Bay Networks 6300 Supplement Manual page 313

Supplement to the Remote Annex Administrator's Guide for UNIX

Book A
Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX
Blacklisting enhances security by limiting the number of passwords an
on-line attacker can try before the user account is automatically disabled.
At this point, no one can log in with the blacklisted user name, even if
someone enters the "correct" password. However, the failed login
message is the same before and after blacklisting, so the user does not
know that the account has been disabled.

The system administrator is informed when blacklisting occurs. First, a
record is created in the ACP log file indicating that the userid has been
blacklisted. This record remains unless and until you delete it manually.
Second, when you invoke the acp_dbm utility, it immediately displays
a warning identifying any blacklisted users. See Viewing and Managing
the acp_dbm Database on page 15-288.

The data necessary for blacklisting is kept in the acp_dbm database,
keyed on the user name. If password history and blacklisting are
configured, this database is created automatically the first time a user
changes passwords or attempts to log in and fails. The absence of an
acp_dbm database indicates that no password histories exist and no failed
login attempts have occurred.

Blacklisting makes the RA 6300 susceptible to denial-of-
service attacks. To disable a user account, a saboteur need only
make a few failed login attempts. In the extreme case, a
saboteur who obtains a list of employee user names could create
a shell script that would automatically disable all user login
capabilities.
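
Because every blacklisting leaves a record in the ACP log, an administrator can tell an isolated lockout from the mass lockout described in the denial-of-service warning above. The following is an added example, not taken from the manual: the log record layout, the sample lines, and the five-minute/three-account thresholds are all assumptions, since the real ACP log format is not shown on this page.

```python
import re
from datetime import datetime, timedelta

# Hypothetical record layout (the real ACP log format is not shown on this page):
#   YYYY-MM-DD HH:MM:SS <annex> blacklist user=<name>
RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) blacklist user=(\S+)$")

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = """\
1997-03-04 09:02:11 annex01 blacklist user=jdoe
1997-03-04 14:30:00 annex01 blacklist user=alice
1997-03-04 14:30:04 annex01 blacklist user=bob
1997-03-04 14:30:09 annex01 login failed user=carol
1997-03-04 14:30:13 annex01 blacklist user=carol
1997-03-04 14:30:21 annex01 blacklist user=dave
1997-03-05 08:45:50 annex01 blacklist user=erin
""".splitlines()

def parse_blacklist_events(lines):
    """Return time-sorted (timestamp, user) pairs; other records are skipped."""
    events = []
    for line in lines:
        m = RECORD.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, m.group(3)))
    return sorted(events)

def find_lockout_bursts(lines, window=timedelta(minutes=5), min_users=3):
    """Return (first, last, users) for each window in which at least
    min_users distinct accounts were blacklisted."""
    events = parse_blacklist_events(lines)
    bursts, i = [], 0
    while i < len(events):
        j, users = i, []
        # Collect every blacklisting that falls within `window` of events[i].
        while j < len(events) and events[j][0] - events[i][0] <= window:
            if events[j][1] not in users:
                users.append(events[j][1])
            j += 1
        if len(users) >= min_users:
            bursts.append((events[i][0], events[j - 1][0], users))
            i = j          # continue after the burst just reported
        else:
            i += 1         # isolated lockout: one user, or too few to flag
    return bursts

if __name__ == "__main__":
    for first, last, users in find_lockout_bursts(SAMPLE_LOG):
        print(f"{first} to {last}: {len(users)} accounts blacklisted: {', '.join(users)}")
```

A single blacklisted account is consistent with password guessing against that user or with a forgotten password; many accounts blacklisted within minutes of each other is the pattern to investigate as a deliberate lockout before re-enabling anyone.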
