This document describes two examples of user-defined authentication methods. If these are run as a primary authentication method, they will restrict logins by the root user to a single device while still permitting su access to the root account from another port, or limit the number of concurrent logins allowed per user. This document applies to AIX Version 3.2 and Version 4.x.
User authentication is used to control access to an RS/6000. There are two levels of user authentication in AIX: primary and secondary.
NOTE: A primary authentication method will prevent login access while a secondary method is purely informational and will NOT restrict access.
It is common practice to install site-specific user verification tests as primary and/or secondary authentication methods. Access by login, su, rlogin, telnet are subject to defined primary and secondary authentication methods. rsh, rexec, and ftp are not subject to these methods.
The methods described in this document, if used as primary authentication will restrict root logins to a specific device, or limit the number of concurrent logins allowed on a per user basis.
The following steps describe how to implement the "console-only" authentication as a primary authentication method. (It must run as a primary authentication method to enforce the restriction.) The steps describe how to make the authentication method known to AIX. Modify the root user's profile to invoke the validation routine and compile the "console-only" code.
The module, named console-only.c, determines if a user is signing onto the specified device (the default is the system console) or executing the su command. If either of these conditions are true, the routine returns a status value of zero. Otherwise, it returns a status value of one. If a status value of zero is returned, the login is validated and the user's initial program is executed. Invoke the validation routine, and compile the console-only code.
CONSOLE:
program = /etc/security/console-only
This will make the method known to AIX.
NOTE: The program console-only.c optionally takes one parameter to indicate a particular device to which root access is restricted. To specify a device other than the console, for instance "tty0", modify the CONSOLE stanza as follows:
CONSOLE:
program = "/etc/security/console-only /dev/tty0"
chuser auth1=SYSTEM,CONSOLE root
NOTE: There cannot be any spaces in the comma separated list of primary authentication methods.
NOTE: There cannot be any spaces in the comma separated list of primary authentication methods. Press Enter to commit the change.
cc -o /etc/security/console-only console-only.c
NOTE: Please note that page headers and footers may appear in the code. They should be removed before the code is used.
/*Console-only Root Login Authentication Method
*
* Written By: John F. Haugh,II Date: 18 March 93 */
#include <sys/types.h>
#include <utmp.h>
#include <stdio.h>
#define CONSOLE "/dev/hft/0"
NOTE: For AIX Version 4 replace the preceding line with the following line:
define CONSOLE "/dev/lft0"
/*console-only - TTY Port Access Control Authentication Method
*
* console-only permits root logins on the console device
* (defined with the CONSOLE macro above). It allows su's
from any device. */
main (int argc, char **argv)
{
char *user;
char *console;
char *tty, *ttyname ();
struct utmp utmp, *putmp;
/* Usage is "console-only <user>". This would typically be
* only for root, but we allow other users to use this method. */
if (argc < 2)
exit (1);
user = argv[argc - 1];
/* If there are 3 arguments, #2 is the name of the device. */
if (argc == 2)
console = CONSOLE;
else
console = argv[1];
/* Get the TTY name. */
if ((tty = ttyname (0)) == (char *) 0)
exit (1);
/* Clear the utmp structure so I can fetch this line's utmp
* record. */
memset ((void *) &utmp, 0, sizeof utmp);
strncpy (utmp.ut_line, tty + 5, sizeof utmp.ut_line);
setutent ();
putmp = getutline (&utmp);
/* See if my PPID is the same as the PID in the utmp record.
* That would mean that login is calling me. This is what
* distinguishes between "login" and "su". */
if (putmp == (struct utmp *) 0 || putmp->ut_pid != getppid ())
exit (0);
exit ((strcmp (console, tty) == 0) ? 0:1);
}
In order to limit the number of logins per user, you will have to create a script and update two files: /etc/security/login.cfg and /etc/security/user.
/usr/bin/Block_user *name isn't important, just be consistent
#!/bin/ksh
USER=$1
NUM=`who | grep $USER |cut -c1-8 | wc -l`
#The above ' is not a single quote but back quote (accent)
if [[ $NUM -lt 1 ]]
then
exit 0
fi
echo "permission denied ...$NUM is the limit of logins"
exit 1
Save this file and then change its permissions. Make sure this file is owned by root and does not have write permission for group or other.
chmod 755 /usr/bin/Block_user *make script executable
Add the following lines:
* auth_method:
* program =
Change the lines to look as follows:
auth_method:
program = /usr/bin/Block_user
admin = false login = true su = true daemon = true rlogin = true sugroups = ALL ttys = ALL auth1 = SYSTEM auth2 = NONE tpath = nosak umask = 022 expires = 0 root: admin = true user1: admin = false
Change the auth1 line to:
default: auth1 = SYSTEM,auth_method
This change will affect all users logging into the system.
NOTE: root should be an exception to this default.
For example, root would read:
root: auth1 = SYSTEM
user1: auth1 = SYSTEM,auth_method
user2: auth1 = SYSTEM,auth_method
user2:
The above changes to the individual user stanzas would limit user1 and user2 to the login restrictions defined in the script above.