System Administration Guide: Security Services, Oracle Solaris 11 Express 11/10
3. Controlling Access to Systems (Tasks)
Controlling System Access (Task Map)
Securing Logins and Passwords (Task Map)
How to Display a User's Login Status
How to Display Users Without Passwords
How to Temporarily Disable User Logins
How to Monitor Failed Login Attempts
How to Monitor All Failed Login Attempts
Changing the Password Algorithm (Task Map)
Changing the Default Algorithm for Password Encryption
How to Specify an Algorithm for Password Encryption
How to Specify a New Password Algorithm for an NIS Domain
How to Specify a New Password Algorithm for an LDAP Domain
Monitoring and Restricting Superuser (Task Map)
Monitoring and Restricting Superuser
How to Monitor Who Is Using the su Command
How to Restrict and Monitor Superuser Logins
SPARC: Controlling Access to System Hardware (Task Map)
Controlling Access to System Hardware
How to Require a Password for Hardware Access
How to Disable a System's Abort Sequence
Securing Logins and Passwords

You can limit remote logins and require users to have passwords. You can also monitor failed access attempts and disable logins temporarily.
How to Display a User's Login Status

Become an administrator. For more information, see How to Obtain Administrative Rights.

Display a user's login status by using the logins command:
# logins -x -l username
-x: Displays an extended set of login status information.
-l username: Displays the login status for the specified user. The variable username is a user's login name. Multiple login names are separated by commas.
The logins command uses the appropriate password database to obtain a user's login status. The database can be the local /etc/passwd file, or a password database for the naming service. For more information, see the logins(1M) man page.
Example 3-1 Displaying a User's Login Status
In the following example, the login status for the user jdoe is displayed.

# logins -x -l jdoe
jdoe       500     staff           10   Jaylee Jaye Doe
                                        /home/jdoe
                                        /bin/bash
                                        PS 010103 10 7 -1
jdoe: Identifies the user's login name.
500: Identifies the user ID (UID).
staff: Identifies the user's primary group.
10: Identifies the group ID (GID).
Jaylee Jaye Doe: Identifies the comment (GECOS) field.
/home/jdoe: Identifies the user's home directory.
/bin/bash: Identifies the login shell.
PS 010103 10 7 -1: Specifies the password status and aging information, in this order:
Password status (PS means that a password is set, NP means no password, LK means that the account is locked)
Last date that the password was changed, as mmddyy
Number of days that are required between changes
Number of days before a change is required
Warning period, in days
A value of -1 in an aging field means that the field is not set.
How to Display Users Without Passwords

Become an administrator. For more information, see How to Obtain Administrative Rights.

Display all users who have no passwords by using the logins command:
# logins -p
The -p option displays a list of users with no passwords. The logins command uses the password database from the local system unless a naming service is enabled. An account that this list shows can be used without any authentication, so assign it a password or lock it with passwd -l.
Example 3-2 Displaying Users Without Passwords
In the following example, the user pmorph does not have a password.
# logins -p
pmorph      501     other           1    Polly Morph
#
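The logins -x output is easy to read for one user, but an audit of every account in the password database needs a small parser. The following POSIX sh function is an added example for this section and for the preceding one on displaying users without passwords; it is not part of this guide or of the logins command. It reads logins -x records and reports accounts with no password (NP), locked accounts (LK), UID 0 accounts other than root, passwords that never expire, and aging settings where the minimum days between changes exceeds the maximum, which passwd(1) documents as preventing the user from changing the password. The account records in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the extended output of logins(1M).
# Reads `logins -x` records on stdin and prints one finding per line.
# Record layout: a header line starting in column 1 (login, UID, group,
# GID, comment), then three indented lines: home directory, login shell,
# and "status lastchg min max warn".
audit_logins_x() {
    awk '
    # Header line: starts in column 1. Remember the login name and UID.
    /^[^ \t]/ { user = $1; uid = $2; next }
    # Aging line: indented, two-letter status followed by four numbers.
    NF == 5 && $1 ~ /^[A-Z][A-Z]$/ {
        status = $1; min = $3; max = $4
        if (uid == 0 && user != "root")
            print user ": UID 0 account other than root"
        if (status == "NP")
            print user ": no password set (NP)"
        else if (status == "LK")
            print user ": account locked (LK)"
        else if (status == "PS") {
            if (max == -1)
                print user ": password never expires (max -1)"
            else if (min > max)
                print user ": min days (" min ") exceeds max days (" max "); user cannot change the password"
        }
    }'
}

# Constructed sample of `logins -x` output (not real accounts).
sample_logins_x() {
    cat <<'EOF'
root            0       root            0     Super-User
                                              /
                                              /usr/bin/bash
                                              PS 000000 -1 -1 -1
jdoe            500     staff           10    Jaylee Jaye Doe
                                              /home/jdoe
                                              /bin/bash
                                              PS 010103 10 7 -1
pmorph          501     other           1     Polly Morph
                                              /home/pmorph
                                              /bin/sh
                                              NP 000000 -1 -1 -1
toor            0       other           1     Backup admin
                                              /home/toor
                                              /bin/sh
                                              PS 110110 -1 -1 -1
svcacct         502     daemon          12    Service account
                                              /home/svcacct
                                              /bin/sh
                                              LK 110110 -1 -1 -1
EOF
}

# On a Solaris system, audit the live database instead:
#   logins -x | audit_logins_x
sample_logins_x | audit_logins_x
```

Run against the sample, the script flags root and toor for passwords that never expire, toor as a second UID 0 account, pmorph for having no password, svcacct as locked, and jdoe for a minimum (10 days) that exceeds the maximum (7 days); that last case comes straight from the example output above and is the kind of inconsistency that only shows up when the fields are compared rather than read.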
How to Temporarily Disable User Logins

Temporarily disable user logins during system shutdown or routine maintenance. While the /etc/nologin file exists, login displays its contents to users who try to log in and refuses the login; remove the file to restore logins. Superuser logins are not affected. For more information, see the nologin(4) man page.
Become an administrator. For more information, see How to Obtain Administrative Rights.

Create the /etc/nologin file in a text editor and include a message about system availability:
# vi /etc/nologin
Example 3-3 Disabling User Logins
In this example, users are notified of system unavailability.
# vi /etc/nologin
(Add system message here)
# cat /etc/nologin
***No logins permitted.***
***The system will be unavailable until 12 noon.***
You can also bring the system to run level S, single-user mode, to disable logins. For information on bringing the system to single-user mode, see Chapter 10, Shutting Down a System (Tasks), in System Administration Guide: Basic Administration.
How to Monitor Failed Login Attempts

This procedure captures failed login attempts made through login(1) from terminal windows and the console. This procedure does not capture failed logins from a desktop login attempt.
Become an administrator. For more information, see How to Obtain Administrative Rights.

Create the loginlog file in the /var/adm directory, restrict it to read and write by root only, and assign it to the sys group:
# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chgrp sys /var/adm/loginlog
Verify that the log works. For example, make five login attempts with the wrong password in one session. Then, display the /var/adm/loginlog file.
# more /var/adm/loginlog
jdoe:/dev/pts/2:Tue Nov  4 10:21:10 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:21 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:30 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:40 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:49 2010
#
The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. Entries are written only after five unsuccessful attempts in one login session; if a person makes fewer than five unsuccessful attempts, nothing is logged.
A growing loginlog file can indicate an attempt to break into the computer system. Therefore, check and clear the contents of this file regularly. For more information, see the loginlog(4) man page.
How to Monitor All Failed Login Attempts

This procedure captures all failed login attempts in a syslog file, so that even a single wrong password is recorded.
Become an administrator. For more information, see How to Obtain Administrative Rights.
Set up the /etc/default/login file with the desired values for SYSLOG and SYSLOG_FAILED_LOGINS. Make sure that the SYSLOG=YES line is uncommented, and set SYSLOG_FAILED_LOGINS to 0 so that every failed attempt is logged:
# grep SYSLOG /etc/default/login
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
SYSLOG=YES
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
#SYSLOG_FAILED_LOGINS=5
SYSLOG_FAILED_LOGINS=0
#
Create the /var/adm/authlog file with the correct permissions to hold the logging information:

# touch /var/adm/authlog
# chmod 600 /var/adm/authlog
# chgrp sys /var/adm/authlog
Send the failures to the authlog file. Add an entry to /etc/syslog.conf that routes the auth.notice selector to /var/adm/authlog; the selector and the file name must be separated by a tab, not by spaces, or syslogd ignores the line. Then refresh the system-log SMF service (svcadm refresh) so that syslogd rereads its configuration.
For example, as an ordinary user, log in to the system with the wrong password. Then, as superuser, display the /var/adm/authlog file.
# more /var/adm/authlog
Nov  4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
#
Example 3-4 Logging Access Attempts After Three Login Failures
Follow the preceding procedure, except set the value of SYSLOG_FAILED_LOGINS to 3 in the /etc/default/login file.
Example 3-5 Closing Connection After Three Login Failures
Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection. The RETRIES limit applies to login(1); the Secure Shell daemon limits attempts separately through the MaxAuthTries setting in sshd_config.
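Both log formats above, the colon-separated loginlog entries and the syslog lines in authlog, can be summarized with awk so that a burst of failures against one account or from one host stands out. The following POSIX sh functions are an added example that serves this procedure and the preceding loginlog procedure; they are not part of this guide. loginlog_summary counts failures per login and tty, authlog_summary counts login failures per source host and login, and each prints only the pairs at or above a threshold. The sample records are constructed for the example; the su line is included only to show that records from other programs are ignored.

```shell
#!/bin/sh
# Added example: summarize failed-login records from loginlog and authlog.

# loginlog(4) entries are "login:tty:timestamp". Print "login tty count"
# for every login/tty pair with at least THRESHOLD entries (default 5).
loginlog_summary() {
    awk -F: -v thr="${1:-5}" '
    NF >= 3 { n[$1 " " $2]++ }
    END { for (k in n) if (n[k] >= thr) print k, n[k] }' | sort
}

# authlog lines written by login(1) through syslog look like
#   ... login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
# Print "source-host login count" for every pair with at least THRESHOLD
# failures (default 3). Records from other programs are ignored.
authlog_summary() {
    awk -v thr="${1:-3}" '
    / login: .*Login failure on / {
        host = "?"
        for (i = 1; i <= NF; i++)
            if ($i == "from") { host = $(i + 1); sub(/,$/, "", host) }
        n[host " " $NF]++
    }
    END { for (k in n) if (n[k] >= thr) print k, n[k] }' | sort
}

# Constructed sample records (not from a real system).
sample_loginlog() {
    cat <<'EOF'
jdoe:/dev/pts/2:Tue Nov  4 10:21:10 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:21 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:30 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:40 2010
jdoe:/dev/pts/2:Tue Nov  4 10:21:49 2010
root:/dev/console:Tue Nov  4 23:02:05 2010
root:/dev/console:Tue Nov  4 23:02:14 2010
root:/dev/console:Tue Nov  4 23:02:22 2010
root:/dev/console:Tue Nov  4 23:02:31 2010
root:/dev/console:Tue Nov  4 23:02:40 2010
EOF
}

sample_authlog() {
    cat <<'EOF'
Nov  4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov  4 14:46:20 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov  4 14:46:31 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, root
Nov  4 14:47:02 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, jdoe
Nov  4 14:47:12 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
Nov  4 14:47:19 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
Nov  4 14:50:00 example1 su: [ID 810491 auth.crit] 'su root' failed for jdoe on /dev/pts/9
EOF
}

# On a Solaris system, read the real files instead:
#   loginlog_summary 5 < /var/adm/loginlog
#   authlog_summary 3 < /var/adm/authlog
echo "loginlog: login/tty pairs with 5 or more failures"
sample_loginlog | loginlog_summary 5
echo "authlog: host/login pairs with 2 or more failures"
sample_authlog | authlog_summary 2
```

With the thresholds shown, the sample yields two loginlog pairs (jdoe on /dev/pts/2 and root on the console, five failures each) and two authlog pairs (stacey from example2 and root from example3). Because loginlog only records after the fifth failure in a session, a threshold below 5 adds nothing there; for authlog, where every failure is written, a low threshold on the root login is the useful alert.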
How to Create a Dial-Up Password

Caution - When you first establish a dial-up password, be sure to remain logged in to at least one port. Test the password on a different port. If you log off to test the new password, you might not be able to log back in. If you are still logged in to another port, you can go back and fix your mistake.
Become an administrator. For more information, see How to Obtain Administrative Rights.

Create an /etc/dialups file that contains a list of serial devices.
Include all the ports that are being protected with dial-up passwords. The /etc/dialups file should appear similar to the following:
/dev/term/a
/dev/term/b
/dev/term/c
Create an /etc/d_passwd file that contains the login programs that you are requiring to have dial-up passwords, and the encrypted password for each. Include shell programs that a user could be running at login, for example, uucico, sh, ksh, bash, and csh. The /etc/d_passwd file should appear similar to the following:
/usr/lib/uucp/uucico:encrypted-password:
/usr/bin/csh:encrypted-password:
/usr/bin/ksh:encrypted-password:
/usr/bin/sh:encrypted-password:
/usr/bin/bash:encrypted-password:
Later in the procedure, you are going to add the encrypted password for each login program.
Set ownership and permissions on the two files so that only root can read or write them:

# chown root /etc/dialups /etc/d_passwd
# chgrp root /etc/dialups /etc/d_passwd
# chmod 600 /etc/dialups /etc/d_passwd
Create the encrypted passwords by using a temporary user account. First, create the temporary user:

# useradd username

Then assign the temporary user a password:
# passwd username
New Password: <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for username
Copy the temporary user's entry from /etc/shadow into a temporary file:

# grep username /etc/shadow > username.temp

Delete all fields except the encrypted password. The second field holds the encrypted password. The temporary file contains a password hash, so keep it readable only by root and delete it after you have copied the hash into /etc/d_passwd.
For example, in the following line, the encrypted password is U9gp9SyA/JlSk.
temp:U9gp9SyA/JlSk:7967:::::7988:
Delete the temporary user:

# userdel username
Copy the encrypted password from the temporary file into the password field of each entry in /etc/d_passwd. You can create a different password for each login shell. Alternatively, use the same password for each login shell.
Inform users of the dial-up password. You should ensure that your means of informing the users cannot be tampered with.
How to Temporarily Disable Dial-Up Logins

Become an administrator. For more information, see How to Obtain Administrative Rights.

Put a single asterisk (*) in the encrypted-password field of the /etc/d_passwd entry for the login program whose dial-up access you want to disable. To restore dial-up logins, replace the asterisk with the encrypted password. For example:
/usr/bin/sh:*:
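A mistake in either file weakens the control without any error message, so a check of ownership, mode, and entry syntax is worth scripting before and after edits. The following POSIX sh functions are an added example for the two dial-up procedures above; they are not part of this guide. They verify that a file is root-owned with mode 600, that each /etc/dialups line names a device under /dev, and that each /etc/d_passwd entry has the program:encrypted-password: form, reporting entries whose password field is empty, still contains the encrypted-password placeholder from the template, or is an asterisk (dial-up logins disabled for that program), as well as duplicate program entries. The demo at the bottom writes constructed copies of the two files in a temporary directory so that the script runs on any system; the paths passed to the functions are the only assumption.

```shell
#!/bin/sh
# Added example: sanity-check the dial-up password files.

# Report if FILE is not owned by root with mode 600 (rw for root only).
# Uses ls -l rather than stat(1) because stat's syntax differs between systems.
check_dialup_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$mode" = "-rw-------" ] || echo "$1: mode is $mode, expected -rw------- (600)"
    [ "$owner" = "root" ] || echo "$1: owner is $owner, expected root"
}

# Each /etc/dialups line must name a device under /dev.
check_dialups() {
    awk -v file="$1" '
    NF == 0 { next }
    $1 !~ /^\/dev\// { print file ": line " NR ": " $1 " is not a /dev device" }' "$1"
}

# Each /etc/d_passwd line must have the form program:encrypted-password:
# Report empty password fields, the placeholder left from the template,
# asterisks (dial-up logins disabled for that program), and duplicates.
check_d_passwd() {
    awk -F: -v file="$1" '
    NF == 0 { next }
    NF != 3 { print file ": line " NR ": malformed entry (expected program:encrypted-password:)"; next }
    $1 !~ /^\// { print file ": line " NR ": program " $1 " is not an absolute path" }
    ($1 in seen) { print file ": line " NR ": duplicate entry for " $1 }
    { seen[$1] = 1 }
    $2 == "" { print file ": line " NR ": empty password field for " $1 }
    $2 == "encrypted-password" { print file ": line " NR ": placeholder still present for " $1 }
    $2 == "*" { print file ": line " NR ": dial-up logins disabled for " $1 }' "$1"
}

# Demo on constructed copies of the two files in a temporary directory.
# On a Solaris system, point the functions at /etc/dialups and /etc/d_passwd.
demo_dir=$(mktemp -d)
cat > "$demo_dir/dialups" <<'EOF'
/dev/term/a
/dev/term/b
ttyc
EOF
cat > "$demo_dir/d_passwd" <<'EOF'
/usr/lib/uucp/uucico:U9gp9SyA/JlSk:
/usr/bin/csh:encrypted-password:
/usr/bin/ksh::
/usr/bin/sh:*:
/usr/bin/bash:U9gp9SyA/JlSk
EOF
chmod 644 "$demo_dir/dialups" "$demo_dir/d_passwd"
for f in "$demo_dir/dialups" "$demo_dir/d_passwd"; do check_dialup_perms "$f"; done
check_dialups "$demo_dir/dialups"
check_d_passwd "$demo_dir/d_passwd"
rm -rf "$demo_dir"
```

On the constructed files the demo reports the 644 mode on both files, the ttyc line that is not a /dev device, the csh entry that still carries the placeholder, the ksh entry with an empty password field, the sh entry that is disabled with an asterisk, and the bash entry that lacks its trailing colon. Run the same checks on the real files after every edit, and before logging out of the port you are keeping open.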