[ Previous | Next | Table of Contents | Index | Library Home |
Legal |
Search ]
Files Reference
login.cfg File
Purpose: Contains configuration information for login and user authentication.
The
/etc/security/login.cfg file is an ASCII file that contains
stanzas of configuration information for login and user authentication.
Each stanza has a name, followed by a : (colon), that defines its
purpose. Attributes are in the form
Attribute=Value. Each attribute ends
with a new-line character, and each stanza ends with an additional new-line
character. For an example of a stanza, see the "Examples" section.
There are three types of stanzas: port stanzas, authentication-method stanzas,
and user-configuration stanzas.
Port stanzas define the login
characteristics of ports and are named with the full path name of the
port. Each port should have its own separate stanza. Each stanza
has the following attributes:
herald
| Defines the login message printed when the getty process opens
the port. The default herald is the login prompt.
The value is a character string.
|
herald2
| Defines the login message printed after a failed login attempt.
The default herald is the login prompt. The value is a
character string.
|
logindelay
| Defines the delay factor (in seconds) between unsuccessful login
attempts. The value is a decimal integer string. The default
value is 0, indicating no delay between unsuccessful login attempts.
|
logindisable
| Defines the number of unsuccessful login attempts allowed before the port
is locked. The value is a decimal integer string. The default
value is 0, indicating that the port cannot lock as a result of unsuccessful
login attempts.
|
logininterval
| Defines the time interval (in seconds) in which the specified
unsuccessful login attempts must occur before the port is locked. The
value is a decimal integer string. The default value is 0.
|
loginreenable
| Defines the time (in minutes) after which a port that was locked because of
unsuccessful login attempts is automatically unlocked. The value is a decimal
integer string. The default value is 0, indicating that the port is not
automatically unlocked and must be unlocked by an administrator.
|
logintimes
| Specifies the times, days, or both the user is allowed to access the
system. The value is a comma-separated list of entries of the following
form:
[!]:time-time
-or-
[!]day[-day][:time-time]
-or-
[!]date[-date][:time-time]
The day variable must
be one digit between 0 and 6 that represents one of the days of the
week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.
The time variable is
24-hour military time (1700 is 5:00 p.m.). Leading
zeroes are required. For example, you must enter 0800, not
800. The time variable must be four characters in
length, and there must be a leading colon (:). An entry
consisting of only a time specification applies to every day. The start
hour of a time value must be less than the end hour.
The date variable is a
four-digit string in the form mmdd. mm represents
the calendar month and dd represents the day number. The month
number is zero-based: 00 is January, so 0001 represents January 1.
dd may be 00 to indicate the entire month, if the entry is not a range,
or to indicate the first or last day of the month, depending on whether
it appears as the start or the end of a range. For example, 0000
indicates the entire month of January, 0500 indicates the entire month
of June, and 0311-0500 indicates April 11 through the last day of June.
Because the zero-based month numbering is easy to get wrong, verify any
date-based restriction on a test account before relying on it.
Entries in this list specify
times that a user is allowed or denied access to the system. Entries
not preceded by an exclamation point (!) allow access and are
called ALLOW entries. Entries prefixed with an exclamation point
(!) deny access to the system and are called DENY entries.
The ! operator applies to only one entry, not the whole restriction
list. It must appear at the beginning of an entry.
|
sak_enabled
| Defines whether the secure attention key (SAK) is enabled for the
port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible
values for the sak_enabled attribute are:
- true
- SAK processing is enabled, so the key sequence establishes a trusted path
for the port.
- false
- SAK processing is not enabled, so a trusted path cannot be
established. This is the default value.
The sak_enabled attribute also closes a potential security exposure that
exists when tty login devices are writable by others; for example, when the
tty mode is 0622, which lets any local user write to the terminal. If
sak_enabled is set to true, the tty mode is set to the more restrictive
0600 at login. If sak_enabled is set to false (or is absent), the tty mode
is set to 0622.
|
synonym
| Defines other path names for the terminal. This attribute revokes
access to the port and is used only for trusted path processing. The
path names should be device special files with the same major and minor number
and should not include hard or symbolic links. The value is a list of
comma-separated path names.
Synonyms are not
reciprocal. For example, if you specify synonym=/dev/tty0
in the stanza for the /dev/console path name, then the
/dev/tty0 path name is a synonym for the /dev/console
path name. However, the /dev/console path name is not a
synonym for the /dev/tty0 path name unless you specify
synonym=/dev/console in the stanza for the /dev/tty0
path name.
|
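The logintimes grammar described above, as an added example that is not part of the original page and not AIX code: a Python evaluator that parses a restriction list and decides whether a given timestamp is allowed on the port. It encodes the rules the page states (three entry forms, 0 = Sunday, four-digit times with a leading colon, start hour less than end hour, 00 as a whole-month or first/last-day marker, a single ! at the start of a DENY entry). Several rules are assumptions because the page does not spell them out: DENY entries take precedence, access outside every ALLOW entry is refused once at least one ALLOW entry exists, a time range excludes its end minute, and month numbers are zero-based (00 is January) as in the page's own examples. Check each against the system you administer before relying on the result.

```python
"""Evaluate a logintimes restriction list (added example; assumptions marked)."""
import calendar
from datetime import datetime


def _hhmm(text):
    # Times are four-digit 24-hour values with leading zeros, e.g. 0800.
    if len(text) != 4 or not text.isdigit():
        raise ValueError("time must be exactly four digits: %r" % text)
    return int(text[:2]) * 60 + int(text[2:])


def _time_in_range(timespec, when):
    # timespec is "time-time"; the start hour must be less than the end hour.
    start, end = (_hhmm(t) for t in timespec.split("-"))
    if start >= end:
        raise ValueError("start must be less than end: %r" % timespec)
    minute = when.hour * 60 + when.minute
    return start <= minute < end          # assumption: the end minute is excluded


def _date_bound(mmdd, is_end, year):
    # mmdd with a zero-based month (00 = January), as in the page's examples (assumption).
    month, day = int(mmdd[:2]) + 1, int(mmdd[2:])
    if day == 0:                          # 00 = first day at a range start, last day at its end
        day = calendar.monthrange(year, month)[1] if is_end else 1
    return (month, day)


def _entry_matches(entry, when):
    body, _, timespec = entry.partition(":")
    if timespec and not _time_in_range(timespec, when):
        return False
    if not body:                          # ":time-time" applies to every day
        return True
    low, _, high = body.partition("-")
    if len(low) == 1:                     # day-of-week form, 0 = Sunday ... 6 = Saturday
        weekday = when.isoweekday() % 7   # Python's isoweekday: Monday = 1 ... Sunday = 7
        return int(low) <= weekday <= (int(high) if high else int(low))
    if len(low) == 4:                     # date form, mmdd
        today = (when.month, when.day)
        if not high:                      # single date; dd = 00 means the whole month
            month, day = int(low[:2]) + 1, int(low[2:])
            return today == (month, day) if day else when.month == month
        return _date_bound(low, False, when.year) <= today <= _date_bound(high, True, when.year)
    raise ValueError("unrecognised entry: %r" % entry)


def logintimes_allows(spec, when):
    """Return True if `when` (datetime or ISO 8601 string) is allowed by `spec`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    allow, deny = [], []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "!" in raw[1:]:
            raise ValueError("'!' must be the first character of an entry: %r" % raw)
        (deny if raw.startswith("!") else allow).append(raw.lstrip("!"))
    if any(_entry_matches(e, when) for e in deny):
        return False                      # assumption: DENY entries take precedence
    if not allow:
        return True                       # only DENY entries: allowed except during them
    return any(_entry_matches(e, when) for e in allow)   # assumption: ALLOW list is exhaustive


if __name__ == "__main__":
    # Constructed rule: weekdays 08:00-17:00, except April 11 through the end of June.
    rule = "1-5:0800-1700,!0311-0500"
    print(logintimes_allows(rule, "2024-01-10T09:00"))   # Wednesday in January: True
    print(logintimes_allows(rule, "2024-05-01T09:00"))   # Wednesday in May: False
```

The zero-based month assumption is the one most worth testing on a live system: under it, the entry 0600 covers July, not June.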
Authentication-method stanzas define the
authentication methods for users assigned in the /etc/security/user
file. The name of each stanza must be identical to one of the methods
defined by the auth1 or the auth2 attribute in the
/etc/security/user file.
Each stanza has one
attribute:
program
| Contains the full path name of a program that provides primary or
secondary authentication for a user. Program flags and parameters may
be included.
|
Since the SYSTEM authentication
method is supported directly by the login command and the
su command, and the NONE method does not provide any
authentication, neither requires definition. However, all other
authentication methods must be defined in this file. Different
authentication methods can be defined for each user.
User-configuration stanzas
provide configuration information for programs that change user
attributes. There is one user-configuration stanza:
usw.
Note:
Password restrictions have no effect if you are on a network using Network
Information Services (NIS). See "Network Information
Service (NIS) Overview for System Management" in AIX 5L Version
5.1 System Management Guide: Communications and Networks
for a description of NIS.
The usw stanza defines
the configuration of miscellaneous facilities. The following attributes
can be included:
logintimeout
| Defines the time (in seconds) the user is given to type the
password. The value is a decimal integer string. The default is
a value of 60.
|
maxlogins
| Defines the maximum number of simultaneous logins to the system.
The format is a decimal integer string. The default value varies
depending on the specific machine license. A value of 0 indicates no
limit on simultaneous logins.
Note: Login sessions include rlogins and telnets; these
are counted against the maximum allowable number of simultaneous logins by the
maxlogins attribute.
|
shells
| Defines the valid shells on the system. This attribute is used by
the chsh command to determine which shells a user can
select. The value is a list of comma-separated full path names.
The default list is /usr/bin/sh, /usr/bin/bsh,
/usr/bin/csh, /usr/bin/ksh, and /usr/bin/tsh.
|
Access Control: This file should grant read (r) and write (w) access only
to the root user and members of the security group. Check it with
ls -l /etc/security/login.cfg: the mode should be no more permissive than
0660 with owner root and group security, since anyone who can write the
file can change the authentication program run at login.
Auditing Events:
Event            Information
S_LOGIN_WRITE    File name
- A typical authentication_method stanza looks like the following:

      meth1:
              program = /bin/auth_meth1

- A typical port stanza looks like the following:

      /dev/tty0:
              sak_enabled = true
              herald = "login to tty0:"
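The stanza format described in the Description and shown in the Examples above, as an added example that is not from the original page and not AIX code: a Python parser for that format, a review of the port-stanza attributes that matter for resistance to password guessing (logindisable, loginreenable, logindelay, sak_enabled), and a simulation of when a port locks and unlocks under given logindisable, logininterval and loginreenable values. The sample file is constructed (its first two stanzas are the page's own examples, the rest are made up). The lockout simulation assumes rules the page does not state, listed in its docstring, so treat its timings as illustrative rather than as AIX behaviour.

```python
"""Parse login.cfg-style stanzas and review port lockout settings (added example)."""

# Constructed file content; /dev/tty1 is deliberately left with default values.
SAMPLE_LOGIN_CFG = """\
meth1:
        program = /bin/auth_meth1

/dev/tty0:
        sak_enabled = true
        herald = "login to tty0:"
        logindisable = 5
        logininterval = 60
        loginreenable = 30
        logindelay = 5

/dev/tty1:
        herald = "login:"

usw:
        logintimeout = 60
        shells = /usr/bin/sh,/usr/bin/ksh
"""


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} for the stanza format described above."""
    stanzas, current = {}, None
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            current = None                # a blank line ends the stanza
            continue
        if stripped.endswith(":") and "=" not in stripped:
            current = stripped[:-1]       # "name:" opens a stanza
            stanzas[current] = {}
            continue
        if current is None:
            raise ValueError("line %d: attribute outside any stanza" % number)
        key, sep, value = stripped.partition("=")
        if not sep:
            raise ValueError("line %d: expected Attribute=Value" % number)
        stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def audit_ports(stanzas):
    """Return (port, finding) pairs for port stanzas whose settings leave the port exposed."""
    findings = []
    for name, attrs in stanzas.items():
        if not name.startswith("/dev/"):
            continue                      # only port stanzas are named by device path

        def number(key):
            return int(attrs.get(key, "0"))   # every counter on this page defaults to 0

        if number("logindisable") == 0:
            findings.append((name, "logindisable=0: port never locks after failed logins"))
        elif number("loginreenable") == 0:
            findings.append((name, "loginreenable=0: a locked port stays locked until unlocked by hand"))
        if number("logindelay") == 0:
            findings.append((name, "logindelay=0: no delay between unsuccessful attempts"))
        if attrs.get("sak_enabled", "false").lower() != "true":
            findings.append((name, "sak_enabled is not true: tty mode is 0622 at login"))
    return findings


def lockout_events(failure_times, logindisable, logininterval, loginreenable):
    """Simulate port locking for ascending failure timestamps (seconds).

    Returns [(lock_time, unlock_time_or_None)]. Assumptions, not stated on the page:
    a failure older than logininterval seconds drops out of the count, an attempt on
    a locked port is refused and not counted, and loginreenable=0 means no auto-unlock.
    """
    events, window, locked_until = [], [], float("-inf")
    for t in failure_times:
        if t < locked_until:
            continue                      # port is locked: attempt refused, not counted
        window = [f for f in window if t - f < logininterval] + [t]
        if logindisable and len(window) >= logindisable:
            unlock = t + loginreenable * 60 if loginreenable else None
            events.append((t, unlock))
            locked_until = unlock if unlock is not None else float("inf")
            window = []
    return events


if __name__ == "__main__":
    for port, finding in audit_ports(parse_stanzas(SAMPLE_LOGIN_CFG)):
        print(port, finding)
    print(lockout_events([0, 10, 20, 30, 40], 5, 60, 30))   # five failures in 40 s: lock at 40, unlock at 1840
```

Run against a real file with parse_stanzas(open("/etc/security/login.cfg").read()); a port that shows up in audit_ports with logindisable=0 accepts unlimited password guesses, and one with loginreenable=0 will need an administrator to unlock it once it does lock.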
Implementation Specifics: This file is part of Base
Operating System (BOS) Runtime.
Related Information: The chfn command, chsec command, chsh command, login command, passwd command, pwdadm command, su command.
The newpass subroutine.
Security
Administration in AIX 5L Version 5.1 System Management
Concepts: Operating System and Devices.