made.
2. In order to quickstart a program, the program must be linked as
follows: -lsecurity -ldb -laud -lm. See the shared library discussion
in the Programmer's Guide for more information about using the
quickstarting feature.
3. When locked_out_acct_es() returns 1 to indicate that the user is
locked out, it also attempts to make an audit entry with audgenl() to
indicate that fact.
4. The old locked_out_es() now calls locked_out_acct_es(), passing prpwd
as well as a pointer to an es_default struct. The call is made as
follows: return locked_out_acct_es(prpwd, dfp, 0);
RETURN VALUES
A return of 1 indicates that the password management values for this
profile keep the associated user from logging in at the current time. A
return of 0 indicates that the password management values for this profile
do not prevent the associated user from logging in.
SEE ALSO
getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)
Security