|
HP OpenVMS Systemsask the wizard |
|
The Question is: When users log in they have three goes. How can you change it so for certain users they only have one go. The Answer is : Without background around the question, providing a useful answer is difficult. In particular, would a "captive" environment (with or without a password) be appropriate for the particular user(s)? Would the use of double passwords -- two users, each with one of the two passwords needed for a login to a particular username -- solve the particular problem? As for the direct question, the system parameter LGI_RETRY_LIM controls the number of attempts allowed when attempting a login before various actions -- such as dropping a dialup connection -- occur. The default parameter value is 3. There is no mechanism for controlling the login retries on a per-user basis, as there no proof regarding the user until after a successful login. There are ways to customize the login process, via the LGI callout mechanism. That said, varying the behaviour can potentially provide clues to valid usernames, and the use of retry counts in general can be used as part of a denial of service attack. Specialized site-specific code could potentially be added through the existing LGI-callout mechanism (see the utility routines documentation), but this approach is a rather burdensome task for an area such as pre-authentication identity, and this whole area is fraught with approximation. You could also use the "restricted" option -- with no password -- and provide your own (carefully crafted) checks in the system-wide or user-specific login procedure. (This has the problem of bypassing all of the usual evasion and auditing and control mechanisms, and -- if not implemented carefully -- can potentially compromise security. Though so can a poorly-written LGI callout module, of course...)
|