Security, Performance, and Accounting Administration

2 Securing System Access

This chapter describes how to safeguard your computer against unauthorized access. It discusses how to prevent an intruder from logging in to your machine, how to maintain the password files, and how to prevent unauthorized root access to sensitive system files and programs.
The first section of this chapter gives you some background information about logins, passwords, and privileged access. You can skip this information and go right to the instructions. Use the following table to find the page where the instructions for a specific task begin.
  • How to Change, Lock, or Show Status of Passwords, page 16
  • How to Force a User to Enter a New Password, page 18
  • How to Display Login Information, page 19
  • How to Enable and Disable Password Aging, page 18
  • How to Enable Login Logging, page 20
  • How to Set Up Automatic Account Expiration, page 20
  • How to Disable and Re-Enable Inactive Accounts, page 21
  • How to Create a Dial-Up Password, page 22
  • How to Monitor and Control su Use, page 23

About Restricting Access to Your System

The first security barrier an intruder must cross is the login program. To cross this barrier, a user must supply a user name and a corresponding password known by the local machine or by the name service (NIS or NIS+).
A second line of defense makes sure that system files and programs can be changed or removed only by root, the superuser. A would-be superuser must supply the root user name and its correct password.

Restricting Login Access

When a user logs in to a machine, the login program consults the appropriate database according to the information listed in the /etc/nsswitch.conf file. The entries in this file can include files (designating the /etc files), nis (designating the NIS database), and nisplus (designating the NIS+ database). See Name Services Administration Guide or the reference page, nsswitch.conf(4), for a description of this file.
The login program verifies the user name and password entered. If the user name is not in the password database or the password is not correct for the user name, the login program denies access to the machine. When the user supplies a name from the password database and the correct password for the name, the system grants the user access to the machine.

Passwords

When logging in to a machine, users must enter both a user name (or login) and a password. Although logins are publicly known, passwords must be kept secret, and known only to users. You should ask your users to choose their passwords carefully, and change them often.

Choosing a Password

Many breaches of computer security involve guessing a legitimate user's password. While the passwd command enforces some criteria for making sure the password is hard to obtain, a clever person can sometimes guess a password just by knowing something about the user.
Bad Choices for Passwords

Bad choices for passwords include:
  • Your name, forwards, backwards or jumbled
  • Names of family members or pets
  • Car license numbers
  • Telephone numbers
  • Social Security numbers
  • Employee numbers
  • Names related to a hobby or interest
  • Seasonal themes, such as Santa in December
  • Any word in the dictionary
Good Choices for Passwords

Good choices for passwords include:
  • Phrase (beammeup)
  • Nonsense words made up of the first letters of every word in a phrase (swotrb for SomeWhere Over The RainBow)
  • Words with numbers, or symbols substituted for letters (sn00py for snoopy)

Password Databases

The password databases include the databases maintained by the network information services (NIS and NIS+) and the /etc files.

NIS Password Database

If your network uses the NIS name service, you can edit your machine's /etc/passwd file so that it additionally uses the NIS password facilities. If you add a special entry to this file (a line containing a plus sign (+)), the login program will also search for the user name in the NIS maps.
When a user runs the passwd command to change his or her password, the program first checks to see if the user has an entry in the local /etc/passwd file. If there is no such entry, the program looks for the + escape line in the passwd file. If the escape line is there, and NIS is running, the program changes the user's password on the NIS master server for the passwd map. The command yppasswd accesses NIS directly. For information about the NIS name service, see NFS Administration Guide.

NIS+ Password Database

If your network uses NIS+, the password information is kept in the NIS+ databases. Information in these databases can be protected by restricting access to authorized users. You can use Administration Tool to access or change information in the NIS+ files. For information about the NIS+ databases and NIS+ security, see Name Services Administration Guide.

/etc Files

The /etc files include /etc/passwd and /etc/shadow. The user name and other information is kept in the password file /etc/passwd, while the encrypted password itself is kept in a separate shadow file /etc/shadow. This is a security measure that prevents a user from gaining access to the encrypted passwords. While the /etc/passwd file is available to anyone who can log in to a machine, only root can read the /etc/shadow file. The passwd commands described in this chapter affect the /etc files on the local machine.

Password Aging


To make your computer systems more secure, ask users to change their passwords periodically. For a high level of security, you should require users to change their passwords every six weeks. Once every three months is adequate for lower levels of security. System administration logins (such as root and sys) should be changed monthly, or whenever a person who knows the root password leaves the company or is reassigned.
The password-aging mechanism forces users to change their passwords periodically. It also prevents a user from changing a password before a specified interval. You can apply password aging to a login account by using the passwd(1) command. If you require more access control than that provided by password aging, you can also create a dial-up password that requires a second access code as part of the login process. See "Password Protection Using Dial-Up Passwords" on page 11.

Password Protection Using Dial-Up Passwords


You can add a layer of security to your password mechanism by requiring a dial-up password for users who access the computer through a modem or dial-up port. A dial-up password is an additional password that a user must enter before being granted access to the machine.
Only superuser can create or change a dial-up password. To ensure the integrity of the system, the password should be changed about once a month. The most effective use of this mechanism is to require a dial-up password to gain access to a gateway machine.
Two files are involved in creating a dial-up password, /etc/dialups and /etc/d_passwd. The first contains a list of ports that require a dial-up password, and the second contains a list of shell programs that require an encrypted password as the additional dialup password.
The /etc/dialups file is a list of terminal devices, for example:

  /dev/term/a  
  /dev/term/b  

The /etc/d_passwd file has two fields. The first is the login shell that will require a password, and the second is the encrypted password, for example:

  /usr/lib/uucp/uucico:encrypted_password:  
  /usr/bin/csh:encrypted_password:  
  /usr/bin/ksh:encrypted_password:  
  /usr/bin/sh:encrypted_password:  

When a user attempts to log in on any of the ports listed in /etc/dialups, the login program looks at the user's login entry stored in /etc/passwd, and compares the login shell to the entries in /etc/d_passwd. These entries determine whether the user will be required to supply the dial-up password.
The basic sequence is illustrated by the following figure:


Figure 2-1 Basic Dial-up Password Sequence

The /etc/d_passwd File

Because most users will be running a shell when they log in, all shell programs should have entries in /etc/d_passwd. Such programs include uucico, sh, ksh, and csh. If some users run something else as their login shell, include that login shell in the file, too.
If the user's login program (as specified in /etc/passwd) is not found in /etc/d_passwd, or if the login shell field in /etc/passwd is null, the password entry for /usr/bin/sh is used.
  • If the user's login shell in /etc/passwd matches an entry in /etc/d_passwd, the user must supply a dial-up password.
  • If the user's login shell in /etc/passwd is not found in /etc/d_passwd, the user must supply the default password. The default password is the entry for /usr/bin/sh.
  • If the login shell field in /etc/passwd is empty, the user must supply the default password (the entry for /usr/bin/sh).
  • If /etc/d_passwd has no entry for /usr/bin/sh, then those users whose login shell field in /etc/passwd is empty or does not match any entry in /etc/d_passwd will not be prompted for a dial-up password.
  • Dial-up logins are disabled if /etc/d_passwd has only the following entry: /usr/bin/sh:*:
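The following shell script is added here as an illustration and is not part of this manual. It encodes the rules above, together with the port check from the sequence in Figure 2-1, as a function that reports which /etc/d_passwd entry (if any) governs a login on a given port with a given login shell. It works only on constructed copies of /etc/dialups and /etc/d_passwd under $TMPDIR, never on the live files; the *HASH strings are made-up stand-ins for the encrypted passwords.

```shell
#!/bin/sh
# Added illustration: which /etc/d_passwd entry governs a dial-up login.
# Works only on constructed copies of the two files (paths below), never
# on the live /etc/dialups and /etc/d_passwd.

DIALUPS_FILE=${DIALUPS_FILE:-${TMPDIR:-/tmp}/dialups.example}
D_PASSWD_FILE=${D_PASSWD_FILE:-${TMPDIR:-/tmp}/d_passwd.example}

# Constructed sample data. csh is deliberately left out of d_passwd so the
# default-entry rule can be exercised; the *HASH strings stand in for the
# encrypted passwords the manual shows as encrypted_password.
make_sample_files() {
    printf '%s\n' /dev/term/a /dev/term/b > "$DIALUPS_FILE"
    printf '%s\n' '/usr/lib/uucp/uucico:uucicoHASH:' \
                  '/usr/bin/ksh:kshHASH:' \
                  '/usr/bin/sh:shHASH:' > "$D_PASSWD_FILE"
}

# Print the d_passwd line whose first field equals $1 (exact match, no regex).
lookup_entry() {
    awk -F: -v s="$1" '$1 == s { print; exit }' "$D_PASSWD_FILE"
}

# True when d_passwd consists solely of "/usr/bin/sh:*:" (dial-up logins off).
dialups_disabled() {
    awk -F: '$1 == "/usr/bin/sh" && $2 == "*" { hit++ }
             END { exit !(hit == 1 && NR == 1) }' "$D_PASSWD_FILE"
}

# Usage: dialup_check <tty device> <login shell field from /etc/passwd>
# Prints exactly one of:
#   nodialup          port is not listed in /etc/dialups
#   disabled          d_passwd holds only /usr/bin/sh:*:
#   required:<line>   the user's own shell entry applies
#   default:<line>    shell missing or empty, /usr/bin/sh entry applies
#   none              no shell entry and no /usr/bin/sh entry: no prompt
dialup_check() {
    port=$1; shell=$2
    grep -qx -- "$port" "$DIALUPS_FILE" || { echo nodialup; return 0; }
    if dialups_disabled; then echo disabled; return 0; fi
    if [ -n "$shell" ]; then
        entry=$(lookup_entry "$shell")
        if [ -n "$entry" ]; then echo "required:$entry"; return 0; fi
    fi
    entry=$(lookup_entry /usr/bin/sh)
    if [ -n "$entry" ]; then echo "default:$entry"; else echo none; fi
}
```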

Restricted Shell

The standard shell allows a user to open files, execute commands, and so on. The restricted shell can be used to limit the ability of a user to change directories, and execute commands. The restricted shell (rsh) is located in the directory /usr/lib. (Note that this is not the remote shell, which is /usr/sbin/rsh.) The restricted shell differs from the normal shell in these ways:
  • The user is limited to the home directory (can't use cd to change directories).
  • The user can use only commands in the PATH set up by the system administrator (can't change the PATH variable).
  • The user can access only files in the home directory and its subdirectories (can't name commands or files using a complete path name).
  • The user cannot redirect output with > or >>.
The restricted shell allows the system administrator to limit a user's ability to stray into the system files, and is intended mainly to set up a user who needs to perform specific tasks. The rsh is not completely secure, however, and is only intended to keep unskilled users from getting into (or causing) trouble.
See the reference page for sh(1) for information about the restricted shell.

Restricting Root Access

The root (or superuser) account is used by the operating system to accomplish basic functions, and has wide-ranging control over the entire operating system. It has access to and can execute essential system programs. For this reason, there are almost no security restraints for any program that is run by root.
The system administrator can protect the root account by restricting root access to a specific device. For example, if root access is restricted to the console, a user can log in to a machine as root only from the console. A user who remotely logs in from another machine to perform an administrative function must first log in as himself and then use the su command to become superuser.

The /etc/default Directory

The /etc/default directory contains ASCII files that are used to control and monitor root access.
  • An entry in the file /etc/default/login determines the root access restrictions.
  • Entries in the file /etc/default/su determine the default conditions of the su command.

    · One entry enables or disables a log of each time the su command is used to change to another user.

    A record of every time the su command is used, who uses it, and when is made in the log file, /var/adm/sulog, enabling you to track who is using the superuser account.

    · Another entry enables or disables a display on the console each time an attempt is made to use the su command to gain root access from a remote system.

For instructions on how to control root access and monitor the superuser log, turn to "How to Monitor and Control su Use" on page 23.

Maintaining a Log of Unsuccessful Login Attempts


You can create a log to keep track of unsuccessful attempts to log in to the computer. After a person makes five consecutive unsuccessful attempts to log in, all these attempts are recorded in the file /var/adm/loginlog (as long as it exists).
If a person makes fewer than five unsuccessful attempts, none of them is logged. If /var/adm/loginlog does not exist, nothing is logged.

Special Logins

There are two common ways to access a machine--by using a conventional user login or by using the root login. In addition, a number of special system logins allow a user to perform administrative commands without using the root account. The administrator assigns passwords to these login accounts.
Table 2-1 lists the system login accounts and their uses. The system logins perform special functions, and each has its own group identifier number (GID). Each of these logins should have its own password, and these passwords should be distributed on a need-to-know basis.
Table 2-1

Login Account   GID   Use
root            0     Has almost no restrictions and overrides all other logins, protections, and permissions. The root account has access to the entire system. The password for the root login should be very carefully protected.
daemon          1     Controls background processing.
bin             2     Owns most of the commands.
sys             3     Owns many system files.
adm             4     Owns certain administrative files.
lp              71    Owns the object and spooled data files for the printer.
uucp            5     Owns the object and spooled data files for UUCP, the UNIX-to-UNIX copy program.
nuucp           9     Is used by remote machines to log in to the system and start file transfers.
You should also set the security of the eeprom to require a password. See the reference page for eeprom(1M) for more information.

Instructions for Securing and Controlling System Access

This section gives instructions on how to use the passwd and login commands to control and track access to accounts on the system. The instructions in this section describe the commands that act upon a local machine. To add and manage user accounts using admintool, see User Accounts, Printers, and Mail Administration. For information about managing and controlling access to the network databases, see NFS Administration Guide and Name Services Administration Guide.

· How to Change, Lock, or Show Status of Passwords


The passwd command enables you to change, delete, or lock a password, as well as enable and disable password aging. You must be superuser to use most of these commands.
To change your own password: * Type passwd and press Return. You are prompted for your old password. Then you are prompted for your new password. The password is not displayed as it is typed, and you must enter the new password again for confirmation.
Code Example 2-1

  example% passwd  
  Changing password for charlie  
  Old password:  
  New password:  
  Retype new password:  
  Password changed for charlie  
  example%  

To change a user's password: * As root, type passwd username and press Return. You are not prompted for the old password. But you are prompted to enter the new password. The password must be entered again for confirmation.
To prevent a user from changing a password: * As root, type passwd -n 10 -x 7 username and press Return. Because min (-n 10) is greater than max (-x 7), the password is locked and cannot be changed. The user can still log in to the machine, but only root can change this password.
To display information about passwords: * As root, type passwd -s username and press Return. The following example displays information about user charlie, if password aging is enabled.

  # passwd -s charlie  
  charlie PS 6/23/94 1 90 7  

(If password aging is not turned on, only the first two fields appear.) The six fields contain the following information:
  • Login name (charlie)
  • Password status (PS), which is one of the following:
    · NP--No password for this login
    · LK--Login is locked
    · PS--Anything else

  • Date the password was last changed (6/23/94)
  • Minimum number of days after the last password change before the user can change the password (1)
  • Maximum number of days between password changes (90)
  • Number of warning days before the password must be changed (7)
Thus, the information obtained for this example shows that there is a password for user charlie that cannot be changed before June 24, 1994 and that must be changed by September 21, 1994. On September 14, 1994, this user will begin seeing a warning message that the password will expire and should be changed.
To display password status for all users: * As root, type passwd -s -a and press Return. Only a privileged user can use the -a option for the passwd command.
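The following shell function is added here as an illustration and is not part of this manual. It takes one line of passwd -s output in the form shown above and computes the three dates the fields imply (earliest change, first warning, deadline) with plain sh and awk, so it works without any particular date command. It assumes, as the manual's examples do, that a two-digit year means 19xx.

```shell
#!/bin/sh
# Added illustration: turn one line of "passwd -s" output into the three
# dates the aging fields imply. Pure sh + awk, no GNU date needed.
# Assumption: a two-digit year is 19xx, as in the manual's 1994 examples.

# Usage: aging_dates "<line as printed by passwd -s username>"
# Prints "<earliest change> <warnings start> <must change by>" as m/d/yy,
# or "aging not enabled (<status>)" when only the two-field form appears.
aging_dates() {
    printf '%s\n' "$1" | awk '
    # Gregorian date -> Julian day number (standard integer algorithm).
    function jdn(m, d, y,    a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    # Julian day number -> m/d/yy (inverse of jdn).
    function civil(j,    a, b, c, d, e, m) {
        a = j + 32044; b = int((4 * a + 3) / 146097); c = a - int(146097 * b / 4)
        d = int((4 * c + 3) / 1461); e = c - int(1461 * d / 4); m = int((5 * e + 2) / 153)
        return sprintf("%d/%d/%02d", m + 3 - 12 * int(m / 10),
                       e - int((153 * m + 2) / 5) + 1,
                       (100 * b + d - 4800 + int(m / 10)) % 100)
    }
    # Without aging, passwd -s prints only the login name and the status.
    NF < 6 { print "aging not enabled (" $2 ")"; exit }
    {
        split($3, t, "/"); y = t[3] + 0; if (y < 100) y += 1900
        base = jdn(t[1] + 0, t[2] + 0, y)
        # $4 = min days, $5 = max days, $6 = warn days
        print civil(base + $4), civil(base + $5 - $6), civil(base + $5)
    }'
}
```

For the manual's example line the function reproduces the dates given in the text: June 24, September 14 and September 21, 1994.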

· How to Enable and Disable Password Aging

To enable password aging: * As root, type the following command:

  passwd -n min -x max -w warn username

This command sets the minimum number of days between password changes (-n min), the number of days the password is valid (-x max), and the number of days before the password expires that the user is warned (-w warn).

Example of Enabling Password Aging

This example sets up password aging for user charlie. User charlie must change his password every 90 days, and must wait a day before he can change it again. Starting seven days before the password expires, passwd prints a warning whenever charlie logs in to his machine.

  # passwd -n 1 -x 90 -w 7 charlie  

To disable password aging: * As root, type passwd -x -1 username and press Return. Setting max to -1 turns off aging.

· How to Force a User to Enter a New Password

* As root, type passwd -f username and press Return. The -f option forces a password change. At next login, the user is prompted for a new password.

· How to Display Login Information

The login commands operate on the local /etc/passwd files and also on the NIS and NIS+ password databases.


To display login status for a user: * Type logins -x -l username and press Return. The information includes the login, UID, GID, user name, home directory, login shell, and password aging information--the date the password was last changed, the number of days required between changes, the number of days allowed before a change is required, and the warning period.

Example of Displaying Login Information

This example displays information about login charlie.

  # logins -x -l charlie  
  charlie          200             200             charlie  
                   /home/charlie  
                   /bin/sh  
                   PS 062392 1 90 7  

To show logins that have no passwords: * Type logins -p and press Return. Use the output of this command to make sure that all users on the system have a valid password.

· How to Enable Login Logging


To enable login logging, create the log file loginlog, with read and write permission for root only, as follows:
  1. As root, type touch /var/adm/loginlog and press Return. This creates the log file loginlog.

  2. Type chmod 600 /var/adm/loginlog and press Return. This sets read and write permissions for root on the file.

  3. Type chgrp sys /var/adm/loginlog and press Return. This sets the group to sys.

The loginlog file may grow quickly. To use the information in this file and to prevent the file from getting too large, you must check and clear its contents occasionally. If this file shows a lot of activity, it may suggest an attempt to break into the computer system. For more information about this file, see loginlog(4).

· How to Set Up Automatic Account Expiration

The usermod and useradd commands work only on the local machine. Use admintool to add a user to the network. See User Accounts, Printers, and Mail Administration.
To set up account expiration for a new account: * As root, type useradd -e mm/dd/yy username and press Return. mm/dd/yy is the date the account will expire.

Example of Setting Up Automatic Account Expiration

The following example sets up a new login, shortterm, which expires on July 31, 1993.

  # useradd -e 07/31/94 shortterm  

To extend a login's expiration date: * As root, type usermod -e newdate username and press Return. newdate is a new expiration date.

  # usermod -e 09/10/94 shortterm  

· How to Disable and Re-Enable Inactive Accounts

To disable an inactive account: * As root, type usermod -f n username and press Return. The -f n option to usermod sets the "inactive" field. A login is considered inactive if a user has not logged in for n number of days. Once the account has been disabled, the user cannot log in until the administrator resets the login account.

Example of Disabling a User Account

This example disables the user account for charlie if it is inactive for 30 days.

  # usermod -f 30 charlie  

To re-enable a disabled account:
  1. As root, type usermod -f 0 username and press Return.

  2. Have the affected user log in again so that the lastlogin date will be updated.

  3. Type usermod -f n username and press Return. This resets the time the account can be inactive.

· How to Create a Dial-Up Password


Caution - When you first establish a dial-up password, be sure to remain logged in on at least one terminal while testing the password on a different terminal. If you make a mistake while installing the extra password and log off to test the new password, you might not be able to log back on. If you are still logged in on another terminal, you can go back and fix your mistake.
You must be root to perform these tasks.
  1. Create an /etc/dialups file.

    This file should contain a list of terminal devices. List all the ports that will require dial-up password protection. The /etc/dialups file should look like this:


  /dev/term/a  
  /dev/term/b  
  /dev/term/c  

  2. Create an /etc/d_passwd file.

    This file should contain the login programs that will require a dial-up password, and the encrypted dial-up password. List all shell programs that a user could be running when he logs in, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should look like this:


  /usr/lib/uucp/uucico:encrypted_password:  
  /usr/bin/csh:encrypted_password:  
  /usr/bin/ksh:encrypted_password:  
  /usr/bin/sh:encrypted_password:  

  3. Type chown root /etc/dialups /etc/d_passwd and press Return. This command sets the owner of both files to root.

  4. Type chgrp root /etc/dialups /etc/d_passwd and press Return. This sets the group of both files to root.

  5. Type chmod 600 /etc/dialups /etc/d_passwd and press Return. This sets the modes of these files to read and write for the owner, root.

  6. Create the encrypted passwords.

    a. Type useradd dummy and press Return. This creates a dummy user.
    b. Type passwd dummy and press Return. This creates a password for the dummy user.
    c. Type grep dummy /etc/shadow > dummy.temp and press Return. This captures the encrypted password.
    d. Edit the file dummy.temp. Open dummy.temp for editing, and delete all fields except the encrypted password (the second field). For example, in the following line, the encrypted password is U9gp9SyA/JlSk.

  dummy:U9gp9SyA/JlSk:7967:::::7988:  

    e. Type userdel dummy and press Return. This deletes the dummy user.

  7. Edit the file /etc/d_passwd.

    Open d_passwd and copy the encrypted password from your dummy.temp file into the password file. You can create a different password for each login shell, or use the same one for each.

    * To temporarily disable dial-up logins, put the following entry by itself into the /etc/d_passwd file:


  /usr/bin/sh:*:  

· How to Monitor and Control su Use


To monitor su use:
  1. Open the file /etc/default/su for editing.

  2. Uncomment the line SULOG=/var/adm/sulog. Whenever the su command is run from a remote system, a message is logged to the file /var/adm/sulog.

To check the superuser log: * Type more /var/adm/sulog and press Return. The log file lists each root access.

Example of /var/adm/sulog File

The /var/adm/sulog file lists all uses of the su command, not only those used to switch user to root. The entries show the date and time the command was entered, whether or not it was successful (+ or -), the port from which the command was issued, and finally, the name of the user and the switched identity.
Note that user rar first switched user to charlie and then from charlie to root.

  # more /var/adm/sulog  
  SU 10/23 16:41 - pts/3 rar-root  
  SU 10/23 16:41 + pts/3 jjones-root  
  SU 10/23 19:07 + pts/0 rar-charlie  
  SU 10/23 19:08 + pts/0 charlie-root  
  SU 10/23 19:16 + console root-root  
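The shell functions below are added here as an illustration and are not part of this manual. They read a sulog in the format shown and pull out what an administrator reviewing the log wants to see: failed attempts, successful switches to root from anywhere but the console, and indirect paths to root such as the rar to charlie to root chain noted above. They run against a constructed copy of the listing; setting SULOG to the real file points them at live data. The from-to split assumes user names contain no hyphen.

```shell
#!/bin/sh
# Added illustration (not from the manual): summarise /var/adm/sulog entries.
# Runs on a constructed copy by default; export SULOG=/var/adm/sulog on a
# Solaris host to review the real log. Assumes user names contain no "-".

SULOG=${SULOG:-${TMPDIR:-/tmp}/sulog.example}

# Constructed sample, same layout as the chapter's listing:
#   SU <mm/dd> <hh:mm> <+|-> <port> <from>-<to>
make_sample_sulog() {
    cat > "$SULOG" <<'EOF'
SU 10/23 16:41 - pts/3 rar-root
SU 10/23 16:41 + pts/3 jjones-root
SU 10/23 19:07 + pts/0 rar-charlie
SU 10/23 19:08 + pts/0 charlie-root
SU 10/23 19:16 + console root-root
EOF
}

# Failed su attempts (the "-" field): one "<from> -> <to> on <port>" per line.
failed_su() {
    awk '$1 == "SU" && $4 == "-" { split($6, u, "-"); print u[1] " -> " u[2] " on " $5 }' "$SULOG"
}

# Successful switches to root that did not happen on the console.
remote_root_su() {
    awk '$1 == "SU" && $4 == "+" && $5 != "console" {
             split($6, u, "-"); if (u[2] == "root") print u[1] " on " $5 }' "$SULOG"
}

# Failed attempts per originating user ("user count" per line), which makes
# a port repeatedly trying for root stand out.
failed_by_user() {
    awk '$1 == "SU" && $4 == "-" { split($6, u, "-"); n[u[1]]++ }
         END { for (k in n) print k, n[k] }' "$SULOG" | sort
}

# Indirect routes to root: a successful su to some user X on a port, followed
# on the same port by a successful su from X to root.
indirect_root() {
    awk '$1 == "SU" && $4 == "+" {
             split($6, u, "-")
             if (u[2] != "root") via[$5 ":" u[2]] = u[1]
             else if (($5 ":" u[1]) in via)
                 print via[$5 ":" u[1]] " -> " u[1] " -> root on " $5
         }' "$SULOG"
}
```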

To display each instance of su root to the console:
  1. Open the file /etc/default/su for editing.

  2. Uncomment the line CONSOLE=/dev/console. Whenever the su root command is run from a remote system, a message is printed on the system console.

· How To Restrict Root Login to the Console

  1. Open the file /etc/default/login for editing.

  2. Uncomment the line CONSOLE=/dev/console. This restricts root access to the console. Any user who tries to remotely log in to a system must first log in as himself, and then use the su command to become root.