Files Reference
login.cfg File
Purpose
Contains configuration information for login and user authentication.
Description
The /etc/security/login.cfg file is an ASCII file
that contains stanzas of configuration information for login and user authentication.
Each stanza has a name, followed by a colon (:), that
defines its purpose. Attributes are in the form Attribute=Value. Each attribute
ends with a new-line character, and each stanza ends with an additional new-line
character. For an example of a stanza, see the "Examples" section.
There are two types of stanzas:
port
    Defines the login characteristics of ports.
user configuration
    Defines programs that change user attributes.
Port Stanzas
Port stanzas define the login characteristics of ports and are named with
the full path name of the port. Each port should have its own separate stanza.
Each stanza has the following attributes:
herald
    Defines the login message printed when the getty process opens the port.
    The default herald is the login prompt. The value is a character string.
herald2
    Defines the login message printed after a failed login attempt. The
    default herald is the login prompt. The value is a character string.
logindelay
    Defines the delay factor (in seconds) between unsuccessful login
    attempts. The value is a decimal integer string. The default value is 0,
    indicating no delay between unsuccessful login attempts.
logindisable
    Defines the number of unsuccessful login attempts allowed before
    the port is locked. The value is a decimal integer string. The default value
    is 0, indicating that the port cannot lock as a result of unsuccessful login
    attempts.
logininterval
    Defines the time interval (in seconds) within which the specified number
    of unsuccessful login attempts must occur before the port is locked. The
    value is a decimal integer string. The default value is 0.
loginreenable
    Defines the time interval (in minutes) after which a locked port is
    automatically unlocked following a system lock. The value is a decimal
    integer string. The default value is 0, indicating that the port is not
    automatically unlocked.
logintimes
    Specifies the times, days, or both, at which the user is allowed to access
    the system. The value is a comma-separated list of entries of the following
    form:

        [!]:time-time
        -or-
        [!]day[-day][:time-time]
        -or-
        [!]date[-date][:time-time]

    The day variable must be one digit between 0 and 6 that represents one of
    the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.
    The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading
    zeroes are required. For example, you must enter 0800, not 800. The time
    variable must be four characters in length, and there must be a leading
    colon (:). An entry consisting of only a time specification applies to
    every day. The start hour of a time value must be less than the end hour.

    The date variable is a four-digit string in the form mmdd. mm represents
    the calendar month and dd represents the day number. For example, 0001
    represents January 1. dd may be 00 to indicate the entire month, if the
    entry is not a range, or to indicate the first or last day of the month,
    depending on whether it appears as the start or the end of a range. For
    example, 0000 indicates the entire month of January. 0600 indicates the
    entire month of June. 0311-0500 indicates April 11 through the last day of
    June.

    Entries in this list specify times at which a user is allowed or denied
    access to the system. Entries not preceded by an exclamation point (!)
    allow access and are called ALLOW entries. Entries prefixed with an
    exclamation point (!) deny access to the system and are called DENY
    entries. The ! operator applies to only one entry, not the whole
    restriction list. It must appear at the beginning of an entry.
pwdprompt
    Defines the message that is displayed at a password prompt. The message
    value is a character string. Format specifiers are not interpreted. If the
    attribute is undefined, a default prompt from the message catalog is used.
sak_enabled
    Defines whether the secure attention key (SAK) is enabled for the port.
    The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the
    sak_enabled attribute are:
        true
            SAK processing is enabled, so the key sequence establishes a
            trusted path for the port.
        false
            SAK processing is not enabled, so a trusted path cannot be
            established. This is the default value.
    The sak_enabled attribute can also be used to close a potential security
    exposure that exists when tty login devices are writable by others; for
    example, when the tty mode is 0622. If sak_enabled is set to true, the tty
    mode is set to a more restrictive 0600 at login. If sak_enabled is set to
    false (or absent), the tty mode is set to 0622.
synonym
    Defines other path names for the terminal. This attribute revokes access
    to the port and is used only for trusted path processing. The path names
    should be device special files with the same major and minor number and
    should not include hard or symbolic links. The value is a list of
    comma-separated path names.

    Synonyms are not associative. For example, if you specify
    synonym=/dev/tty0 in the stanza for the /dev/console path name, then the
    /dev/tty0 path name is a synonym for the /dev/console path name. However,
    the /dev/console path name is not a synonym for the /dev/tty0 path name
    unless you specify synonym=/dev/console in the stanza for the /dev/tty0
    path name.
usernameecho
    Defines whether the user name is echoed on a port. Possible values for the
    usernameecho attribute are:
        true
            User name echo is enabled. The user name is displayed. This is
            the default value.
        false
            User name echo is disabled. The user name is not echoed at the
            login prompt and is masked out of security-related messages that
            contain the user name.
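To make the logintimes grammar concrete, here is an added Python example (not from AIX or from this reference) that parses the time-only and day-of-week entry forms and evaluates a comma-separated logintimes value against a datetime. Date (mmdd) entries are not modelled, and the ALLOW/DENY precedence it applies (a matching DENY entry always wins; otherwise an ALLOW entry must match when any exist) is an assumption, not something this reference states.

```python
import re
from datetime import datetime

# One logintimes entry, day-of-week and time-only forms only (date entries not modelled):
#   [!]:HHMM-HHMM          applies to every day
#   [!]d[-d][:HHMM-HHMM]   d is a weekday digit, 0 = Sunday ... 6 = Saturday
_ENTRY = re.compile(r"^(!?)(?:([0-6])(?:-([0-6]))?)?(?::(\d{4})-(\d{4}))?$")

def parse_entry(entry):
    """Return (deny, days, start, end) for one entry; raise ValueError on bad syntax."""
    text = entry.strip()
    m = _ENTRY.match(text)
    if not m or text in ("", "!"):
        raise ValueError("bad logintimes entry: %r" % entry)
    deny, d1, d2, t1, t2 = m.groups()
    if d1 is None:
        days = set(range(7))                          # time-only entry: every day
    else:
        days = set(range(int(d1), int(d2 or d1) + 1))  # single day or inclusive range
    if t1 is None:
        start, end = 0, 2400                          # no time part: the whole day
    else:
        start, end = int(t1), int(t2)                 # four digits required (0800, not 800)
        if start >= end or start % 100 > 59 or end % 100 > 59 or end > 2400:
            raise ValueError("bad time range in entry: %r" % entry)
    return deny == "!", days, start, end

def entry_matches(parsed, when):
    """True if the entry covers the weekday and minute of `when`."""
    deny, days, start, end = parsed
    aix_day = (when.weekday() + 1) % 7                # Python Monday=0 -> AIX Sunday=0
    hhmm = when.hour * 100 + when.minute
    return aix_day in days and start <= hhmm < end

def login_allowed(logintimes, when):
    """Evaluate a full logintimes list. Assumed precedence: a matching DENY entry
    always wins; otherwise, if any ALLOW entries exist, one of them must match."""
    entries = [parse_entry(e) for e in logintimes.split(",") if e.strip()]
    if any(entry_matches(p, when) for p in entries if p[0]):
        return False
    allows = [p for p in entries if not p[0]]
    return not allows or any(entry_matches(p, when) for p in allows)

if __name__ == "__main__":
    # Weekdays 08:00-17:00, but never on Wednesday (day 3): a Wednesday 09:00 login is denied.
    print(login_allowed("1-5:0800-1700,!3", datetime(2024, 1, 10, 9, 0)))
```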
User-Configuration Stanzas
User-configuration stanzas provide configuration information for programs
that change user attributes. There is one user-configuration stanza: usw.
Note: Password restrictions have no effect if you are on a network using
Network Information Services (NIS). See "Network Information Service (NIS)
Overview for System Management" in AIX 5L Version 5.2 System Management
Guide: Communications and Networks for a description of NIS.
The usw stanza defines the configuration of miscellaneous
facilities. The following attributes can be included:
logintimeout
    Defines the time (in seconds) the user is given to type the password.
    The value is a decimal integer string. The default is a value of 60.
maxlogins
    Defines the maximum number of simultaneous logins to the system. The
    format is a decimal integer string. The default value varies depending on
    the specific machine license. A value of 0 indicates no limit on
    simultaneous logins.

    Note: Login sessions include rlogins and telnets. These are counted
    against the maximum allowable number of simultaneous logins set by the
    maxlogins attribute.
shells
    Defines the valid shells on the system. This attribute is used by the
    chsh command to determine which shells a user can select. The value is a
    list of comma-separated full path names. The default is /usr/bin/sh,
    /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
Security
Access Control
This file should grant read (r) and write (w) access only to the root user
and members of the security group.
Auditing Events
Event: S_LOGIN_WRITE
Information: File name
Examples
A typical port stanza looks like the following:
    /dev/tty0:
            sak_enabled = true
            herald = "login to tty0:"
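An added Python example, not part of this reference or of AIX, that parses text in the stanza syntax shown above (a name followed by a colon, Attribute=Value lines, a blank line ending the stanza) and reports port stanzas left with logindisable at its default of 0 or with sak_enabled not set to true. The sample configuration is constructed; the parser's tolerance for whitespace around "=" and for quoted values follows the example stanza rather than a documented rule.

```python
# Constructed sample in login.cfg stanza syntax (not taken from a real system).
SAMPLE_LOGIN_CFG = """\
/dev/tty0:
        sak_enabled = true
        logindisable = 5
        logininterval = 60
        loginreenable = 30
        herald = "login to tty0:"

/dev/tty1:
        logindelay = 2

usw:
        logintimeout = 60
        shells = /usr/bin/sh,/usr/bin/ksh
"""

def parse_login_cfg(text):
    """Return {stanza_name: {attribute: value}} from login.cfg-style text.
    A stanza starts with 'name:' and ends at the first blank line."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                              # blank line closes the current stanza
            current = None
            continue
        if current is None:
            if not line.endswith(":"):
                raise ValueError("expected a stanza name, got %r" % raw)
            current = line[:-1]
            stanzas[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected Attribute=Value in %r, got %r" % (current, raw))
        stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas

def port_findings(stanzas):
    """For each port stanza (named by its device path), list the settings this
    reference describes as exposures: no lockout on failed logins, SAK off (tty 0622)."""
    findings = {}
    for name, attrs in stanzas.items():
        if not name.startswith("/dev/"):          # usw and other stanzas are not ports
            continue
        notes = []
        if int(attrs.get("logindisable", "0")) == 0:
            notes.append("logindisable=0: port never locks after failed logins")
        if attrs.get("sak_enabled", "false").lower() != "true":
            notes.append("sak_enabled absent or false: tty mode is 0622 at login")
        findings[name] = notes
    return findings
```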
Files
Related Information
The chfn command, chsec command, chsh command, login command, passwd command, pwdadm command,
and su command.
The newpass subroutine.
Security Administration in AIX 5L Version 5.2 System Management Concepts: Operating System and Devices.