Secure Global Desktop 4.40 Administration Guide > Users and Authentication > Denying Users Access to SGD After Failed Login Attempts
By enabling a login failure handler, Administrators can deny users access to SGD after three failed login attempts. This additional security measure only works if users have user profile objects in the local repository (that is, their user profile in not a default profile object in the System Objects organization).
To enable the login failure handler, use the following command:
$ tarantella config edit \ --tarantella-config-components-loginfailurehandler 1 \ --tarantella-config-components-loginfailurefilter 1
If you enable the login failure handler and a user does not have a user profile in the local repository, they can still log in to SGD.
The number of login attempts is local to each SGD server and is not copied across the array. Only when the login limit is reached on a server, is the user denied access across the array. For example, a user could try to log in on each SGD server two times, but only when they fail for the third time on a server are they denied access to the other members of the array.
If a user is denied access, they are only denied access to SGD. They are not denied access to the host on which SGD is installed
When a user is denied access, SGD deselects the Login check box on the General tab (--enabled false
) for the user profile object in the SGD Administration Console. To give a user access again, you must select the check box (--enabled true
).
For security reasons, users are not given any indication that their account is disabled. They see the same message as if they had typed an incorrect password.
The number of login attempts users get is configurable. To change the number of login attempts:
Use the following command:
# tarantella config edit \ --com.sco.tta.server.login.LoginFailureHandler.properties-attemptsallowed number
Use the following command:
# tarantella restart --warm
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.