System Administration Guide, Volume II

Securing Systems


This chapter describes the procedures for securing systems. This is a list of the step-by-step instructions in this chapter.
How to Display a User's Login Status, page 1224
How to Display Users With No Passwords, page 1225
How to Save Failed Login Attempts, page 1226
How to Create a Dial-up Password, page 1227
How to Temporarily Disable Dial-up Logins, page 1229
How to Restrict Root Login to the Console, page 1229
How to Monitor Who Is Using the su Command, page 1229
How to Display Root Access Attempts to the Console, page 1230
For overview information about securing systems, see "System Security" on page 1165.

· How to Display a User's Login Status

  1. Become root.

  2. Display a user's login status by using the logins command.


  # logins -x -l username  

In this command,
-x            Displays an extended set of login status information.
-l username   Displays login status for the specified user. username is a user's login name. Multiple login names must be specified as a comma-separated list.
The logins command uses the local /etc/passwd file and the NIS or NIS+ password databases to obtain a user's login status.

Example--Displaying a User's Login Status

The following example displays login status for the user rimmer.

  # logins -x -l rimmer  
  rimmer           500     staff           10      Arnold J. Rimmer  
                          /export/home/rimmer  
                          /bin/sh  
                          PS 010170 10 7 -1  

In this example,
rimmer                      Identifies the user's login name.
500                         Identifies the UID (user ID).
staff                       Identifies the user's primary group.
10                          Identifies the GID (group ID).
Arnold J. Rimmer            Identifies the comment.
/export/home/rimmer         Identifies the user's home directory.
/bin/sh                     Identifies the login shell.
PS 010170 10 7 -1           Specifies the password status and aging information. PS indicates that a password is set (NP would mean no password, LK a locked account); the four values that follow are:

  · last date password was changed
  · the number of days required between changes
  · the number of days allowed before a change is required
  · the warning period

· How to Display Users With No Passwords

You should make sure that all users have a valid password.
  1. Become root.

  2. Display users that have no passwords by using the logins command.


  # logins -p  

In this command,
-p            Displays a list of users with no passwords.
The logins command uses the local /etc/passwd file and the NIS or NIS+ password databases to obtain a user's login status.

Example--Displaying Users With No Passwords

The following example shows that the user pmorph does not have a password.

  # logins -p  
  pmorph          501     other           1       Polly Morph  
  #  
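The same check, run offline against a saved copy of the shadow file, as an added example that is not part of this manual. It assumes the Solaris shadow(4) field layout (name:password:lastchg:min:max:warn:...) and uses only sh and awk, so it can be run on a copy taken from a system that is no longer reachable. Beyond what logins -p reports, it also flags accounts that have a password but no maximum password age, which the PS aging fields of logins -x would otherwise have to be read one user at a time. The sample entries are constructed for the example.

```sh
#!/bin/sh
# Added example: offline audit of a copied /etc/shadow.
# Assumes the Solaris shadow(4) layout:
#   name:password:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample shadow entries (not taken from a real system).
SAMPLE_SHADOW='root:U9gp9SyA/JlSk:7967::::::
rimmer:kx8Jp2s/Wz1Lq:10:7:90:10:::
pmorph::7967::::::
nobody:NP:6445::::::
uucp:*LK*:7967::::::'

# Print the login name of every account whose password field is empty.
# Such an account can log in with no password at all, which is what
# `logins -p` reports.
no_password_users() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print accounts that can log in with a password (the field is neither
# empty, nor NP, nor a *LK*-style lock marker) but have no maximum
# password age set, so the password is never forced to change.
# Field layout: $3 lastchg, $4 min, $5 max, $6 warn.
no_aging_users() {
    printf '%s\n' "$1" | awk -F: '
        $2 != "" && $2 != "NP" && $2 !~ /^\*/ && $5 == "" { print $1 }'
}

# Usage: pass the contents of the saved shadow file as one argument,
# for example: no_password_users "$(cat /secure/copies/shadow)"
no_password_users "$SAMPLE_SHADOW"   # pmorph
no_aging_users "$SAMPLE_SHADOW"      # root
```

Run it as root against a copy kept in a root-only directory; the copy contains password hashes and needs the same 600 permissions as the original.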

· How to Save Failed Login Attempts

  1. Become root.

  2. Create the loginlog file in the /var/adm directory.


  # touch /var/adm/loginlog  

  3. Set read and write permissions for root on the loginlog file.


  # chmod 600 /var/adm/loginlog  

  4. Change group membership to sys on the loginlog file.


  # chgrp sys /var/adm/loginlog  

Verification--Saving Failed Login Attempts

To make sure the log works, attempt to log in to the system with the wrong password five times in a row after the loginlog file is created; login records the attempts only after five consecutive failures, so fewer attempts leave the file empty. Then display the /var/adm/loginlog file.

  # more /var/adm/loginlog  
  pmorph:/dev/pts/0:Fri Jan 13 08:55:23 1995  
  pmorph:/dev/pts/0:Fri Jan 13 08:55:31 1995  
  pmorph:/dev/pts/0:Fri Jan 13 08:55:39 1995  
  pmorph:/dev/pts/0:Fri Jan 13 08:55:50 1995  
  pmorph:/dev/pts/0:Fri Jan 13 08:56:00 1995  
  #  
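Once the file fills up, the question is who is failing and from where. The following is an added example, not part of this manual, that summarizes loginlog entries of the form login-name:tty-device:date shown above. It is plain sh and awk; the sample lines are constructed and the threshold of five matches the number of consecutive failures needed before login writes to the file.

```sh
#!/bin/sh
# Added example: summarize /var/adm/loginlog.
# Each line is login-name:tty-device:date (one line per failed attempt).
# Note that the date itself contains colons, so only the first two
# colon-separated fields are taken by position.

# Constructed sample loginlog contents (not a real capture).
SAMPLE_LOGINLOG='pmorph:/dev/pts/0:Fri Jan 13 08:55:23 1995
pmorph:/dev/pts/0:Fri Jan 13 08:55:31 1995
pmorph:/dev/pts/0:Fri Jan 13 08:55:39 1995
pmorph:/dev/pts/0:Fri Jan 13 08:55:50 1995
pmorph:/dev/pts/0:Fri Jan 13 08:56:00 1995
root:/dev/term/a:Fri Jan 13 09:02:10 1995
root:/dev/term/a:Fri Jan 13 09:02:15 1995
root:/dev/term/a:Fri Jan 13 09:02:21 1995
root:/dev/term/a:Fri Jan 13 09:02:27 1995
root:/dev/term/a:Fri Jan 13 09:02:33 1995
root:/dev/term/a:Fri Jan 13 09:02:40 1995
root:/dev/term/a:Fri Jan 13 09:02:47 1995
rimmer:/dev/pts/1:Sat Jan 14 22:10:02 1995'

# Failed attempts per login name, most frequent first: "count name".
failures_by_user() {
    printf '%s\n' "$1" |
        awk -F: '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Login names with at least $2 failures (default 5), one per line.
suspicious_users() {
    printf '%s\n' "$1" | awk -F: -v t="${2:-5}" '
        { n[$1]++ }
        END { for (u in n) if (n[u] >= t) print u }' | sort
}

# Failed root logins per device, excluding the console: "count device".
# With CONSOLE=/dev/console set, root should never be typing a password
# on any other device, so these are worth a look regardless of count.
root_failures_by_device() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" && $2 != "/dev/console" { n[$2]++ }
        END { for (d in n) print n[d], d }' | sort -rn
}

# Every attempt for one user as "device date", reconstructing the date
# by stripping the first two fields instead of re-joining split pieces.
attempts_for_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { line = $0; sub(/^[^:]*:[^:]*:/, "", line); print $2, line }'
}

# Usage: replace the sample with "$(cat /var/adm/loginlog)".
failures_by_user "$SAMPLE_LOGINLOG"
suspicious_users "$SAMPLE_LOGINLOG"
root_failures_by_device "$SAMPLE_LOGINLOG"
```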

· How to Create a Dial-up Password


  1. Become root.

  2. Create an /etc/dialups file containing a list of terminal devices, including all the ports that will require dial-up password protection. The /etc/dialups file should look like this:

  /dev/term/a
  /dev/term/b
  /dev/term/c

  3. Create an /etc/d_passwd file containing the login programs that will require a dial-up password, and the encrypted dial-up password. Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should look like this:

  /usr/lib/uucp/uucico:encrypted_password:
  /usr/bin/csh:encrypted_password:
  /usr/bin/ksh:encrypted_password:
  /usr/bin/sh:encrypted_password:

See steps 7 and 8 for information on how to obtain the encrypted passwords.
  4. Set ownership to root on the two files.


  # chown root /etc/dialups /etc/d_passwd  

  5. Set group ownership to root on the two files.


  # chgrp root /etc/dialups /etc/d_passwd  

  6. Set read and write permissions for root on the two files.


  # chmod 600 /etc/dialups /etc/d_passwd  

  7. Create the encrypted passwords.

    a. Create a temporary user.

  # useradd user-name  

    b. Create a password for the temporary user.

  # passwd user-name  

    c. Capture the encrypted password. Anchor the pattern so that only the temporary user's entry matches, not another login name that happens to contain the same string.

  # grep "^user-name:" /etc/shadow > user-name.temp  

    d. Edit the user-name.temp file. Delete all fields except the encrypted password (the second field). For example, in the following line, the encrypted password is U9gp9SyA/JlSk. Because the file holds the encrypted password, keep it readable by root only and remove it after step 8.

  temp:U9gp9SyA/JlSk:7967:::::7988:  

    e. Delete the temporary user.

  # userdel user-name  

  8. Copy the encrypted password from the user-name.temp file into the /etc/d_passwd file.

    You can create a different password for each login shell, or use the same one for each.
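Steps 6 through 8 can be done without hand-editing the captured line, which is where a stray field or an empty password field is easily copied into /etc/d_passwd. The script below is an added example, not part of this manual: it extracts the second field of the shadow entry, refuses an empty field or a lock marker, writes one d_passwd line per login program, and creates the file with root-only permissions from the start rather than tightening them afterwards. It assumes the shadow(4) and d_passwd(4) layouts shown in this procedure; the shadow line and the output path are constructed for the example.

```sh
#!/bin/sh
# Added example: build /etc/d_passwd entries from the temporary user's
# shadow entry (steps 6c, 6d and 8 of the procedure).
# Assumes shadow(4) lines name:password:lastchg:... and d_passwd(4)
# lines login-program:encrypted-password: (one per line).

# Constructed shadow line for the temporary user, as captured in step 6c.
SAMPLE_SHADOW_LINE='temp:U9gp9SyA/JlSk:7967:::::7988:'

# Output path for the example run; the real file is /etc/d_passwd.
D_PASSWD_EXAMPLE="${TMPDIR:-/tmp}/d_passwd.example"

# Print the encrypted password (second colon-separated field).
# Fails when the field is empty, NP, or a *LK*-style lock marker:
# an empty field would protect nothing, a lock marker would disable
# dial-up logins, and neither is what step 8 intends.
shadow_hash() {
    hash=$(printf '%s\n' "$1" | awk -F: '{ print $2 }')
    case "$hash" in
        ''|NP|\**)
            echo "no usable encrypted password in: $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$hash"
}

# Emit one d_passwd line per login program, all sharing one password.
# Usage: d_passwd_entries HASH /usr/lib/uucp/uucico /usr/bin/sh ...
d_passwd_entries() {
    hash=$1; shift
    for prog in "$@"; do
        printf '%s:%s:\n' "$prog" "$hash"
    done
}

# Write the file so it is never world-readable, even briefly:
# umask 077 in a subshell creates it mode 600 (steps 4 to 6 in one go).
# Ownership can only be set when running as root, as the procedure does.
write_d_passwd() {
    file=$1; shift
    ( umask 077; d_passwd_entries "$@" > "$file" )
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$file"
        chgrp root "$file"
    fi
    chmod 600 "$file"
}

# Example run against the constructed line.
HASH=$(shadow_hash "$SAMPLE_SHADOW_LINE") || exit 1
write_d_passwd "$D_PASSWD_EXAMPLE" "$HASH" \
    /usr/lib/uucp/uucico /usr/bin/csh /usr/bin/ksh /usr/bin/sh
cat "$D_PASSWD_EXAMPLE"
```

When run as root with the real shadow line and /etc/d_passwd as the target, the result is the file shown in step 3 with the placeholder replaced by the captured password; the temporary user is still deleted as in step 7e.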

· How to Temporarily Disable Dial-up Logins

  1. Become root.

  2. Put the following entry by itself into the /etc/d_passwd file. Save the existing entries first so that they can be restored when dial-up logins are enabled again.


  /usr/bin/sh:*:  

· How to Restrict Root Login to the Console

  1. Become root.

  2. Edit the /etc/default/login file.

  3. Uncomment the following line.


  CONSOLE=/dev/console  

With this line in effect, root can log in only on the console device. Any user who tries to log in to this system remotely must first log in with their own user login, and then use the su command to become root.

Verification--Restricting Root Login to the Console

Attempt to log in remotely as root to this system, and verify that the operation fails.

· How to Monitor Who Is Using the su Command

  1. Become root.

  2. Edit the /etc/default/su file.

  3. Uncomment the following line.


  SULOG=/var/adm/sulog  

Verification--Monitoring Who Is Using the su Command

After modifying the /etc/default/su file, use the su command several times and display the /var/adm/sulog file. You should see an entry for each time you used the su command.

  # more /var/adm/sulog  
  SU 12/20 16:26 + pts/0 nathan-root  
  SU 12/21 10:59 + pts/0 nathan-root  
  SU 01/12 11:11 + pts/0 root-joebob  
  SU 01/12 14:56 + pts/0 pmorph-root  
  SU 01/12 14:57 + pts/0 pmorph-root  
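The interesting entries in a long sulog are the failed attempts (marked "-" rather than "+") and the pattern of who becomes root and how often. The following is an added example that is not part of this manual; it reads entries of the form SU mm/dd hh:mm +|- tty from-user-to-user shown above, with sh and awk only, and the sample lines are constructed (the "-" entries are not from the manual's output).

```sh
#!/bin/sh
# Added example: pick out the entries that matter from /var/adm/sulog.
# Each line has the form: SU mm/dd hh:mm +|- tty from-user-to-user,
# where "+" marks a successful su and "-" a failed one.

# Constructed sample sulog contents (not a real capture).
SAMPLE_SULOG='SU 12/20 16:26 + pts/0 nathan-root
SU 12/21 10:59 + pts/0 nathan-root
SU 01/12 11:11 + pts/0 root-joebob
SU 01/12 14:56 + pts/0 pmorph-root
SU 01/12 14:57 - pts/1 pmorph-root
SU 01/12 14:58 - pts/1 pmorph-root
SU 01/13 09:40 + console rimmer-root'

# Failed attempts as "mm/dd hh:mm tty from-to", in log order.
failed_su() {
    printf '%s\n' "$1" | awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }'
}

# Successful escalations to root per originating user, most first:
# "count user". The from-to field is split at its last "-", so a
# hyphenated source login name is still handled; root-joebob (root
# dropping to a user) is not counted.
root_su_by_user() {
    printf '%s\n' "$1" | awk '
        $1 == "SU" && $4 == "+" {
            i = match($6, /-[^-]*$/)
            src = substr($6, 1, i - 1)
            dst = substr($6, i + 1)
            if (dst == "root") c[src]++
        }
        END { for (u in c) print c[u], u }' | sort -rn
}

# Usage: replace the sample with "$(cat /var/adm/sulog)".
echo "failed su attempts:"
failed_su "$SAMPLE_SULOG"
echo "successful su to root, by user:"
root_su_by_user "$SAMPLE_SULOG"
```

A burst of "-" lines for one user from one tty, followed by a "+" line, is the sequence to look for: a guessed root password rather than a mistyped one.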

· How to Display Root Access Attempts to the Console

  1. Become root.

  2. Edit the /etc/default/su file.

  3. Uncomment the following line.


  CONSOLE=/dev/console  

Verification--Displaying Root Access Attempts to the Console

Use the su command to become root, and verify that a message is printed on the system console.