Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)
Securing Logins and Passwords (Tasks)
You can limit remote logins, require users to have passwords, and require the root account to have a complex password. You can also monitor failed access attempts and disable logins temporarily.
Securing Logins and Passwords (Task Map)
The following task map points to procedures that monitor user logins and that disable user logins.
How to Change the root Password
When you change the root password, you must comply with the password requirements that apply to all users of the system.
Before You Begin
You must be in the root role.
# passwd root
New Password:
Re-enter new Password:
passwd: password successfully changed for root
A message prints to the screen if your password does not conform to requirements. The messages are informative. After three attempts, you must run the command again to change the password.
passwd: Password too short - must be at least 6 characters.
passwd: The password must contain at least 2 alphabetic character(s).
passwd: The password must contain at least 1 numeric or special character(s).
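The three rules quoted in those messages can be checked before passwd is run, for instance when a new root password is being prepared during a change window. The following shell function is an added example, not part of the Oracle documentation; the thresholds (6 characters, 2 alphabetic, 1 numeric or special) are assumed to be the ones the messages above reflect, and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Checks a candidate password against the three rules quoted by passwd(1)
# above. The thresholds are assumed to match those messages.
PASSLENGTH=6     # minimum length
MINALPHA=2       # minimum alphabetic characters
MINNONALPHA=1    # minimum numeric or special characters

# count_class STRING CLASS: number of characters of STRING in tr class CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password CANDIDATE
# Prints one diagnostic per violated rule, in the wording passwd uses,
# and returns 1 if any rule is violated, 0 if the password conforms.
check_password() {
    pw=$1
    rc=0
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    alpha=$(count_class "$pw" '[:alpha:]')
    nonalpha=$((len - alpha))          # anything that is not a letter
    if [ "$len" -lt "$PASSLENGTH" ]; then
        echo "passwd: Password too short - must be at least $PASSLENGTH characters."
        rc=1
    fi
    if [ "$alpha" -lt "$MINALPHA" ]; then
        echo "passwd: The password must contain at least $MINALPHA alphabetic character(s)."
        rc=1
    fi
    if [ "$nonalpha" -lt "$MINNONALPHA" ]; then
        echo "passwd: The password must contain at least $MINNONALPHA numeric or special character(s)."
        rc=1
    fi
    return $rc
}

# Constructed candidates: the first breaks all three rules, the next two
# break one rule each, the last conforms.
for candidate in 'a' 'abcdefg' '1234567' 'Cv7-qz9p'; do
    if check_password "$candidate" >/dev/null; then
        echo "conforms: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

The function only mirrors the three rules the messages state; a real passwd run also applies whatever other settings are active in /etc/default/passwd, so treat this as a pre-check, not a replacement.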
How to Display a User's Login Status
Before You Begin
You must be in the root role.
# logins -x -l username
-x           Displays an extended set of login status information.
-l username  Displays the login status for the specified user. The variable username is a user's login name. Multiple login names are separated by commas.
The logins command uses the appropriate password database to obtain a user's login status. The database can be the local /etc/passwd file, or a password database for the naming service. For more information, see the logins(1M) man page.
Example 3-1 Displaying a User's Login Status
In the following example, the login status for the user jdoe is displayed.
# logins -x -l jdoe
jdoe        500     staff      10   Jaylee Jaye Doe
                                    /home/jdoe
                                    /bin/bash
                                    PS 010103 10 7 -1
jdoe               Identifies the user's login name.
500                Identifies the user ID (UID).
staff              Identifies the user's primary group.
10                 Identifies the group ID (GID).
Jaylee Jaye Doe    Identifies the comment.
/home/jdoe         Identifies the user's home directory.
/bin/bash          Identifies the login shell.
PS 010103 10 7 -1  Specifies the password aging information:
                   Last date that the password was changed
                   Number of days that are required between changes
                   Number of days before a change is required
                   Warning period
How to Display Users Without Passwords
Before You Begin
You must be in the root role.
# logins -p
The -p option displays a list of users with no passwords. The logins command uses the passwd database from the local system unless a distributed naming service is specified in the nsswitch.conf file.
Example 3-2 Displaying Users Without Passwords
In the following example, the user pmorph does not have a password.
# logins -p
pmorph     501     other      1    Polly Morph
#
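What logins -p and the aging fields of logins -x report comes from the shadow(4) database, and the same checks can be run directly against a copy of that file, for example one collected from a system that is being audited offline. The following script is an added example, not Oracle's code. It reads a constructed shadow-format sample (placeholder hashes, not data from any real system) and assumes the Solaris conventions that an empty password field means no password, a field of NP means a non-login account, and a *LK* prefix means a locked account.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Audits a shadow(4)-format file for accounts without a password and for
# passwords older than their maximum age, the facts behind `logins -p`
# and the aging line of `logins -x`.
#
# Field layout, per shadow(4):
#   name:password:lastchg:min:max:warn:inactive:expire:flag
# lastchg and the TODAY argument are days since 1970-01-01.
# Assumed Solaris conventions: "" = no password, "NP" = no login,
# "*LK*" prefix = locked.

# audit_shadow FILE TODAY
# Prints one finding per line: NOPASSWD, NOLOGIN, LOCKED or EXPIRED.
audit_shadow() {
    awk -F: -v today="$2" '
        /^#/ || NF < 2 { next }                       # comments, blank lines
        $2 == ""        { print "NOPASSWD " $1; next }
        $2 == "NP"      { print "NOLOGIN " $1;  next }
        $2 ~ /^\*LK\*/  { print "LOCKED " $1;   next }
        $3 != "" && $5 != "" && $5 > 0 && today - $3 > $5 {
            printf "EXPIRED %s (%d days since change, max %d)\n", $1, today - $3, $5
        }
    ' "$1"
}

# days_since_epoch: TODAY for a live system, where date(1) supports %s
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$5$PLACEHOLDER$notarealhash:14980:7:56:7:::
jdoe:$5$PLACEHOLDER$notarealhash:14000:7:56:7:::
pmorph::15000::::::
daemon:NP:6445::::::
svcmaint:*LK*$5$PLACEHOLDER$notarealhash:14500:7:56:7:::
EOF

# Day 15000 is used as "today" so the sample is reproducible.
audit_shadow "$SAMPLE" 15000
```

On a live system the call would be `audit_shadow /etc/shadow "$(days_since_epoch)"`, run from the root role since the file is not world-readable; a NOPASSWD finding is the same condition that logins -p lists.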
How to Temporarily Disable User Logins
Temporarily disable user logins during system shutdown or routine maintenance. Superuser logins are not affected. For more information, see the nologin(4) man page.
Before You Begin
You must be in the root role.
# vi /etc/nologin
Example 3-3 Disabling User Logins
In this example, users are notified of system unavailability.
# vi /etc/nologin
(Add system message here)
# cat /etc/nologin
***No logins permitted.***
***The system will be unavailable until 12 noon.***
You can also bring the system to run level 0, single-user mode, to disable logins. For information about bringing the system to single-user mode, see Chapter 3, Shutting Down a System (Tasks), in Booting and Shutting Down Oracle Solaris on x86 Platforms.
How to Monitor Failed Login Attempts
This procedure captures failed login attempts from terminal windows. This procedure does not capture failed logins from a desktop login attempt.
Before You Begin
You must be in the root role.
# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chgrp sys /var/adm/loginlog
For example, log in to the system five times with the wrong password. Then, display the /var/adm/loginlog file.
# more /var/adm/loginlog
jdoe:/dev/pts/2:Tue Nov 4 10:21:10 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:21 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:30 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:40 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:49 2010
#
The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged.
A growing loginlog file can indicate an attempt to break into the computer system. Therefore, check and clear the contents of this file regularly. For more information, see the loginlog(4) man page.
How to Monitor All Failed Login Attempts
This procedure captures all failed login attempts in a syslog file.
Before You Begin
You must be in the root role.
Edit the /etc/default/login file. Make sure that SYSLOG=YES is uncommented, and set SYSLOG_FAILED_LOGINS to 0 so that every failed attempt is logged.
# grep SYSLOG /etc/default/login
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
SYSLOG=YES
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
#SYSLOG_FAILED_LOGINS=5
SYSLOG_FAILED_LOGINS=0
#
# touch /var/adm/authlog
# chmod 600 /var/adm/authlog
# chgrp sys /var/adm/authlog
Edit the /etc/syslog.conf file so that the failures are sent to the /var/adm/authlog file.
For example, as a regular user, log in to the system with the wrong password. Then, as superuser, display the /var/adm/authlog file.
# more /var/adm/authlog
Nov 4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
#
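Both record formats produced by these two procedures (the loginlog(4) entries and the syslog lines written when SYSLOG=YES) reduce to the same signal the text says to watch for: a growing count of failures per login name. The following script is an added example, not Oracle's code. It runs over a constructed mix of both formats (made-up hosts and names, not real log data), reports every login name that reaches an assumed threshold, and for syslog records also shows the remote host named in the message.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Counts failed logins per user from either record format discussed above:
#   loginlog(4):  user:tty:timestamp
#   syslog, from login(1) with SYSLOG=YES:
#     Mon dd hh:mm:ss host login: [ID nnn auth.notice] Login failure on tty from host, user
# Reports users at or above THRESHOLD as "user count source" ("-" when the
# record carries no remote host).

# failed_logins_report FILE THRESHOLD
failed_logins_report() {
    awk -v threshold="$2" '
        # loginlog record: login name, tty, then the timestamp
        /^[^: ]+:\/dev\// {
            split($0, f, ":")
            count[f[1]]++
            next
        }
        # syslog record: the login name is the last field, the remote
        # host the field before it (with a trailing comma)
        /login: .*Login failure on/ {
            user = $NF
            host = $(NF - 1)
            sub(/,$/, "", host)
            count[user]++
            src[user] = host
        }
        END {
            for (u in count)
                if (count[u] >= threshold) {
                    s = (u in src) ? src[u] : "-"
                    printf "%s %d %s\n", u, count[u], s
                }
        }
    ' "$1" | sort
}

# Constructed sample: five loginlog records for jdoe, two syslog records
# for stacey and four for root.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
jdoe:/dev/pts/2:Tue Nov 4 10:21:10 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:21 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:30 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:40 2010
jdoe:/dev/pts/2:Tue Nov 4 10:21:49 2010
Nov 4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov 4 14:46:20 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov 4 15:02:01 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
Nov 4 15:02:05 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
Nov 4 15:02:09 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
Nov 4 15:02:14 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, root
EOF

# Report anyone with three or more failures; the threshold is an assumed value.
failed_logins_report "$LOG" 3
```

On a live system the same function can be pointed at /var/adm/loginlog or /var/adm/authlog; because the text recommends clearing loginlog regularly, run the report before clearing so the counts are not lost.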
Example 3-4 Logging Access Attempts After Three Login Failures
Follow the preceding procedure, except set the value of SYSLOG_FAILED_LOGINS to 3 in the /etc/default/login file.
Example 3-5 Closing Connection After Three Login Failures
Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection.
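The settings that this procedure and Examples 3-4 and 3-5 change in /etc/default/login, together with the syslog.conf route that delivers the records to authlog, are worth verifying after a change. The following script is an added example, not Oracle's code. It audits constructed copies of the two files (not a live system's), using the values the text gives (SYSLOG=YES, SYSLOG_FAILED_LOGINS=0, RETRIES=3) as the target; it assumes that a missing or commented-out setting takes the shipped default (SYSLOG=YES, SYSLOG_FAILED_LOGINS=5, RETRIES=5) and that the syslog.conf route is a tab-separated line of the form auth.notice /var/adm/authlog.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.
# Audits login(1) defaults and the syslog route used by the procedures above.
# Target values are the ones given in the text: SYSLOG=YES,
# SYSLOG_FAILED_LOGINS=0 (log every failure), RETRIES=3 (Example 3-5).
# Defaults for missing or commented settings are assumed to be the
# shipped ones (SYSLOG=YES, SYSLOG_FAILED_LOGINS=5, RETRIES=5).

# get_setting FILE NAME DEFAULT: value of the last uncommented NAME= line
get_setting() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -1)
    echo "${v:-$3}"
}

# audit_login_defaults FILE
# Prints one line per setting; returns 1 if anything deviates from target.
audit_login_defaults() {
    rc=0
    syslog=$(get_setting "$1" SYSLOG YES)
    failed=$(get_setting "$1" SYSLOG_FAILED_LOGINS 5)
    retries=$(get_setting "$1" RETRIES 5)
    if [ "$syslog" = "YES" ]; then
        echo "OK   SYSLOG=$syslog"
    else
        echo "FIX  SYSLOG=$syslog (failed logins are not sent to syslog)"; rc=1
    fi
    if [ "$failed" -eq 0 ]; then
        echo "OK   SYSLOG_FAILED_LOGINS=$failed (every failure is logged)"
    else
        echo "FIX  SYSLOG_FAILED_LOGINS=$failed (logged only after $failed failures)"; rc=1
    fi
    if [ "$retries" -le 3 ]; then
        echo "OK   RETRIES=$retries"
    else
        echo "FIX  RETRIES=$retries (connection stays open for $retries attempts)"; rc=1
    fi
    return $rc
}

# check_authlog_route SYSLOG_CONF
# Returns 0 if an auth selector is routed to /var/adm/authlog. Selector and
# action must be separated by a tab; a line written with spaces is the
# classic syslog.conf mistake and is reported as a missing route.
check_authlog_route() {
    awk -F'\t' '
        $1 ~ /^auth\.(notice|info|debug|\*)$/ && $NF == "/var/adm/authlog" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed files: a shipped-style login file and a hardened one, plus
# a correct and an incorrect syslog.conf route.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/login.default" <<'EOF'
SYSLOG=YES
#SYSLOG_FAILED_LOGINS=5
#RETRIES=5
EOF
cat > "$WORK/login.hardened" <<'EOF'
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
RETRIES=3
EOF
printf 'auth.notice\t/var/adm/authlog\n' > "$WORK/syslog.tab"
printf 'auth.notice /var/adm/authlog\n'  > "$WORK/syslog.spaces"

for f in "$WORK/login.default" "$WORK/login.hardened"; do
    echo "== $f"; audit_login_defaults "$f" || true
done
check_authlog_route "$WORK/syslog.tab" && echo "authlog route present (tab-separated)"
check_authlog_route "$WORK/syslog.spaces" || echo "authlog route missing or not tab-separated"
```

Against a live system, run `audit_login_defaults /etc/default/login` and `check_authlog_route /etc/syslog.conf`; a FIX line for SYSLOG_FAILED_LOGINS with the value 3 is expected if Example 3-4 was followed deliberately.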