HP OpenVMS Systems

ask the wizard

Selective login retry limits?

The Question is:

When users log in they have three goes.
How can you change it so for certain users
they only have one go.

The Answer is:

  Without background around the question, providing a useful answer
  is difficult.  In particular, would a "captive" environment (with
  or without a password) be appropriate for the particular user(s)?
  Would the use of double passwords -- two users, each with one of
  the two passwords needed for a login to a particular username --
  solve the particular problem?

  As for the direct question, the system parameter LGI_RETRY_LIM controls
  the number of attempts allowed when attempting a login before various
  actions -- such as dropping a dialup connection -- occur.  The default
  parameter value is 3.

  There is no mechanism for controlling the login retries on a per-user
  basis, as there is no proof regarding the user until after a successful

  There are ways to customize the login process, via the LGI callout
  mechanism.  That said, varying the behaviour can potentially provide
  clues to valid usernames, and the use of retry counts in general can
  be used as part of a denial of service attack.

  Specialized site-specific code could potentially be added through the
  existing LGI-callout mechanism (see the utility routines documentation),
  but this approach is a rather burdensome task for an area such as
  pre-authentication identity, and this whole area is fraught with

  You could also use the "restricted" option -- with no password -- and
  provide your own (carefully crafted) checks in the system-wide or
  user-specific login procedure.  (This has the problem of bypassing
  all of the usual evasion and auditing and control mechanisms, and --
  if not implemented carefully -- can potentially compromise security.
  Though so can a poorly-written LGI callout module, of course...)

answer written or last revised on ( 3-FEB-2000 )
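
The answer's point that varying retry behaviour by username can provide clues about usernames, shown as an added example (not part of the original answer and not OpenVMS or LGI callout code). It is a toy Python model; the class, the account names, the passwords and the per-user override table are all constructed assumptions.

```python
# Added illustration: a constructed toy model, not OpenVMS or LOGINOUT code.
SYSTEM_RETRY_LIMIT = 3  # default value the answer gives for LGI_RETRY_LIM


class LoginFrontEnd:
    """Toy login prompt that disconnects after a number of failed attempts."""

    def __init__(self, passwords, per_user_limit=None):
        self.passwords = passwords                   # username -> password (constructed)
        self.per_user_limit = per_user_limit or {}   # hypothetical per-user override

    def retry_limit(self, claimed_user):
        # The limit has to be chosen before authentication succeeds, so it can
        # only be keyed on the unproven username typed at the prompt.
        return self.per_user_limit.get(claimed_user, SYSTEM_RETRY_LIMIT)

    def session(self, claimed_user, guesses):
        """Return (logged_in, prompts_shown) for one connection."""
        prompts = 0
        for guess in guesses:
            if prompts >= self.retry_limit(claimed_user):
                break                                # connection dropped
            prompts += 1
            if self.passwords.get(claimed_user) == guess:
                return True, prompts
        return False, prompts


def retry_behaviour_by_name(front_end, names, wrong="not-the-password"):
    """Prompts offered to each name when every guess is wrong."""
    return {n: front_end.session(n, [wrong] * 10)[1] for n in names}


def leaks_username_info(front_end, names):
    """True if observable retry behaviour differs between the probed names."""
    return len(set(retry_behaviour_by_name(front_end, names).values())) > 1


# Constructed sample accounts; "GHOST" does not exist on the toy system.
ACCOUNTS = {"OPERATOR": "s3cret-A", "CLERK": "s3cret-B"}
NAMES = ["OPERATOR", "CLERK", "GHOST"]
uniform = LoginFrontEnd(ACCOUNTS)                                   # one system-wide limit
selective = LoginFrontEnd(ACCOUNTS, per_user_limit={"OPERATOR": 1})  # "one go" for one user

if __name__ == "__main__":
    print(retry_behaviour_by_name(uniform, NAMES))    # same count for every name
    print(retry_behaviour_by_name(selective, NAMES))  # OPERATOR stands out
```

With the single system-wide limit every name, valid or not, is offered the same number of prompts; with the selective limit the restricted name is distinguishable before any password has been proven.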
