System Administration Guide: Security Services

Securing Logins and Passwords

This section describes how to control and monitor logins.

How to Display a User's Login Status

  1. Become superuser or assume an equivalent role.

  2. Display a user's login status by using the logins command.


    # logins -x -l username
    

    -x

    Displays an extended set of login status information. 

    -l username

    Displays the login status for the specified user. username is a user's login name. Multiple login names must be specified in a comma-separated list.

    The logins command uses the appropriate password file to obtain a user's login status. The file can be the local /etc/passwd file, or a password database for the name service. For more information, see the logins(1M) man page.

Example—Displaying a User's Login Status

In the following example, the login status for the user rimmer is displayed.


# logins -x -l rimmer
rimmer       500     staff           10   Annalee J. Rimmer
                     /export/home/rimmer
                     /bin/sh
                     PS 010170 10 7 -1

rimmer

Identifies the user's login name. 

500

Identifies the user ID (UID). 

staff

Identifies the user's primary group. 

10

Identifies the group ID (GID). 

Annalee J. Rimmer

Identifies the comment. 

/export/home/rimmer

Identifies the user's home directory. 

/bin/sh

Identifies the login shell. 

PS 010170 10 7 -1

Specifies the password aging information: 

  • Last date that the password was changed

  • Number of days that are required between changes

  • Number of days before a change is required

  • Warning period

How to Display Users Without Passwords

  1. Become superuser or assume an equivalent role.

  2. Display all users who have no passwords by using the logins command.


    # logins -p
    

    The -p option displays a list of users with no passwords. To obtain a user's login status, the logins command can use the local /etc/passwd file or the password databases for the name services, that is, password databases on the local machine and on the network.

Example—Displaying Users Without Passwords

The following example shows that the user pmorph does not have a password.


# logins -p
pmorph          501     other           1       Polly Morph
# 

How to Temporarily Disable User Logins

  1. Become superuser or assume an equivalent role.

  2. Create the /etc/nologin file by using an editor.


    # vi /etc/nologin
    
  3. Include a message about system availability.

  4. Close and save the file.

    Create this file to disallow user logins during system shutdown or routine maintenance. If a user attempts to log in to a system where the nologin file exists, the contents of this file are displayed. Then, the user login is terminated.

    Superuser logins are not affected. For more information, see the nologin(4) man page.

Example—Disabling User Logins

This example shows how to notify users of system unavailability.


# vi /etc/nologin
(Add system message here)
 
# cat /etc/nologin 
***No logins permitted.***

***The system will be unavailable until 12 noon.***

You can also bring the system to run level 0, single-user mode. For information on bringing the system to single-user mode, see “Shutting Down a System (Tasks)” in System Administration Guide: Basic Administration.

How to Save Failed Login Attempts

  1. Become superuser or assume an equivalent role.

  2. Create the loginlog file in the /var/adm directory.


    # touch /var/adm/loginlog
    
  3. Set read and write permissions for root on the loginlog file.


    # chmod 600 /var/adm/loginlog
    
  4. Change group membership to sys on the loginlog file.


    # chgrp sys /var/adm/loginlog
    
  5. Make sure that the log works by attempting to log in to the system five times with the wrong password. Then, display the /var/adm/loginlog file.


    # more /var/adm/loginlog
    rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
    #

    The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged.

    The loginlog file might grow quickly. To use this file in a timely manner, you should check and clear its contents occasionally. A loginlog file that shows a lot of activity can indicate an attempt to break into the computer system. For more information, see the loginlog(4) man page.
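The loginlog format just described (login:tty:timestamp) is simple enough to review with a short script. The following is an added example, not part of the guide: it summarises a loginlog file per user and per tty, flags users at or above a chosen failure count, and counts lines that do not have the documented shape. The sample log is constructed; the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): summarise a loginlog file per user and
# per tty, flag users over a threshold, and count entries of unexpected shape.

# failures_for_user LOGFILE USER -> failed attempts recorded for USER
failures_for_user() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# flag_users LOGFILE THRESHOLD -> users with at least THRESHOLD failures. The
# guide notes that fewer than five failures are never logged, so 10 means at
# least two logged bursts for the same login name.
flag_users() {
    awk -F: -v th="$2" '{ n[$1]++ } END { for (u in n) if (n[u] >= th) print u }' "$1" | sort
}

# failures_by_tty LOGFILE -> "tty count" lines, busiest tty first
failures_by_tty() {
    awk -F: '$2 != "" { n[$2]++ } END { for (t in n) print t, n[t] }' "$1" | sort -k2,2nr
}

# malformed_entries LOGFILE -> lines lacking a login name or a /dev/ tty;
# an edited or corrupt log is itself worth investigating.
malformed_entries() {
    awk -F: '$1 == "" || $2 !~ /^\/dev\// { c++ } END { print c + 0 }' "$1"
}

# Constructed sample (not a real capture): the guide's five rimmer entries, a
# second burst by rimmer, five by pmorph on a serial line, one corrupt line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
rimmer:/dev/pts/1:Wed Jan 16 09:40:02 2002
rimmer:/dev/pts/1:Wed Jan 16 09:40:09 2002
rimmer:/dev/pts/1:Wed Jan 16 09:40:15 2002
rimmer:/dev/pts/1:Wed Jan 16 09:40:22 2002
rimmer:/dev/pts/1:Wed Jan 16 09:40:30 2002
pmorph:/dev/term/a:Wed Jan 16 11:02:10 2002
pmorph:/dev/term/a:Wed Jan 16 11:02:18 2002
pmorph:/dev/term/a:Wed Jan 16 11:02:25 2002
pmorph:/dev/term/a:Wed Jan 16 11:02:33 2002
pmorph:/dev/term/a:Wed Jan 16 11:02:41 2002
corrupt entry
EOF
```

Point the functions at /var/adm/loginlog instead of the sample file to run the same summary on a real system.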

How to Create a Dial-up Password


Caution –

When you first establish a dial-up password, be sure to remain logged in to at least one port. Test the password on a different port. If you log off to test the new password, you might not be able to log back on. If you are still logged in to another port, you can go back and fix your mistake.


  1. Become superuser or assume an equivalent role.

  2. Create an /etc/dialups file that contains a list of serial devices. Include all the ports that are being protected with dial-up passwords.

    The /etc/dialups file should look like the following:


    /dev/term/a
    /dev/term/b
    /dev/term/c
    
  3. Create an /etc/d_passwd file that contains the login programs that you are requiring to have a dial-up password.

    Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should look like the following:


    /usr/lib/uucp/uucico:encrypted-password:
    /usr/bin/csh:encrypted-password:
    /usr/bin/ksh:encrypted-password:
    /usr/bin/sh:encrypted-password:

    You are going to add the encrypted password for each login program later in the procedure.

  4. Set ownership to root on the two files.


    # chown root /etc/dialups /etc/d_passwd
    
  5. Set group ownership to root on the two files.


    # chgrp root /etc/dialups /etc/d_passwd
    
  6. Set read and write permissions for root on the two files.


    # chmod 600 /etc/dialups /etc/d_passwd
    
  7. Create the encrypted passwords.

    1. Create a temporary user.


      # useradd username
      
    2. Create a password for the temporary user.


      # passwd username
      
    3. Capture the encrypted password.


      # grep username /etc/shadow > username.temp
      
    4. Edit the username.temp file.

      Delete all fields except the encrypted password. The second field holds the encrypted password.

      For example, in the following line, the encrypted password is U9gp9SyA/JlSk.


      temp:U9gp9SyA/JlSk:7967:::::7988:
      
    5. Delete the temporary user.


      # userdel username
      
  8. Copy the encrypted password from username.temp file into the /etc/d_passwd file.

    You can create a different password for each login shell, or use the same password for each login shell.

  9. Inform your dial-up users of the password.

    You should ensure that your means of informing the users cannot be tampered with.

How to Temporarily Disable Dial-up Logins

  1. Become superuser or assume an equivalent role.

  2. Put the following single-line entry into the /etc/d_passwd file:


    /usr/bin/sh:*:
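The two procedures above (building /etc/d_passwd from a captured shadow line, and disabling dial-up logins with a `*` entry) can be checked before the files are put in place. The following is an added example, not part of the guide: it extracts the hash from a shadow line as in step 7.4, builds a d_passwd entry, and audits constructed d_passwd and dialups files for malformed lines, relative program paths, entries whose password was never filled in, and entries disabled with `*`. The function names are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the guide): build /etc/d_passwd entries from a
# captured shadow line and audit a d_passwd/dialups pair before relying on it.

# hash_from_shadow SHADOWLINE -> second field, the encrypted password that
# step 7.4 keeps after deleting the other fields
hash_from_shadow() {
    printf '%s\n' "$1" | cut -d: -f2
}

# d_passwd_entry LOGIN-PROGRAM SHADOWLINE -> "program:hash:" line
d_passwd_entry() {
    printf '%s:%s:\n' "$1" "$(hash_from_shadow "$2")"
}

# audit_d_passwd FILE -> one finding per line; prints nothing when clean.
#  - each entry must be "program:hash:" (absolute path, trailing colon)
#  - an empty hash or the guide's "encrypted-password" placeholder means the
#    step 8 copy was never done for that program
#  - "*" is the guide's way of disabling dial-up logins for that program
audit_d_passwd() {
    awk -F: '
        NF != 3 || $3 != "" { print "malformed: " $0; next }
        $1 !~ /^\//         { print "relative program path: " $1; next }
        $2 == "" || $2 == "encrypted-password" { print "no password set: " $1; next }
        $2 == "*"           { print "disabled: " $1 }' "$1"
}

# audit_dialups FILE -> lines that are not /dev/... device paths
audit_dialups() {
    awk '$0 !~ /^\/dev\// { print "not a device path: " $0 }' "$1"
}

# Constructed sample files (not real system files); the shadow line is the
# one the guide shows in step 7.4.
D_PASSWD=$(mktemp); DIALUPS=$(mktemp)
SHADOW_LINE='temp:U9gp9SyA/JlSk:7967:::::7988:'
{
    d_passwd_entry /usr/bin/sh "$SHADOW_LINE"
    d_passwd_entry /usr/bin/ksh "$SHADOW_LINE"
    printf '%s\n' '/usr/bin/csh:encrypted-password:'   # placeholder never replaced
    printf '%s\n' '/usr/lib/uucp/uucico:*:'            # deliberately disabled
    printf '%s\n' 'bin/sh:U9gp9SyA/JlSk:'              # relative path
} > "$D_PASSWD"
printf '%s\n' /dev/term/a /dev/term/b term/c > "$DIALUPS"
```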