HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

security(4) security(4)
userdbset -d -u username auth_failures
AUTH_MAXTRIES=0 Any number of authentication retries is allowed.
AUTH_MAXTRIES=N An account is locked after N+1 consecutive authentication
failures. N can be any positive integer.
Default value: AUTH_MAXTRIES=0
BOOT_AUTH
This attribute controls whether authentication is required to boot the system into
single user mode. If enabled, the system cannot be booted into single user mode until
the password of an authorized user is provided.
This attribute does not apply to trusted systems. However, if boot authentication is
enabled on a standard system, then when the system is converted to a trusted system,
boot authentication will also be enabled as default for the trusted system.
BOOT_AUTH=0 Boot authentication is turned OFF.
BOOT_AUTH=1 Boot authentication is turned ON.
Default value: BOOT_AUTH=0
BOOT_USERS
This attribute defines the names of users who are authorized to boot the system into
single user mode from the console. Names are separated by a comma (,). It only
takes effect when boot authentication is enabled. Refer to the description of the
BOOT_AUTH attribute.
The BOOT_USERS attribute does not apply to trusted systems. However, when a
standard system is converted to a trusted system, this information is translated.
For example:
BOOT_USERS=mary,jack
Other than the root user, user mary or jack can also boot the system into single
user mode from the console.
Default value: BOOT_USERS=root
DISPLAY_LAST_LOGIN
This attribute controls whether a successful login displays the date, time and origin of
the last successful login and the last authentication failure. Times are displayed using
the system’s time zone. See the discussion of time zones in the Notes section. This
attribute does not apply to trusted systems. This attribute is supported for users in
all name server switch repositories, such as local, NIS and LDAP. This attribute is
enforced in the pam_hpsec service module, and requires that the pam_hpsec
module be configured in /etc/pam.conf. See pam_hpsec(5). The system-wide
default defined here may be overridden by defining a per-user value in
/var/adm/userdb (described in userdb(4)).
DISPLAY_LAST_LOGIN=0 Information is not displayed.
DISPLAY_LAST_LOGIN=1 Information is displayed.
Default value: DISPLAY_LAST_LOGIN=1
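The following audit script is an added example, not part of the HP-UX reference text. It reports the effective values of AUTH_MAXTRIES, BOOT_AUTH, BOOT_USERS and DISPLAY_LAST_LOGIN using the defaults stated above; the function names, the sample file, and the assumption that the file holds NAME=value lines with # comments are the example's own.

```shell
#!/bin/sh
# Added example (not HP's code). Assumption: the file holds NAME=value lines
# and a leading '#' marks a comment. These attributes do not apply to
# trusted systems, and userdb(4) per-user values are not consulted here.

# effective_value FILE ATTR DEFAULT: print the last value set, else DEFAULT.
effective_value() {
    [ -r "$1" ] || { echo "$3"; return 0; }
    awk -v a="$2" -v d="$3" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k) }
        k == a { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t\r]/, "", v); hit = 1 }
        END { print (hit ? v : d) }' "$1"
}

# audit_security FILE: one OK/WARN line per attribute, using page defaults.
audit_security() {
    tries=$(effective_value "$1" AUTH_MAXTRIES 0)
    boot=$(effective_value "$1" BOOT_AUTH 0)
    users=$(effective_value "$1" BOOT_USERS root)
    last=$(effective_value "$1" DISPLAY_LAST_LOGIN 1)
    case $tries in
        ''|*[!0-9]*|0?*) echo "WARN AUTH_MAXTRIES=$tries: not a valid integer" ;;
        0) echo "WARN AUTH_MAXTRIES=0: unlimited retries, accounts never lock" ;;
        *) echo "OK AUTH_MAXTRIES=$tries: lock after $((tries + 1)) consecutive failures" ;;
    esac
    if [ "$boot" = 1 ]; then
        echo "OK BOOT_AUTH=1: single user boot needs a password (root, BOOT_USERS=$users)"
    else
        echo "WARN BOOT_AUTH=$boot: boot authentication is not ON, BOOT_USERS=$users has no effect"
    fi
    if [ "$last" = 1 ]; then
        echo "OK DISPLAY_LAST_LOGIN=1: last login and last failure shown"
    else
        echo "WARN DISPLAY_LAST_LOGIN=$last: users cannot spot unexpected logins"
    fi
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample /etc/default/security
AUTH_MAXTRIES=3
BOOT_USERS=mary,jack
DISPLAY_LAST_LOGIN=0
EOF
audit_security "$sample"
rm -f "$sample"
```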
INACTIVITY_MAXDAYS
This attribute controls whether an account is locked if there have been no logins to the
account for a specified time interval. It does not apply to trusted systems. This
attribute is supported only for non-root users managed by pam_unix (described in
pam_unix(5)); this typically includes local and NIS users. In most cases this attribute
can be enforced only as a system-wide default; however, for local users on a shadow
password system, the system-wide default defined here in
/etc/default/security may be overridden by defining a per-user value in the
inactivity field of /etc/shadow with either one of these commands:
useradd -f inactive_maxdays
usermod -f inactive_maxdays
When an account has been locked due to this feature, root can unlock the account by
this command:
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 413