Another try: RE: locking accounts after 3 unsuccessful login attempts

From: Lee, Elizabeth (elizabeth.lee.contractor@fnmoc.navy.mil)
Date: Fri Jun 07 2002 - 13:23:19 EDT


I appreciate the enthusiasm of folks who have pointed me in the direction of
/etc/default/login. However, if you think RETRIES is locking user accounts,
I have some unhappy news for you.

Yes, I already knew about /etc/default/login and the RETRIES parameter.
Failure to successfully login with the RETRIES boundary DOES NOT LOCK THE
ACCOUNT. The login process is killed, another is spawned, and the user may
merrily continue to whack away at the keyboard.

Tru64 locks the account after X number of tries; so does Linux. Careful
perusal of the following man page does not reveal any mention of locking
user accounts! Nor does the attached pam(3) man page.
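Since RETRIES only drops the TTY line, the failures that login records in /var/adm/loginlog are what an administrator is left to act on. The following is an added example (mine, not from the post or from Sun's tools) that reads RETRIES from an /etc/default/login fragment and flags users whose loginlog failures cluster inside a short window; it assumes the loginlog(4) layout user:tty:timestamp with a ctime-style timestamp, and all input is constructed.

```python
"""Flag clustered login failures from /var/adm/loginlog, since RETRIES only drops the line."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /etc/default/login fragment (not copied from a real host).
DEFAULT_LOGIN = """\
# CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
RETRIES=3
SLEEPTIME=4
"""

# Constructed loginlog lines. Assumed loginlog(4) layout: user:tty:ctime-style time.
LOGINLOG = """\
oracle:/dev/pts/3:Fri Jun  7 13:01:02 2002
oracle:/dev/pts/3:Fri Jun  7 13:01:09 2002
oracle:/dev/pts/3:Fri Jun  7 13:01:15 2002
oracle:/dev/pts/3:Fri Jun  7 13:01:22 2002
elee:/dev/pts/5:Fri Jun  7 09:10:00 2002
elee:/dev/pts/5:Fri Jun  7 11:45:30 2002
"""


def parse_default_login(text):
    """KEY=VALUE lines; commented-out keys (like CONSOLE above) are absent from the result."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_loginlog(text):
    """Return (user, tty, datetime) tuples; raise on a line that does not fit the layout."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":", 2)          # the timestamp itself contains colons
        if len(parts) != 3:
            raise ValueError(f"loginlog line {lineno}: unexpected layout: {line!r}")
        user, tty, stamp = parts
        # ctime pads the day with a space ("Jun  7"); collapse whitespace before parsing
        when = datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")
        records.append((user, tty, when))
    return records


def find_bursts(records, threshold, window):
    """Map user -> largest number of failures inside any span of length `window`,
    keeping only users that reach `threshold` (sliding window over sorted times)."""
    by_user = defaultdict(list)
    for user, _tty, when in records:
        by_user[user].append(when)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def audit(default_login=DEFAULT_LOGIN, loginlog=LOGINLOG, window_seconds=300):
    """Use RETRIES from /etc/default/login (man page default 5) as the burst threshold."""
    retries = int(parse_default_login(default_login).get("RETRIES", "5"))
    return find_bursts(parse_loginlog(loginlog), retries, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for user, count in sorted(audit().items()):
        print(f"{user}: {count} failed logins within 5 minutes; consider locking the account")
```

The script only reports; the lock itself still has to be applied by hand (passwd -l on Solaris).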

User Commands login(1)

NAME
     login - sign on to the system

SYNOPSIS
     login [ -p ] [ -d device ] [ -h hostname [ terminal ] |
           -r hostname ] [ name [ environ ... ]]

DESCRIPTION
     You use the login command at the beginning of each terminal
     session to identify yourself to the system. login is
     invoked by the system when a connection is first esta-
     blished, after the previous user has terminated the login
     shell by issuing the exit command.

     If login is invoked as a command, it must replace the ini-
     tial command interpreter. To invoke login in this fashion,
     type:

               exec login

     from the initial shell.

     login asks for your user name, if it is not supplied as an
     argument, and your password, if appropriate. Where possi-
     ble, echoing is turned off while you type your password, so
     it will not appear on the written record of the session.

     If you make any mistake in the login procedure, the message:

               Login incorrect

     is printed and a new login prompt will appear. If you make
     five incorrect login attempts, all five may be logged in
     /var/adm/loginlog, if it exists. The TTY line will be
     dropped.

     If password aging is turned on and the password has "aged"
     (see passwd(1) for more information), the user is forced to
     change the password. In this case the /etc/nsswitch.conf
     file is consulted to determine password repositories (see
     nsswitch.conf(4)). The password update configurations sup-
     ported are limited to the following five cases.

          o passwd: files
          o passwd: files nis
          o passwd: files nisplus
          o passwd: compat (==> files nis)
          o passwd: compat (==> files nisplus)
             passwd_compat: nisplus

     Failure to comply with the configurations will prevent the
     user from logging onto the system because passwd(1) will

SunOS 5.6 Last change: 18 Apr 1997 1

     fail. If you do not complete the login successfully within
     a certain period of time, it is likely that you will be
     silently disconnected.

     After a successful login, accounting files are updated.
     Device owner, group, and permissions are set according to
     the contents of the /etc/logindevperm file, and the time you
     last logged in is printed (see logindevperm(4)).

     The user-ID, group-ID, supplementary group list, and working
     directory are initialized, and the command interpreter (usu-
     ally ksh) is started.

     The basic environment is initialized to:

          HOME=your-login-directory
          LOGNAME=your-login-name
          PATH=/usr/bin:
          SHELL=last-field-of-passwd-entry
          MAIL=/var/mail/your-login-name
          TZ=timezone-specification

     For Bourne shell and Korn shell logins, the shell executes
     /etc/profile and $HOME/.profile, if it exists. For C shell
     logins, the shell executes /etc/.login, $HOME/.cshrc, and
     $HOME/.login. The default /etc/profile and /etc/.login
     files check quotas (see quota(1M)), print /etc/motd, and
     check for mail. None of the messages are printed if the
     file $HOME/.hushlogin exists. The name of the command
     interpreter is set to - (dash), followed by the last com-
     ponent of the interpreter's path name, for example, -sh.

     If the login-shell field in the password file (see
     passwd(4)) is empty, then the default command interpreter,
     /usr/bin/sh, is used. If this field is * (asterisk), then
     the named directory becomes the root directory. At that
     point, login is re-executed at the new level, which must
     have its own root structure.

     The environment may be expanded or modified by supplying
     additional arguments to login, either at execution time or
     when login requests your login name. The arguments may take
     either the form xxx or xxx=yyy. Arguments without an =
     (equal sign) are placed in the environment as:

               Ln=xxx

     where n is a number starting at 0 and is incremented each
     time a new variable name is required. Variables containing
     an = (equal sign) are placed in the environment without
     modification. If they already appear in the environment,
     then they replace the older values.

     There are two exceptions: The variables PATH and SHELL can-
     not be changed. This prevents people logged into restricted
     shell environments from spawning secondary shells that are
     not restricted. login understands simple single-character
     quoting conventions. Typing a \ (backslash) in front of a
     character quotes it and allows the inclusion of such charac-
     ters as spaces and tabs.

     Alternatively, you can pass the current environment by sup-
     plying the -p flag to login. This flag indicates that all
     currently defined environment variables should be passed, if
     possible, to the new environment. This option does not
     bypass any environment variable restrictions mentioned
     above. Environment variables specified on the login line
     take precedence, if a variable is passed by both methods.

     To enable remote logins by root, edit the /etc/default/login
     file by inserting a # (pound sign) before the
     CONSOLE=/dev/console entry. See FILES.

SECURITY
     login uses pam(3) for authentication, account management,
     session management, and password management. The PAM confi-
     guration policy, listed through /etc/pam.conf, specifies the
     modules to be used for login. Here is a partial pam.conf
     file with entries for the login command using the UNIX
     authentication, account management, session management, and
     password management module.

          login auth required /usr/lib/security/pam_unix.so.1
          login account required /usr/lib/security/pam_unix.so.1
          login session required /usr/lib/security/pam_unix.so.1
          login password required /usr/lib/security/pam_unix.so.1

     If there are no entries for the login service, then the
     entries for the "other" service will be used. If multiple
     authentication modules are listed, then the user may be
     prompted for multiple passwords.

     When login is invoked through rlogind or telnetd, the ser-
     vice name used by PAM is rlogin or telnet respectively.
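To make the "other" fallback and the service-name rule concrete, here is an added Python example (not part of the man page or of libpam) that parses a constructed pam.conf fragment and resolves the stack a service actually gets, including the rlogin and telnet names used when login is started by rlogind or telnetd. It assumes the fallback applies per module type, which is finer than the sentence above states; the rlogin and other lines and the pam_rhosts_auth.so.1 module are illustrative additions to the man page's four login entries.

```python
"""Resolve the effective PAM module stack for a service from a pam.conf(4) file."""
from collections import namedtuple

Entry = namedtuple("Entry", "service module_type control_flag module_path options")

# Constructed pam.conf fragment: the four login lines mirror the man page's
# partial file; the rlogin and other lines are illustrative additions.
PAM_CONF = """\
# service module_type control_flag module_path [options]
login  auth     required   /usr/lib/security/pam_unix.so.1
login  account  required   /usr/lib/security/pam_unix.so.1
login  session  required   /usr/lib/security/pam_unix.so.1
login  password required   /usr/lib/security/pam_unix.so.1
rlogin auth     sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth     required   /usr/lib/security/pam_unix.so.1
other  auth     required   /usr/lib/security/pam_unix.so.1
other  account  required   /usr/lib/security/pam_unix.so.1
other  session  required   /usr/lib/security/pam_unix.so.1
other  password required   /usr/lib/security/pam_unix.so.1
"""

# Service name PAM sees depending on how login was started (from the man page).
INVOKER_TO_SERVICE = {None: "login", "in.rlogind": "rlogin", "in.telnetd": "telnet"}


def parse_pam_conf(text):
    """Parse pam.conf lines into Entry tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected at least 4 fields: {line!r}")
        service, module_type, control_flag, module_path = fields[:4]
        options = fields[4].split() if len(fields) == 5 else []
        entries.append(Entry(service, module_type, control_flag, module_path, options))
    return entries


def effective_stack(entries, service, module_type):
    """Entries used for (service, module_type); falls back to 'other' when none exist."""
    own = [e for e in entries if e.service == service and e.module_type == module_type]
    if own:
        return own
    return [e for e in entries if e.service == "other" and e.module_type == module_type]


def stack_for_invoker(entries, invoker, module_type):
    """Stack seen by login when run directly (None), via in.rlogind, or via in.telnetd."""
    return effective_stack(entries, INVOKER_TO_SERVICE[invoker], module_type)


def password_prompt_estimate(auth_stack):
    """Upper bound on password prompts: one per auth module that is not told to reuse
    an earlier password via the use_first_pass / try_first_pass options."""
    reuse = {"use_first_pass", "try_first_pass"}
    return sum(1 for e in auth_stack if not reuse & set(e.options))
```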

OPTIONS
     -d device login accepts a device option, device. device is
               taken to be the path name of the TTY port login is
               to operate on. The use of the device option can
               be expected to improve login performance, since
               login will not need to call ttyname(3C). The -d
               option is available only to users whose UID and
               effective UID are root. Any other attempt to use
               -d will cause login to quietly exit.

     -h hostname [ terminal ]
               used by in.telnetd(1M) to pass information about
               the remote host and terminal type.

     -p used to pass environment variables to the login
               shell.

     -r hostname
               used by in.rlogind(1M) to pass information about
               the remote host.

EXIT STATUS
     0 Successful operation.

     non-zero Error.

FILES
     $HOME/.cshrc initial commands for each csh
     $HOME/.hushlogin suppresses login messages
     $HOME/.login user's login commands for csh
     $HOME/.profile user's login commands for sh and ksh
     $HOME/.rhosts private list of trusted
                         hostname/username combinations
     /etc/.login system-wide csh login commands
     /etc/logindevperm login-based device permissions
     /etc/motd message-of-the-day
     /etc/nologin message displayed to users attempting to
                         login during machine shutdown
     /etc/passwd password file
     /etc/profile system-wide sh and ksh login commands
     /etc/shadow list of users' encrypted passwords
     /usr/bin/sh user's default command interpreter
     /var/adm/lastlog time of last login
     /var/adm/loginlog record of failed login attempts
     /var/adm/utmp accounting
     /var/adm/wtmp accounting
     /var/mail/your-name mailbox for user your-name
     /etc/default/login Default value can be set for the follow-
                         ing flags in /etc/default/login. For
                         example: TIMEZONE=EST5EDT

                         TIMEZONE Sets the TZ environment
                                        variable of the shell
                                        (see environ(5)).
                         HZ Sets the HZ environment
                                        variable of the shell.
                         ULIMIT Sets the file size limit
                                        for the login. Units are
                                        disk blocks. Default is
                                        zero (no limit).
                         CONSOLE If set, root can login on
                                        that device only. This
                                        will not prevent execu-
                                        tion of remote commands
                                        with rsh(1). Comment out
                                        this line to allow login
                                        by root.
                         PASSREQ Determines if login
                                        requires a password.
                         ALTSHELL Determines if login
                                        should set the SHELL
                                        environment variable.
                         PATH Sets the initial shell
                                        PATH variable.
                         SUPATH Sets the initial shell
                                        PATH variable for root.
                         TIMEOUT Sets the number of
                                        seconds (between 0 and
                                        900) to wait before aban-
                                        doning a login session.
                         UMASK Sets the initial shell
                                        file creation mode mask.
                                        See umask(1).
                         SYSLOG Determines whether the
                                        syslog(3) LOG_AUTH facil-
                                        ity should be used to log
                                        all root logins at level
                                        LOG_NOTICE and multiple
                                        failed login attempts at
                                        LOG_CRIT.
                         SLEEPTIME If present, sets the
                                        number of seconds to wait
                                        before login failure is
                                        printed to the screen and
                                        another login attempt is
                                        allowed. Default is 4
                                        seconds. Minimum is 0
                                        seconds. Maximum is 5
                                        seconds.
                         RETRIES: Sets the number of
                                        retries for logging in
                                        (see pam(3)). The
                                        default is 5.
                         SYNC_AGED_PASSWORD:
                                        If YES, then if any one
                                        of the user passwords has
                                        aged, then all passwords
                                        should be updated. If
                                        NO, only those passwords
                                        that have aged should be
                                        updated (see pam(3)).
                                        The default is YES.
                         ALLOW_AGED_PASSWORD:
                                        If YES, then if any pass-
                                        word ages, but the pass-
                                        word can not be updated,
                                        then the user is still
                                        allowed in. If NO, then
                                        the user would not be
                                        able to login if the
                                        password is not updated
                                        (see pam(3)). The
                                        default is NO.

ATTRIBUTES
     See attributes(5) for descriptions of the following attri-
     butes:

      _________________________________
     | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
     |________________|_________________|
     | Availability   | SUNWcsu         |
     |________________|_________________|

SEE ALSO
     csh(1), exit(1), ksh(1), mail(1), mailx(1), newgrp(1),
     passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1), tel-
     net(1), umask(1), admintool(1M), in.rlogind(1M),
     in.telnetd(1M), logins(1M), quota(1M), su(1M), syslogd(1M),
     useradd(1M), userdel(1M), pam(3), rcmd(3N), syslog(3),
     ttyname(3C), hosts.equiv(4), logindevperm(4), loginlog(4),
     nologin(4), nsswitch.conf(4), pam.conf(4), passwd(4), pro-
     file(4), shadow(4), utmp(4), wtmp(4), attributes(5),
     environ(5), pam_unix(5), termio(7I)

DIAGNOSTICS
     Login incorrect The user name or the password cannot be
                         matched.

     Not on system console
                         Root login denied. Check the CONSOLE
                         setting in /etc/default/login.

     No directory! Logging in with home=/
                         The user's home directory named in the
                         passwd(4) database cannot be found or
                         has the wrong permissions. Contact your
                         system administrator.

     No shell Cannot execute the shell named in the
                         passwd(4) database. Contact your system
                         administrator.

     NO LOGINS: System going down in N minutes
                         The machine is in the process of being
                         shut down and logins have been disabled.

WARNINGS
     Users with a UID greater than 76695844 are not subject to
     password aging, and the system does not record their last
     login time.

     If you use the CONSOLE setting to disable root logins, you
     should arrange that remote command execution by root is also
     disabled. See rsh(1), rcmd(3N), and hosts.equiv(4) for
     further details.

C Library Functions pam(3)

NAME
     pam - PAM (Pluggable Authentication Module)

SYNOPSIS
     #include <security/pam_appl.h>

     cc [ flag ... ] file ... -lpam [ library ... ]

DESCRIPTION
     The PAM framework, libpam, consists of an interface library
     and multiple authentication service modules. The PAM inter-
     face library is the layer implementing the Application Pro-
     gramming Interface (API). The authentication service
     modules are a set of dynamically loadable objects invoked by
     the PAM API to provide a particular type of user authentica-
     tion. PAM gives system administrators the flexibility of
     choosing any authentication service available on the system
     to perform authentication. This framework also allows new
     authentication service modules to be plugged in and made
     available without modifying the applications.

  Interface Overview
     The PAM library interface consists of six categories of
     functions, the names for which all start with the prefix
     pam_.

     The first category contains functions for establishing and
     terminating an authentication activity, which are
     pam_start(3) and pam_end(3). The functions pam_set_data(3)
     and pam_get_data(3) maintain module specific data. The
     functions pam_set_item(3) and pam_get_item(3) maintain state
     information. pam_strerror(3) is the function that returns
     error status information.

     The second category contains the functions that authenticate
     an individual user and set the credentials of the user,
     pam_authenticate(3) and pam_setcred(3).

     The third category of PAM interfaces is account management.
     The function pam_acct_mgmt(3) checks for password aging and
     access-hour restrictions.

     Category four contains the functions that perform session
     management after access to the system has been granted. See
     pam_open_session(3) and pam_close_session(3).

     The fifth category consists of the function that changes
     authentication tokens, pam_chauthtok(3). An authentication
     token is the object used to verify the identity of the user.
     In UNIX, an authentication token is a user's password.

SunOS 5.6 Last change: 26 Mar 1997 1

     The sixth category of functions can be used to set values
     for PAM environment variables. See pam_putenv(3),
     pam_getenv(3), and pam_getenvlist(3).

     The pam_*() interfaces are implemented through the library
     libpam. For each of the categories listed above, excluding
     categories one and six, dynamically loadable shared modules
     exist that provide the appropriate service layer func-
     tionality upon demand. The functional entry points in the
     service layer start with the pam_sm_ prefix. The only
     difference between the pam_sm_*() interfaces and their
     corresponding pam_ interfaces is that all the pam_sm_*()
     interfaces require extra parameters to pass service-specific
     options to the shared modules. Refer to pam_sm(3) for an
     overview of the PAM service module APIs.

  Stateful Interface
     A sequence of calls sharing a common set of state informa-
     tion is referred to as an authentication transaction. An
     authentication transaction begins with a call to
     pam_start(). pam_start() allocates space, performs various
     initialization activities, and assigns a PAM authentication
     handle to be used for subsequent calls to the library.

     After initiating an authentication transaction, applications
     can invoke pam_authenticate() to authenticate a particular
     user, and pam_acct_mgmt() to perform system entry manage-
     ment. For example, the application may want to determine if
     the user's password has expired.

     If the user has been successfully authenticated, the appli-
     cation calls pam_setcred() to set any user credentials asso-
     ciated with the authentication service. Within one authen-
     tication transaction (between pam_start() and pam_end()),
     all calls to the PAM interface should be made with the same
     authentication handle returned by pam_start(). This is
     necessary because certain service modules may store module-
     specific data in a handle that is intended for use by other
     modules. For example, during the call to
     pam_authenticate(), service modules may store data in the
     handle that is intended for use by pam_setcred().

     To perform session management, applications call
     pam_open_session(). Specifically, the system may want to
     store the total time for the session. The function
     pam_close_session() closes the current session.

     When necessary, applications can call pam_get_item() and
     pam_set_item() to access and to update specific authentica-
     tion information. Such information may include the current
     username.

     To terminate an authentication transaction, the application
     simply calls pam_end(), which frees previously allocated
     space used to store authentication information.

  Application-Authentication Service Interactive Interface
     The authentication service in PAM does not communicate
     directly with the user; instead it relies on the application
     to perform all such interactions. The application passes a
     pointer to the function, conv(), along with any associated
     application data pointers, through a pam_conv structure to
     the authentication service when it initiates an authentica-
     tion transaction, via a call to pam_start(). The service
     will then use the function, conv(), to prompt the user for
     data, output error messages, and display text information.
     Refer to pam_start(3) for more information.

  Stacking Multiple Schemes
     The PAM architecture enables authentication by multiple
     authentication services through stacking. System entry
     applications, such as login(1), stack multiple service
     modules to authenticate users with multiple authentication
     services. The order in which authentication service modules
     are stacked is specified in the configuration file,
     pam.conf(4). A system administrator determines this order-
     ing, and also determines whether the same password can be
     used for all authentication services.

  Administrative Interface
     The authentication library, /usr/lib/libpam.so.1, implements
     the framework interface. Various authentication services
     are implemented by their own loadable modules whose paths
     are specified through the pam.conf(4) file.

RETURN VALUES
     The PAM functions may return one of the following generic
     values, or one of the values defined in the specific man
     pages:

     PAM_SUCCESS The function returned successfully.

     PAM_OPEN_ERR dlopen() failed when dynamically loading
                         a service module.

     PAM_SYMBOL_ERR Symbol not found.

     PAM_SERVICE_ERR Error in service module.

     PAM_SYSTEM_ERR System error.

     PAM_BUF_ERR Memory buffer error.

     PAM_CONV_ERR Conversation failure.

     PAM_PERM_DENIED Permission denied.

ATTRIBUTES
     See attributes(5) for description of the following attri-
     butes:

      ___________________________________________
     | ATTRIBUTE TYPE | ATTRIBUTE VALUE          |
     |________________|__________________________|
     | MT Level       | MT-Safe with exceptions  |
     |________________|__________________________|

SEE ALSO
     login(1), pam_authenticate(3), pam_chauthtok(3),
     pam_open_session(3), pam_set_item(3), pam_setcred(3),
     pam_sm(3), pam_start(3), pam_strerror(3), pam.conf(4),
     attributes(5)

WARNING
     Please note that all the PAM APIs and their data structures
     are subject to change without notice.

NOTES
     The interfaces in libpam are MT-safe only if each thread
     within the multi-threaded application uses its own PAM han-
     dle.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:26 EDT