locked_out_acct_es(3)locked_out_acct_es(3)NAME
locked_out_acct_es, locked_out_es - determine if password-management
disallows user login (Enhanced Security)
SYNOPSIS
#include <prot.h>
int locked_out_acct_es(
struct es_passwd *prpwd,
struct es_default *dfp,
int flags,
... ); int locked_out_acct_es(
struct es_passwd *prpwd );
LIBRARY
Security Library - libsecurity.so
PARAMETERS
Specifies a pointer to an extended profile structure. Specifies a
pointer to the defaults database obtained from a getesdfnam() call.
Mask of bits to enable or disable features within the routine. This is
intended to allow expansion within the locked_out_acct_es() the routine
for more options. The values in the variable argument are based on the
sequential order of the flags used and the type represented by the
flag.
Currently supported flags are: A value of 0 indicates that the
caller wishes to NOT audit the account locked out event. Other
values create the event. Type is int.
DESCRIPTION
The locked_out_acct_es() function determines whether the password man‐
agement values for an extended profile prohibit the user from logging
in. This routine is called as part of the login processing under
enhanced security.
If the flags field is non zero, locked_out_acct_es() uses the mask in
the flags field to sequentially check the presence of the specified
flags and retrieve the value of each from the variable argument list.
For example, if the AUTH_LOCKED_OUT_AUD_FLAG bit is set, then the first
variable parameter is read as an 'int' and will be used as described
above.
If the current time falls within the grace limit parameter
(uflg->fg_grace_limit and ufld->fd_grace_limit), then access is
allowed. Otherwise, the following values are checked.
If the profile has vacation information set (uflg->fg_vac_start and
uflg->fg_vac_end and ufld->fd_vac_start and ufld->fd_vac_end), and the
fields are valid (both fd_vac_start and fd_vac_end are non-zero, and
the start time is less than the end time), and the current time is dur‐
ing the vacation period, then the user is prohibited from logging in.
If the profile has valid vacation information set, and that vacation is
now over, some adjustments are made to other time intervals which get
checked. If the last successful password change was before that vaca‐
tion, then the password lifetime check is extended by the duration of
the user's vacation. If the last successful login was before that
vacation, then the maximum login interval checked below is extended by
the length of the vacation.
If the user's password has not been changed successfully for a long
enough time that it has passed its lifetime (which may be adjusted for
comparison purposes as described above for the vacation handling), and
it is not a null password, then the user is prohibited from logging in.
(Fields checked are uflg->fg_encrypt, ufld->fd_encrypt,
uflg->fg_schange, ufld->fd_schange, uflg->fg_lifetime, ufld->fd_life‐
time, sflg->fg_lifetime, sfld->fd_lifetime, in addition to the vaca‐
tioning checks above.)
If the profile is marked with a maximum login interval (also known as
minimum login frequency), and if the last successful login time
recorded (possibly adjusted by the vacation handling described above)
is more than that interval before the present time, then the user is
prohibited from logging in. (Fields checked are uflg->fg_slogin,
ufld->fd_slogin, uflg->fg_max_login_int, ufld->fd_max_login_int, and
the vacationing checks above.)
If break-in evasion is enabled for the profile with a non-zero value
for the maximum allowed unsuccessful attempts (uflg->fg_max_tries,
ufld->fd_max_tries, sflg->fg_max_tries, sfld->fd_max_tries), and if
there have been at least that many consecutive unsuccessful login
attempts recorded for the account (uflg->fg_nlogins, ufld->fd_nlogins),
then the user may be prohibited from logging in. If there is no last
unsuccessful login time recorded (uflg->fg_ulogin) or if there is no
unlock interval for the account (uflg->fg_unlockint, ufld->fd_unlock‐
int, sflg->fg_unlockint, sfld->fd_unlockint), the user is prohibited
from logging in. If there is a non-zero unlock interval and a last
unsuccessful login time has been recorded, but adding the unlock inter‐
val to the last unsuccessful login time produces a value which is
greater than the current time, then the user is prohibited from logging
in. If the fd_skip_slogin_log system defaults field is set, then an
account is not locked out based on any maximum login interval that may
be set for the account. If the system defaults field fd_skip_flo‐
gin_log is set, then an account is not locked out based on attempted
failures.
If the profile is marked as being locked by the system administrator,
then the user is prohibited from logging in. (Fields checked are
uflg->fg_lock, ufld->fd_lock, sflg->fg_lock, sfld->fd_lock.)
If none of these checks indicates that the user is locked out, a value
of 0 is returned.
NOTES
The attempt to execute an audgenl() call is contingent upon the
AUTH_LOCK_OUT_AUD_FLAG from the flags argument. That is, if someone
sets the AUTH_LOCK_OUT_AUD_FLAG bit in the flags argument and supplies
a zero (0) as the first parameter after flags, then the audgenl() call
is not made. In order to quickstart a program, the program must be
linked as follows: -lsecurity -ldb -laud -lm See the shared library
discussion in the Programmer's Guide for more information about using
the quickstarting feature. When locked_out_acct_es() returns 1 to
indicate that the user is locked out, it also attempts to make an audit
entry with audgenl() to indicate that fact. The old locked_out_es()
now calls locked_out_acct_es() passing prpwd as well as a pointer to an
es_default struct. The call is made as follows: return
locked_out_acct_es(prpwd, dfp, 0);
RETURN VALUES
A return of 1 indicates that the password management values for this
profile keep the associated user from logging in at the current time. A
return of 0 indicates that the password management values for this pro‐
file do not prevent the associated user from logging in.
SEE ALSOgetespwent(3), getesdfent(3), audgenl(3), dxaccounts(8X)
Security
locked_out_acct_es(3)