System Login Options

You can set the login options described in this section to enhance security.

Login options are set in the file /etc/default/login, which is a normal text file. The file contains one option specification per line. The options are described in the rest of this section.

Because the login procedure is your system's main defense against unauthorized access, login options are important. For example, you can determine whether someone is trying to break into your system from a pattern of failed login attempts recorded in /var/adm/SYSLOG (when logging is enabled).

The best way to keep a system secure is to slow down attempts to guess passwords and account names. The login options described in this section add delays to unsuccessful login attempts, which drastically slows down the process of randomly guessing passwords.

See the login(1) reference page for further details.

Note that the visual login process clogin(1) does not provide these security options. To use the login security functions, you must turn off clogin and use the standard login processes, getty(1) and login(1). Use chkconfig to turn off the visuallogin and xdm configuration variables. See "IRIX Admin: System Configuration and Operation" and the visuallogin(4) reference page for information about turning the visual login process on and off. You may also use chkconfig to set the noiconlogin variable to disallow logging in using the user icons in clogin.


Restricting root Logins

You can restrict root logins to a single device, forcing root users to either use that device or use the su command (thereby leaving a trail in /var/adm/sulog). For example, edit /etc/default/login to include the following line to restrict root logins to the system console:

CONSOLE=/dev/console

Note: Do not name /dev/syscon or /dev/systty as the device!


Maximum Login Attempts (MAXTRYS)

MAXTRYS is the number of times you let a login attempt fail before suspending the login. Setting this parameter slows attempts by unauthorized persons to break into a system. A common method of breaking into a system is to try to guess the password of a known account. This method is most successful if the person trying to break in knows the names of as many accounts as possible, and can make guesses very quickly. If you introduce a delay in the login process after a certain number of failed login attempts on the same tty line, you can make it much more time-consuming to guess a correct password.

To set the maximum number of login attempts, edit the file /etc/default/login. Place a line similar to this in the file:

MAXTRYS=3

This sets the maximum number of login attempts to three. The system default, without this option set, is five.

When the maximum number of login attempts is exceeded, the login program sleeps for a certain number of seconds (the DISABLETIME variable described in the next section), thus preventing further login attempts on that line for a while. The system default delay (DISABLETIME) is 20 seconds.

Following is an example login attempt that is disabled after three retries:

login: guest
password:
Login incorrect
login: guest
password:
Login incorrect
login: guest
password:
Login incorrect

At this point, no further login prompts are displayed until the period of time specified by DISABLETIME has passed.


Length of Time to Disable a Line (DISABLETIME)

Use this option along with the MAXTRYS option. To set the number of seconds after a certain number of unsuccessful login attempts that a line is disabled, edit the file /etc/default/login and add a line similar to this:

DISABLETIME=30

This disables a line for 30 seconds. You can choose any value you consider appropriate for your system. The system default is 20 seconds.


Recording Login Attempts

You can record both successful and unsuccessful login attempts in the file /var/adm/SYSLOG. To record all attempts to log in, place this line in the file /etc/default/login:

SYSLOG=ALL

To record only unsuccessful attempts, place this line in the login file:

SYSLOG=FAIL

A large number of failed logins, especially with the same account name, may indicate that someone is trying to break into that account and thus into the system.


Forcing a Password

To force users who do not have passwords for their accounts to choose their passwords immediately, add this line to the file /etc/default/login:

PASSREQ

Or, insert the following entry instead:

MANDPASS=YES

This prevents users from logging in if they do not already have a password.


Displaying the Last Login Time

Users can help maintain system security by noticing unauthorized use of their accounts. By default, the most recent login date, time, and the name of the terminal line (tty name) or remote host from which the user logged in are displayed on login. This login information is recorded in files, one per user account and with the same name as the account, in the directory /var/adm/lastlog.

Users can stop the last login information from being displayed by creating a .hushlogin file in their home directory, but they should be discouraged from doing so. Remind them periodically to check this information each time they log in for anything unusual.
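The following script audits an /etc/default/login file against the CONSOLE, MAXTRYS, DISABLETIME, SYSLOG, PASSREQ and MANDPASS options described in the sections above, reporting the effective values (falling back to the documented defaults of five tries and 20 seconds) and flagging the settings that are unset or that name a device the note warns against. It is an added example, not part of the IRIX documentation, and assumes only the file format the text states: one option per line, either KEY=VALUE or a bare keyword such as PASSREQ.

```shell
#!/bin/sh
# Audit an /etc/default/login file for the options covered above.
# Added example, not from the IRIX documentation. Assumes the format the
# text describes: one option per line, KEY=VALUE or a bare keyword (PASSREQ).

# get_opt FILE KEY: print KEY's value, "set" for a bare keyword, or nothing.
get_opt() {
    sed -n -e "s/^[[:space:]]*$2=\([^[:space:]]*\).*$/\1/p" \
           -e "s/^[[:space:]]*$2[[:space:]]*$/set/p" "$1" | head -n 1
}

# audit_login FILE: print findings and the effective MAXTRYS/DISABLETIME;
# the return value is the number of findings (0 means nothing to report).
audit_login() {
    f="$1"; n=0
    maxtrys=$(get_opt "$f" MAXTRYS);     [ -n "$maxtrys" ] || maxtrys=5   # system default
    disable=$(get_opt "$f" DISABLETIME); [ -n "$disable" ] || disable=20  # system default
    console=$(get_opt "$f" CONSOLE)
    syslog=$(get_opt "$f" SYSLOG)
    passreq=$(get_opt "$f" PASSREQ)
    mandpass=$(get_opt "$f" MANDPASS)

    case "$console" in
        "") echo "CONSOLE unset: root may log in from any line"; n=$((n + 1)) ;;
        /dev/syscon|/dev/systty)
            echo "CONSOLE=$console: do not name this device"; n=$((n + 1)) ;;
    esac
    case "$syslog" in
        ALL|FAIL) ;;
        *) echo "SYSLOG not ALL or FAIL: login attempts are not recorded"; n=$((n + 1)) ;;
    esac
    if [ -z "$passreq" ] && [ "$mandpass" != YES ]; then
        echo "neither PASSREQ nor MANDPASS=YES: accounts without passwords can log in"
        n=$((n + 1))
    fi
    echo "effective MAXTRYS=$maxtrys DISABLETIME=$disable seconds"
    return $n
}

# Run against a file given on the command line, else the live file if present.
if [ -n "$1" ] || [ -f /etc/default/login ]; then
    audit_login "${1:-/etc/default/login}" || :
fi
```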

