XYGATE User Authentication Reference Manual
XYPRO Technology Corporation  49  Proprietary and Confidential 
Chapter 8.  Deciding on Failed-Logon Consequences 
After the criteria are developed and the behavior of permitted logons determined, the 
behavior of failed logons can be controlled. 
The first step in determining the behavior of failed logons is to decide how many 
failed logons constitute a bad logon event. Many users mistype their passwords now 
and again, so one or two failed logons before a good logon can be considered a 
minor error. At some point, however, the number of failed logons could 
indicate a password attack on the system, with a malicious party attempting to 
guess passwords. The keyword AUTHENTICATE_MAXIMUM_ATTEMPTS defines 
how many consecutive failed logons constitute a bad logon event. 
8.1  Keywords 
Once a bad logon event occurs, there are two basic ways in which the NonStop 
system can handle the failed logon. The behavior is determined by Safeguard 
global parameters: 
•  AUTHENTICATE_FAIL_TIMEOUT suspends the requestor logging on for a 
specified period of time. After the time passes, normal processing resumes. 
•  AUTHENTICATE_FAIL_FREEZE freezes the userid being logged into, assuring 
that no further attack can proceed. A frozen userid must then be THAWED by the 
security administrator before any normal logons can continue. 
XUA can be configured to override these values, making it possible to exempt 
Privileged IDs from the global values. For example, SUPER.SUPER can be exempted 
from being frozen by bad password attempts, while other users’ IDs are still frozen, 
by setting the keyword SUPERSUPEROK to ON. 
Refer to the AUTHENTICATE_FAIL_TIMEOUT keyword discussion on page 261 in 
Appendix B: “The UAACL File.” 
XUA can also be configured to allow specified users to log on to frozen Privileged IDs. 
Refer to the FROZEN_OK keyword discussion on page 265. 
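
The following is an added example, not XYPRO or Safeguard code: a simplified Python model of how the keywords in this chapter interact when one requestor keeps sending wrong passwords. The class and function names, the per-userid failure counter, the fallback to a timeout when SUPER.SUPER is exempt from freezing, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LogonPolicy:
    # Field names mirror the keywords above; values are constructed samples.
    maximum_attempts: int = 3   # consecutive failures that make a bad logon event
    fail_freeze: bool = False   # True: freeze the userid; False: time out the requestor
    fail_timeout: int = 60      # seconds the requestor stays suspended
    supersuperok: bool = False  # True: SUPER.SUPER is exempt from freezing
    failures: dict = field(default_factory=dict)         # userid -> consecutive failures (assumed scope)
    frozen: set = field(default_factory=set)
    suspended_until: dict = field(default_factory=dict)  # requestor -> release time

    def logon(self, requestor, userid, password_ok, now):
        if self.suspended_until.get(requestor, 0) > now:
            return "REQUESTOR_SUSPENDED"
        if userid in self.frozen:
            return "USERID_FROZEN"       # even the correct password is refused
        if password_ok:
            self.failures[userid] = 0    # a good logon ends the consecutive run
            return "OK"
        self.failures[userid] = self.failures.get(userid, 0) + 1
        if self.failures[userid] < self.maximum_attempts:
            return "FAILED"
        self.failures[userid] = 0        # bad logon event reached; restart the count
        exempt = self.supersuperok and userid == "SUPER.SUPER"
        if self.fail_freeze and not exempt:
            self.frozen.add(userid)
            return "USERID_FROZEN"
        # Assumption: without a freeze, the requestor is timed out instead.
        self.suspended_until[requestor] = now + self.fail_timeout
        return "REQUESTOR_SUSPENDED"

    def thaw(self, userid):
        self.frozen.discard(userid)      # security administrator action

def replay_bad_passwords(policy, userid, count=5, requestor="TERM1"):
    """Send `count` wrong passwords one second apart and return each outcome."""
    return [policy.logon(requestor, userid, False, now=t) for t in range(count)]

if __name__ == "__main__":
    print(replay_bad_passwords(LogonPolicy(fail_freeze=False), "OPS.ALICE"))
    print(replay_bad_passwords(LogonPolicy(fail_freeze=True), "OPS.ALICE"))
    print(replay_bad_passwords(LogonPolicy(fail_freeze=True, supersuperok=True), "SUPER.SUPER"))
```

In the freeze case the userid stays unusable for its legitimate owner until it is thawed, whereas the timeout case clears by itself once the period has passed.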










