locked_out_acct_es man page on DigitalUNIX


locked_out_acct_es(3)					 locked_out_acct_es(3)

       locked_out_acct_es,  locked_out_es  -  determine if password-management
       disallows user login (Enhanced Security)

       #include <prot.h>

       int locked_out_acct_es(
	       struct es_passwd *prpwd,
	       struct es_default *dfp,
	       int flags,
	       ...  );

       int locked_out_es(
	       struct es_passwd *prpwd );

       Security Library - libsecurity.so

       prpwd  Specifies a pointer to an extended profile structure.

       dfp    Specifies a pointer to the defaults database obtained from a
              getesdfnam() call.

       flags  Mask of bits to enable or disable features within the routine.
              This is intended to allow expansion within the
              locked_out_acct_es() routine for more options. The values in the
              variable argument are based on the sequential order of the flags
              used and the type represented by the

	      Currently supported flags are: A value of 0 indicates  that  the
	      caller  wishes  to NOT audit the account locked out event. Other
	      values create the event. Type is int.

       The locked_out_acct_es() function determines whether the password
       management values for an extended profile prohibit the user from logging
       in. This routine is called as part of the login processing under
       enhanced security.

       If the flags field is non-zero, locked_out_acct_es() uses the mask in
       the flags field to sequentially check the presence of the specified
       flags and retrieve the value of each from the variable argument list.
       For example, if the AUTH_LOCKED_OUT_AUD_FLAG bit is set, then the first
       variable parameter is read as an 'int' and will be used as described

       If the current time falls within the grace limit parameter
       (uflg->fg_grace_limit and ufld->fd_grace_limit), then access is
       allowed. Otherwise, the following values are checked.

       If the profile has vacation information set (uflg->fg_vac_start and
       uflg->fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the
       fields are valid (both fd_vac_start and fd_vac_end are non-zero, and
       the start time is less than the end time), and the current time is
       during the vacation period, then the user is prohibited from logging in.

       If the profile has valid vacation information set, and that vacation is
       now over, some adjustments are made to other time intervals which get
       checked. If the last successful password change was before that
       vacation, then the password lifetime check is extended by the duration
       of the user's vacation. If the last successful login was before that
       vacation, then the maximum login interval checked below is extended by
       the length of the vacation.

       If the user's password has not been changed successfully for a long
       enough time that it has passed its lifetime (which may be adjusted for
       comparison purposes as described above for the vacation handling), and
       it is not a null password, then the user is prohibited from logging in.
       (Fields checked are uflg->fg_encrypt, ufld->fd_encrypt,
       uflg->fg_schange, ufld->fd_schange, uflg->fg_lifetime,
       ufld->fd_lifetime, sflg->fg_lifetime, sfld->fd_lifetime, in addition to
       the vacationing checks above.)

       If the profile is marked with a maximum login interval (also known as
       minimum login frequency), and if the last successful login time
       recorded (possibly adjusted by the vacation handling described above)
       is more than that interval before the present time, then the user is
       prohibited from logging in. (Fields checked are uflg->fg_slogin,
       ufld->fd_slogin, uflg->fg_max_login_int, ufld->fd_max_login_int, and
       the vacationing checks above.)

       If break-in evasion is enabled for the profile with a non-zero value
       for the maximum allowed unsuccessful attempts (uflg->fg_max_tries,
       ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if
       there have been at least that many consecutive unsuccessful login
       attempts recorded for the account (uflg->fg_nlogins, ufld->fd_nlogins),
       then the user may be prohibited from logging in. If there is no last
       unsuccessful login time recorded (uflg->fg_ulogin) or if there is no
       unlock interval for the account (uflg->fg_unlockint, ufld->fd_unlockint,
       sflg->fg_unlockint, sfld->fd_unlockint), the user is prohibited
       from logging in. If there is a non-zero unlock interval and a last
       unsuccessful login time has been recorded, but adding the unlock
       interval to the last unsuccessful login time produces a value which is
       greater than the current time, then the user is prohibited from logging
       in. If the fd_skip_slogin_log system defaults field is set, then an
       account is not locked out based on any maximum login interval that may
       be set for the account. If the system defaults field
       fd_skip_flogin_log is set, then an account is not locked out based on
       attempted

       If the profile is marked as being locked by the system administrator,
       then the user is prohibited from logging in. (Fields checked are
       uflg->fg_lock, ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)

       If none of these checks indicates that the user is locked out, a value
       of 0 is returned.
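
       The check sequence described above, as a self-contained C model. This
       is an added example, not code from libsecurity or from the original
       man page; struct lock_model and model_locked_out() are hypothetical
       names. It assumes unset values are 0, skips the login-interval check
       when no successful login is recorded, and leaves out auditing and
       fd_skip_flogin_log.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical flattened profile (NOT struct es_passwd): each member is the
 * effective value after user/system-default resolution; 0 means "not set". */
struct lock_model {
    time_t grace_limit, vac_start, vac_end;
    time_t schange, slogin, ulogin;   /* last pw change, good login, bad login */
    time_t lifetime, max_login_int, unlockint;
    int max_tries, nlogins;           /* allowed / consecutive failed attempts */
    int null_password, lock, skip_slogin_log;
};

/* Returns 1 if the modelled checks prohibit login at 'now', else 0. */
int model_locked_out(const struct lock_model *p, time_t now)
{
    time_t life = p->lifetime, maxint = p->max_login_int;
    int vac_ok = p->vac_start && p->vac_end && p->vac_start < p->vac_end;

    if (p->grace_limit && now < p->grace_limit)
        return 0;                                /* within grace limit */
    if (vac_ok && now >= p->vac_start && now <= p->vac_end)
        return 1;                  /* during vacation (inclusive: assumption) */
    if (vac_ok && now > p->vac_end) {            /* vacation over: extend */
        time_t len = p->vac_end - p->vac_start;
        if (life && p->schange < p->vac_start) life += len;
        if (maxint && p->slogin < p->vac_start) maxint += len;
    }
    if (life && !p->null_password && now - p->schange > life)
        return 1;                                /* password past lifetime */
    if (maxint && p->slogin && !p->skip_slogin_log && now - p->slogin > maxint)
        return 1;                                /* no login for too long */
    if (p->max_tries && p->nlogins >= p->max_tries) {
        if (!p->ulogin || !p->unlockint)
            return 1;                            /* nothing can unlock it */
        if (p->ulogin + p->unlockint > now)
            return 1;                            /* unlock time not reached */
    }
    return p->lock ? 1 : 0;                      /* administrator lock */
}

int main(void)
{
    /* Constructed sample: 5 failures, last at t=1000, unlock interval 600 s. */
    struct lock_model p = { .max_tries = 5, .nlogins = 5,
                            .ulogin = 1000, .unlockint = 600 };
    printf("t=1500: %d, t=1700: %d\n",
           model_locked_out(&p, 1500), model_locked_out(&p, 1700));
    return 0;
}
```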

       The attempt to execute an audgenl() call is contingent upon the
       AUTH_LOCK_OUT_AUD_FLAG from the flags argument. That is, if someone
       sets the AUTH_LOCK_OUT_AUD_FLAG bit in the flags argument and supplies
       a zero (0) as the first parameter after flags, then the audgenl() call
       is not made.

       In order to quickstart a program, the program must be linked as
       follows:

              -lsecurity -ldb -laud -lm

       See the shared library discussion in the Programmer's Guide for more
       information about using the quickstarting feature.

       When locked_out_acct_es() returns 1 to indicate that the user is locked
       out, it also attempts to make an audit entry with audgenl() to indicate
       that fact.

       The old locked_out_es() now calls locked_out_acct_es() passing prpwd as
       well as a pointer to an es_default struct. The call is made as follows:

              return locked_out_acct_es(prpwd, dfp, 0);

       A return of 1 indicates that the password management values for this
       profile keep the associated user from logging in at the current time. A
       return of 0 indicates that the password management values for this
       profile do not prevent the associated user from logging in.

       getespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)


