 |
Index for Section 3 |
|
 |
Alphabetical listing for L |
|
locked_out_es(3)
NAME
locked_out_es - determine if password-management disallows user login
(Enhanced Security)
LIBRARY
Security Library (libsecurity.so)
SYNOPSIS
#include <prot.h>
int locked_out_es(
struct es_passwd *prpwd);
PARAMETERS
prpwd
Specifies a pointer to an extended profile structure.
DESCRIPTION
The locked_out_es() function determines whether the password management
values for an extended profile prohibit the user from logging in. This
routine is called as part of the login processing under ENHANCED security.
If the current time falls within the grace limit parameter (uflg-
>fg_grace_limit and ufld->fd_grace_limit), then access is allowed.
Otherwise, the following values are checked.
If the profile has vacation information set (uflg->fg_vac_start and uflg-
>fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the fields
are valid (both fd_vac_start and fd_vac_end are non-zero, and the start
time is less than the end time), and the current time is during the
vacation period, then the user is prohibited from logging in.
If the profile has valid vacation information set, and that vacation is now
over, some adjustments are made to other time intervals which get checked.
If the last successful password change was before that vacation, then the
password lifetime check is extended by the duration of the user's vacation.
If the last successful login was before that vacation, then the maximum
login interval checked below is extended by the length of the vacation.
If the user's password has not been changed successfully for a long enough
time that it has passed its lifetime (which may be adjusted for comparison
purposes as described above for the vacation handling), and it is not a
null password, then the user is prohibited from logging in. (Fields
checked are uflg->fg_encrypt, ufld->fd_encrypt, uflg->fg_schange, ufld-
>fd_schange, uflg->fg_lifetime, ufld->fd_lifetime, sflg->fg_lifetime,
sfld->fd_lifetime, in addition to the vacationing checks above.)
If the profile is marked with a maximum login interval (also known as
minimum login frequency), and if the last successful login time recorded
(possibly adjusted by the vacation handling described above) is more than
that interval before the present time, then the user is prohibited from
logging in. (Fields checked are uflg->fg_slogin, ufld->fd_slogin, uflg-
>fg_max_login_int, ufld->fd_max_login_int, and the vacationing checks
above.)
If break-in evasion is enabled for the profile with a non-zero value for
the maximum allowed unsuccessful attempts (uflg->fg_max_tries, ufld-
>fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if there have
been at least that many consecutive unsuccessful login attempts recorded
for the account (uflg->fg_nlogins, ufld->fd_nlogins), then the user may be
prohibited from logging in. If there is no last unsuccessful login time
recorded (uflg->fg_ulogin) or if there is no unlock interval for the
account (uflg->fg_unlockint, ufld->fd_unlockint, sflg->fg_unlockint, sfld-
>fd_unlockint), the user is prohibited from logging in. If there is a
non-zero unlock interval and a last unsuccessful login time has been
recorded, but adding the unlock interval to the last unsuccessful login
time produces a value which is greater than the current time, then the user
is prohibited from logging in.
If the profile is marked as being locked by the system administrator, then
the user is prohibited from logging in. (Fields checked are uflg->fg_lock,
ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked out, a value of 0
is returned.
RETURN VALUES
A return of 1 indicates that the password management values for this
profile keep the associated user from logging in at the current time. A
return of 0 indicates that the password management values for this profile
do not prevent the associated user from logging in.
NOTES
When locked_out_es() returns 1 to indicate that the user is locked out, it
also attempts to make an audit entry with audgenl() to indicate that fact.
In order to quickstart a program, the program must be linked as follows:
-lsecurity -ldb -laud -lm
See the shared library discussion in the Programmer's Guide for more
information about using the quickstarting feature.
RELATED INFORMATION
getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)
Security