The Question is:
When users log in they have three goes.
How can you change it so for certain users
they only have one go.
The Answer is :
Without background around the question, providing a useful answer
is difficult. In particular, would a "captive" environment (with
or without a password) be appropriate for the particular user(s)?
Would the use of double passwords -- two users, each with one of
the two passwords needed for a login to a particular username --
solve the particular problem?
As for the direct question, the system parameter LGI_RETRY_LIM controls
the number of attempts allowed when attempting a login before various
actions -- such as dropping a dialup connection -- occur. The default
parameter value is 3.
There is no mechanism for controlling the login retries on a per-user
basis, as there no proof regarding the user until after a successful
There are ways to customize the login process, via the LGI callout
mechanism. That said, varying the behaviour can potentially provide
clues to valid usernames, and the use of retry counts in general can
be used as part of a denial of service attack.
Specialized site-specific code could potentially be added through the
existing LGI-callout mechanism (see the utility routines documentation),
but this approach is a rather burdensome task for an area such as
pre-authentication identity, and this whole area is fraught with
You could also use the "restricted" option -- with no password -- and
provide your own (carefully crafted) checks in the system-wide or
user-specific login procedure. (This has the problem of bypassing
all of the usual evasion and auditing and control mechanisms, and --
if not implemented carefully -- can potentially compromise security.
Though so can a poorly-written LGI callout module, of course...)