Securing Logins and Passwords

You can limit remote logins and require users to have passwords. You can also monitor failed access attempts and disable logins temporarily.

How to Display a User's Login Status

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Display a user's login status by using the logins command.

   # logins -x -l username

   -x

   Displays an extended set of login status information.

   -l username

   Displays the login status for the specified user. The variable username is a user's login name. Multiple login names must be specified in a comma-separated list.

   The logins command uses the appropriate password database to obtain a user's login status. The database can be the local /etc/passwd file, or a password database for the name service. For more information, see the logins(1M) man page.

Example 3–1 Displaying a User's Login Status

In the following example, the login status for the user rimmer is displayed.

# logins -x -l rimmer
rimmer       500     staff           10   Annalee J. Rimmer
                     /export/home/rimmer
                     /bin/sh
                     PS 010103 10 7 -1

rimmer

Identifies the user's login name.

500

Identifies the user ID (UID).

staff

Identifies the user's primary group.

10

Identifies the group ID (GID).

Annalee J. Rimmer

Identifies the comment.

/export/home/rimmer

Identifies the user's home directory.

/bin/sh

Identifies the login shell.

PS 010170 10 7 -1

Specifies the password aging information:

• Last date that the password was changed

• Number of days that are required between changes

• Number of days before a change is required

• Warning period

How to Display Users Without Passwords

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Display all users who have no passwords by using the logins command.

   # logins -p

   The -p option displays a list of users with no passwords. The logins command uses the password database from the local system unless a name service is enabled.

Example 3–2 Displaying Users Without Passwords

In the following example, the user pmorph does not have a password.

# logins -p
pmorph          501     other           1       Polly Morph
# 

How to Temporarily Disable User Logins

Temporarily disable user logins during system shutdown or routine maintenance. Superuser logins are not affected. For more information, see the nologin(4) man page.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Create the /etc/nologin file in a text editor.

   # vi /etc/nologin

3. Include a message about system availability.

4. Close and save the file.

Example 3–3 Disabling User Logins

In this example, users are notified of system unavailability.

# vi /etc/nologin
(Add system message here)
 
# cat /etc/nologin 
***No logins permitted.***

***The system will be unavailable until 12 noon.***

You can also bring the system to run level 0, single-user mode, to disable logins. For information on bringing the system to single-user mode, see Chapter 10, Shutting Down a System (Tasks), in System Administration Guide: Basic Administration.

How to Monitor Failed Login Attempts

This procedure captures failed login attempts from terminal windows. This procedure does not capture failed logins from a GNOME login attempt.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Create the loginlog file in the /var/adm directory.

   # touch /var/adm/loginlog

3. Set read-and-write permissions for root user on the loginlog file.

   # chmod 600 /var/adm/loginlog

4. Change group membership to sys on the loginlog file.

   # chgrp sys /var/adm/loginlog

5. Verify that the log works.

   For example, log in to the system five times with the wrong password. Then, display the /var/adm/loginlog file.

   # more /var/adm/loginlog jdoe:/dev/pts/2:Tue Nov 4 10:21:10 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:21 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:30 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:40 2003 jdoe:/dev/pts/2:Tue Nov 4 10:21:49 2003 #

   The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged.

   A growing loginlog file can indicate an attempt to break into the computer system. Therefore, check and clear the contents of this file regularly. For more information, see the loginlog(4) man page.

How to Monitor All Failed Login Attempts

This procedure captures in a syslog file all failed login attempts.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Set up the /etc/default/login file with the desired values for SYSLOG and SYSLOG_FAILED_LOGINS

   Edit the /etc/default/login file to change the entry. Make sure that SYSLOG=YES is uncommented.

   # grep SYSLOG /etc/default/login # SYSLOG determines whether the syslog(3) LOG_AUTH facility # should be used SYSLOG=YES … SYSLOG_FAILED_LOGINS=0 #

3. Create a file with the correct permissions to hold the logging information.

   1. Create the authlog file in the /var/adm directory.

      # touch /var/adm/authlog

   2. Set read-and-write permissions for root user on the authlog file.

      # chmod 600 /var/adm/authlog

   3. Change group membership to sys on the authlog file.

      # chgrp sys /var/adm/authlog

4. Edit the syslog.conf file to log failed password attempts.

   The failures should be sent to the authlog file.

   1. Type the following entry into the syslog.conf file.

      Fields on the same line in syslog.conf are separated by tabs.

      auth.notice <Press Tab> /var/adm/authlog

   2. Refresh the configuration information for the syslog daemon.

      # svcadm refresh system/system-log

5. Verify that the log works.

   For example, as an ordinary user, log in to the system with the wrong password. Then, in the Primary Administrator role or as superuser, display the /var/adm/authlog file.

   # more /var/adm/authlog Nov 4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey #

6. Monitor the /var/adm/authlog file on a regular basis.

Example 3–4 Logging Access Attempts After Three Login Failures

Follow the preceding procedure, except set the value of SYSLOG_FAILED_LOGINS to 3 in the /etc/default/login file.

Example 3–5 Closing Connection After Three Login Failures

Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection.

How to Create a Dial-Up Password

When you first establish a dial-up password, be sure to remain logged in to at least one port. Test the password on a different port. If you log off to test the new password, you might not be able to log back in. If you are still logged in to another port, you can go back and fix your mistake.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Create an /etc/dialups file that contains a list of serial devices.

   Include all the ports that are being protected with dial-up passwords. The /etc/dialups file should appear similar to the following:

   /dev/term/a /dev/term/b /dev/term/c

3. Create an /etc/d_passwd file that contains the login programs that you are requiring to have a dial-up password.

   Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should appear similar to the following:

   /usr/lib/uucp/uucico:encrypted-password: /usr/bin/csh:encrypted-password: /usr/bin/ksh:encrypted-password: /usr/bin/sh:encrypted-password:

   Later in the procedure, you are going to add the encrypted password for each login program.

4. Set ownership to root on the two files.

   # chown root /etc/dialups /etc/d_passwd

5. Set group ownership to root on the two files.

   # chgrp root /etc/dialups /etc/d_passwd

6. Set read-and-write permissions for root on the two files.

   # chmod 600 /etc/dialups /etc/d_passwd

7. Create the encrypted passwords.

   1. Create a temporary user.

      # useradd username

   2. Create a password for the temporary user.

      # passwd username New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for username

   3. Capture the encrypted password.

      # grep username /etc/shadow > username.temp

   4. Edit the username.temp file.

      Delete all fields except the encrypted password. The second field holds the encrypted password.

      For example, in the following line, the encrypted password is U9gp9SyA/JlSk.

      temp:U9gp9SyA/JlSk:7967:::::7988:

   5. Delete the temporary user.

      # userdel username

8. Copy the encrypted password from username.temp file into the /etc/d_passwd file.

   You can create a different password for each login shell. Alternatively, use the same password for each login shell.

9. Inform your dial-up users of the password.

   You should ensure that your means of informing the users cannot be tampered with.

How to Temporarily Disable Dial-Up Logins

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Put the following single-line entry into the /etc/d_passwd file:

   /usr/bin/sh:*: