November 9, 2006

Unix Commands

Managing Login and Access Control

All accounts on the system must have a password. Any account without a password allows unauthorized access to the local host and to the entire network.
The pwconv command: The pwconv command creates and updates the /etc/shadow file with information from the /etc/passwd file.
The pwconv command relies on the special value 'x' in the password field of /etc/passwd. The 'x' indicates that the password for the user already exists in the /etc/shadow file.
If the /etc/shadow file does not exist, pwconv creates it with the information from /etc/passwd.

If the /etc/shadow file does exist, the following tasks are performed:
Entries that are in the /etc/passwd file and not in the /etc/shadow file are added to the shadow file.
Entries that are in the /etc/shadow file and not in the /etc/passwd file are removed from the shadow file.
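The following script is an added example, not part of the original post, that shows the two pwconv rules above as a read-only audit: it lists which entries would be added to and removed from shadow, and also flags accounts whose shadow password field is empty, the condition the first paragraph warns about. It works on constructed copies of passwd and shadow in a temporary directory, never on the live files; the account names and hash strings are made up.

```shell
# Added example (not from the original post): audit constructed passwd/shadow
# copies the way pwconv compares them, and flag accounts with no password.
set -u
export LC_ALL=C

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed sample data (not real accounts). user3 has no shadow entry,
# olduser exists only in shadow, and guest has an empty password field.
cat > "$PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
user2:x:1001:10:User Two:/home/user2:/bin/ksh
user3:x:1002:10:User Three:/home/user3:/bin/ksh
guest:x:1003:10:Guest:/home/guest:/bin/sh
EOF

cat > "$SHADOW" <<'EOF'
root:SoMeHaSh:13000::::::
user2:AnOtHeRhAsH:13000::::::
olduser:StAlEhAsH:12000::::::
guest::13000::::::
EOF

# Login names present in the first file but absent from the second.
names_only_in() {
    cut -d: -f1 "$1" | sort > "$WORK/a"
    cut -d: -f1 "$2" | sort > "$WORK/b"
    comm -23 "$WORK/a" "$WORK/b"
}

# Entries pwconv would add to shadow: in passwd but not in shadow.
to_add()    { names_only_in "$PASSWD" "$SHADOW"; }

# Entries pwconv would remove from shadow: in shadow but not in passwd.
to_remove() { names_only_in "$SHADOW" "$PASSWD"; }

# Accounts whose shadow password field is empty: anyone can log in as them.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$SHADOW"
}

# passwd entries whose password field is not the 'x' marker, i.e. a hash
# (or nothing) still sits in the world-readable file.
not_shadowed() {
    awk -F: '$2 != "x" { print $1 }' "$PASSWD"
}

echo "would add to shadow:      $(to_add | tr '\n' ' ')"
echo "would remove from shadow: $(to_remove | tr '\n' ' ')"
echo "empty password field:     $(empty_passwords | tr '\n' ' ')"
echo "not using shadow marker:  $(not_shadowed | tr '\n' ' ')"
```

Run it as an ordinary user; on a real system the same functions can be pointed at /etc/passwd and /etc/shadow by root, and any name printed by empty_passwords should be locked or given a password before anything else.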

Recording Failed Login Attempts

When a user logs in to a system, locally or remotely, from the command line only, the login program consults the /etc/passwd and /etc/shadow files to authenticate the user by verifying the user name and password entered.
If the user provides a login ID name from the /etc/passwd file and the correct password for that login name, the login program grants access to the system. If the user name is not in the /etc/passwd file or the password is not correct for the user name, the login program denies access to the system.

You can save failed login attempts to a file, which is useful for determining whether attempts are being made to break into a system.
Failed login attempts can be recorded in the file /var/adm/loginlog. By default, the loginlog file does not exist. To enable logging, you must create this file with read and write permissions for root only.

# touch /var/adm/loginlog

All failed login activity is written to this file automatically after five failed attempts.
The loginlog contains one entry for each of the failed attempts. Each entry contains the user's login name, TTY device, and time of the failed attempt. If there are fewer than five failed attempts, no activity is logged to this file.
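The script below is an added example and not from the original post. It creates a loginlog file with owner-only read and write permission as the text requires, checks that the resulting mode is exactly rw-------, and then summarises entries per login name and flags names tried from more than one TTY. It runs in a temporary directory so no root privilege is needed; the entry layout assumed here, login name, TTY and timestamp separated by colons, follows the Solaris loginlog(4) format, and the entries themselves are constructed.

```shell
# Added example (not from the original post): create a root-only loginlog,
# verify its mode, and summarise constructed failed-login entries.
set -u
export LC_ALL=C

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/loginlog"

# Create the file empty, then restrict it to the owner (root on a real system).
create_loginlog() {
    : > "$1"
    chmod 600 "$1"
}

# Returns 0 when the permission string is exactly rw------- (mode 600).
perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Number of recorded failed attempts per login name. The text notes that
# entries appear only once a session reaches five failures, so each block
# of five below stands for one such session.
attempts_per_user() {
    awk -F: '{ n[$1]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Login names that were tried from more than one TTY device.
multi_tty_users() {
    awk -F: '!seen[$1 ":" $2]++ { t[$1]++ }
             END { for (u in t) if (t[u] > 1) print u }' "$1" | sort
}

create_loginlog "$LOG"

# Constructed sample entries (not a real log), assumed loginlog(4) layout:
# five failures against root from one TTY, five against user9 from two.
cat > "$LOG" <<'EOF'
root:/dev/pts/3:Thu Nov  9 08:15:01 2006
root:/dev/pts/3:Thu Nov  9 08:15:04 2006
root:/dev/pts/3:Thu Nov  9 08:15:07 2006
root:/dev/pts/3:Thu Nov  9 08:15:10 2006
root:/dev/pts/3:Thu Nov  9 08:15:13 2006
user9:/dev/pts/7:Thu Nov  9 09:02:11 2006
user9:/dev/pts/7:Thu Nov  9 09:02:15 2006
user9:/dev/pts/7:Thu Nov  9 09:02:19 2006
user9:/dev/console:Thu Nov  9 09:03:40 2006
user9:/dev/console:Thu Nov  9 09:03:44 2006
EOF

perms_ok "$LOG" && echo "loginlog permissions ok"
echo "failed attempts per user:"
attempts_per_user "$LOG"
echo "users tried from more than one tty:"
multi_tty_users "$LOG"
```

Because the file is written by login as root and records which account names are being guessed, keeping it at mode 600 matters as much as creating it: perms_ok is the check to run after the touch, and again from any periodic audit.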

**************************************************************************************
Monitoring System Access

All systems should be monitored routinely for unauthorized user access. Use the who command to see who is on the system. It looks in
the /var/adm/utmpx file to obtain this information.
The who command displays a list of users currently logged on to the local system, with their login name, login device (TTY port), login date
and time, and the elapsed time since last activity. If a user is logged on remotely, the remote hostname for that user is displayed.
Displaying Users on the System
To display the users who are currently on the system, execute the who command:

# who
user2 console May 24 10:17 (:0)
user5 pts/3 May 24 17:36 (:0.0)
user9 pts/7 May 24 08:21 (:0.0)
#

Login Device Types

The second field displayed by the who command defines the user's login device, which can be one of the following:
console – The device used to display system boot and error messages.
pts – The pseudo device that represents a login or window session without a physical device. Remote logins are represented by this type of device.
term – A device physically connected to a serial port, such as a terminal or a modem.

Displaying User Information

To display detailed information about users either locally or remotely, use the finger command.
Command Format:

finger -m username
finger -m username@remotehostname

-m – Match arguments only on username (not first or last name).
The finger command displays the user's login name, home directory path, login time, login device name, data contained in the comment field of the /etc/passwd file (usually the user's full name), login shell, and the name of the host if logged in remotely.

To display user information, execute the following:
# finger user9
Login name: user9 In real life: user9’s Account
Directory: /home/user9 Shell: /bin/ksh
On since Apr 14 08:57:37 on console from :0
No unread mail
No Plan.

If a user creates the standard ASCII files .plan or .projects in their home directories, the content of those files is shown as part of the
output of the finger command.
These files are traditionally used to outline a user’s current plans or projects, and must be created with file access permissions set to 644 (rw-r--r--).

**************************************************************************************
Displaying a Record of Login Activity

Use the last command to display a record of all logins and logouts with the most recent activity at the top of the output. It looks in the /var/adm/wtmpx file, which records all logins and logouts.
Each entry includes user name, the login device, host logged in from, date and time logged in, time of log out, and total login time in hours and minutes, including entries for system reboot times.
The following is an example of the last command:
# last
user1 pts/4 host1 Fri Dec 18 10:24 - 11:00 (00:36)
user9 pts/7 host1 Tue Dec 8 09:39 - 09:49 (00:10)
user5 pts/12 host1 Thu Dec 3 15:16 - 15:18 (00:02)
reboot system boot Wed Dec 2 08:44
root console :0 Tue Dec 1 15:12 - 15:12 (00:00)
user8 pts/3 host1 Tue Dec 1 16:13 - 16:39 (00:26)

The last command can also display information about an individual user, for example:
# last user9
user9 pts/7 host1 Tue Dec 8 09:39 - 09:49 (00:10)

To view system reboot times only, execute the following command:
# last reboot
reboot system boot Fri Feb 11 10:15
reboot system boot Wed Jan 26 14:58
reboot system boot Mon Jan 3 16:30
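Here is an added example, not part of the original post, of turning last output into something a routine access review can act on. It reads a constructed block of text in the same layout last prints (the entries from the example above plus one extra session), totals login time per user from the (hh:mm) field, lists sessions whose source host is not in an assumed list of expected hosts, and names users seen from more than one host. The EXPECTED_HOSTS list and the added host7 session are assumptions for the illustration.

```shell
# Added example (not from the original post): summarise last-style output.
set -u
export LC_ALL=C

# Constructed sample in the layout last prints:
# user tty host day mon date in - out (hh:mm); reboot lines have no duration.
LAST_OUTPUT='user1 pts/4 host1 Fri Dec 18 10:24 - 11:00 (00:36)
user9 pts/7 host1 Tue Dec 8 09:39 - 09:49 (00:10)
user5 pts/12 host1 Thu Dec 3 15:16 - 15:18 (00:02)
reboot system boot Wed Dec 2 08:44
root console :0 Tue Dec 1 15:12 - 15:12 (00:00)
user8 pts/3 host1 Tue Dec 1 16:13 - 16:39 (00:26)
user9 pts/9 host7 Tue Dec 1 02:05 - 02:50 (00:45)'

# Assumed: hosts (or local displays) that logins are normally expected from.
EXPECTED_HOSTS="host1 :0"

# Total minutes logged in per user, taken from the (hh:mm) field.
# Reboot lines and sessions without a closing time are skipped.
minutes_per_user() {
    printf '%s\n' "$LAST_OUTPUT" |
    awk '$1 != "reboot" && $NF ~ /^\([0-9]+:[0-9]+\)$/ {
             split(substr($NF, 2, length($NF) - 2), t, ":")
             m[$1] += t[1] * 60 + t[2]
         }
         END { for (u in m) print u, m[u] }' | sort
}

# Sessions whose source host is not in EXPECTED_HOSTS, as "user tty host".
unexpected_hosts() {
    printf '%s\n' "$LAST_OUTPUT" |
    awk -v ok="$EXPECTED_HOSTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 != "reboot" && !($3 in allowed) { print $1, $2, $3 }' | sort
}

# Users who logged in from more than one distinct host.
multi_host_users() {
    printf '%s\n' "$LAST_OUTPUT" |
    awk '$1 != "reboot" && !seen[$1 " " $3]++ { h[$1]++ }
         END { for (u in h) if (h[u] > 1) print u }' | sort
}

echo "minutes logged in per user:"
minutes_per_user
echo "sessions from unexpected hosts:"
unexpected_hosts
echo "users seen from more than one host:"
multi_host_users
```

On a live system replace the constructed LAST_OUTPUT with the real command output (for example LAST_OUTPUT=$(last)); the three functions then need no change. A session from an unlisted host at 02:05 is exactly the kind of entry that deserves a follow-up with the account owner.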

Displaying Users on Remote Systems

The rusers command produces output similar to the who command, but displays users logged in on remote hosts. The list is displayed in the order in which the responses are received from the hosts, showing the user's name and the host's name.

A remote host responds to the rusers command only if its rpc.rusersd daemon is enabled. This is the network server daemon that returns the list of users on the remote host.
Command Format:
rusers [ -l ]

The rusers -l command displays a list of login names of users who are logged in on remote systems, along with the name of the system a user is logged into, the TTY port (login device), the month, date, login time, and idle time. If the user is not idle, no time is displayed in the last field.
For example:
# rusers -l

user8 remotehost1:pts/4 Feb 22 11:48 27 (:0)
root remotehost1:console Feb 22 09:31 28:10 (:0)
user4 remotehost5:pts/12 Feb 22 8:00 1:43 (:0)
user6 remotehost2:console Feb 22 13:41 9 (:0)


**************************************************************************************
