From: Lee, Elizabeth (elizabeth.lee.contractor@fnmoc.navy.mil)
Date: Fri Jun 07 2002 - 13:23:19 EDT
I appreciate the enthusiasm of folks who have pointed me in the direction of
/etc/default/login. However, if you think RETRIES is locking user accounts,
I have some unhappy news for you.
Yes, I already knew about /etc/default/login and the RETRIES parameter.
Failure to successfully login with the RETRIES boundary DOES NOT LOCK THE
ACCOUNT. The login process is killed, another is spawned, and the user may
merrily continue to whack away at the keyboard.
Tru64 locks the account after X number of tries; so does Linux. Careful
perusal of the following man page does not reveal any mention of locking
user accounts! Nor does the attached pam(3) man page.
User Commands login(1)
NAME
login - sign on to the system
SYNOPSIS
login [ -p ] [ -d device ] [ -h hostname [ terminal ] |
-r hostname ] [ name [ environ ... ]]
DESCRIPTION
You use the login command at the beginning of each terminal
session to identify yourself to the system. login is
invoked by the system when a connection is first established,
after the previous user has terminated the login
shell by issuing the exit command.
If login is invoked as a command, it must replace the initial
command interpreter. To invoke login in this fashion,
type:
exec login
from the initial shell.
login asks for your user name, if it is not supplied as an
argument, and your password, if appropriate. Where possible,
echoing is turned off while you type your password, so
it will not appear on the written record of the session.
If you make any mistake in the login procedure, the message:
Login incorrect
is printed and a new login prompt will appear. If you make
five incorrect login attempts, all five may be logged in
/var/adm/loginlog, if it exists. The TTY line will be
dropped.
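An added example (not from the post or the Sun man page) of how a defender can act on the /var/adm/loginlog entries just described, given that exhausting RETRIES drops the line but, as the post stresses, does not lock the account: a Python script that parses constructed loginlog lines and reports users whose failures span more than one RETRIES round. The line layout assumed is the loginlog(4) form login-name:tty-specifier:time with a ctime-style timestamp; the sample lines and user names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/adm/loginlog lines (not from the post). Assumed
# loginlog(4) layout: login-name:tty-specifier:time (ctime-style). login may
# log all five attempts whenever RETRIES is exhausted; the line is dropped but
# the account stays usable, so bob just reconnected on another pty and went on.
SAMPLE_LOGINLOG = """\
alice:/dev/pts/2:Fri Jun  7 13:20:01 2002
alice:/dev/pts/2:Fri Jun  7 13:20:05 2002
alice:/dev/pts/2:Fri Jun  7 13:20:09 2002
alice:/dev/pts/2:Fri Jun  7 13:20:13 2002
alice:/dev/pts/2:Fri Jun  7 13:20:17 2002
bob:/dev/pts/3:Fri Jun  7 13:25:00 2002
bob:/dev/pts/3:Fri Jun  7 13:25:04 2002
bob:/dev/pts/3:Fri Jun  7 13:25:08 2002
bob:/dev/pts/3:Fri Jun  7 13:25:12 2002
bob:/dev/pts/3:Fri Jun  7 13:25:16 2002
bob:/dev/pts/5:Fri Jun  7 13:25:40 2002
bob:/dev/pts/5:Fri Jun  7 13:25:44 2002
bob:/dev/pts/5:Fri Jun  7 13:25:48 2002
bob:/dev/pts/5:Fri Jun  7 13:25:52 2002
bob:/dev/pts/5:Fri Jun  7 13:25:56 2002
alice:/dev/pts/4:Fri Jun  7 15:00:00 2002
"""

RETRIES = 5  # default in /etc/default/login, per the man page
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_loginlog(text):
    """Return (user, tty, datetime) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        try:
            stamp = datetime.strptime(parts[2].strip(), TIME_FORMAT)
        except ValueError:
            continue
        entries.append((parts[0], parts[1], stamp))
    return entries


def summarize_failures(entries, retries=RETRIES):
    """Per user: logged failures, how many full RETRIES rounds that is, and
    the first/last timestamps, so repeated reconnects stand out."""
    times = defaultdict(list)
    for user, _tty, stamp in entries:
        times[user].append(stamp)
    return {u: {"failures": len(t), "rounds": len(t) // retries,
                "first": min(t), "last": max(t)} for u, t in times.items()}


def repeat_offenders(entries, retries=RETRIES, min_rounds=2):
    """Users who exhausted RETRIES at least min_rounds times: the TTY drop did
    not stop them, which is the condition worth alerting on."""
    return sorted(u for u, s in summarize_failures(entries, retries).items()
                  if s["rounds"] >= min_rounds)
```

Run it against the real file with `parse_loginlog(open("/var/adm/loginlog").read())`; only users with at least two full rounds are reported by `repeat_offenders`.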
If password aging is turned on and the password has "aged"
(see passwd(1) for more information), the user is forced to
change the password. In this case the /etc/nsswitch.conf
file is consulted to determine password repositories (see
nsswitch.conf(4)). The password update configurations supported
are limited to the following five cases.
o passwd: files
o passwd: files nis
o passwd: files nisplus
o passwd: compat (==> files nis)
o passwd: compat (==> files nisplus)
passwd_compat: nisplus
Failure to comply with the configurations will prevent the
user from logging onto the system because passwd(1) will
fail. If you do not complete the login successfully within
a certain period of time, it is likely that you will be
silently disconnected.
SunOS 5.6 Last change: 18 Apr 1997 1
After a successful login, accounting files are updated.
Device owner, group, and permissions are set according to
the contents of the /etc/logindevperm file, and the time you
last logged in is printed (see logindevperm(4)).
The user-ID, group-ID, supplementary group list, and working
directory are initialized, and the command interpreter (usually
ksh) is started.
The basic environment is initialized to:
HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin:
SHELL=last-field-of-passwd-entry
MAIL=/var/mail/your-login-name
TZ=timezone-specification
For Bourne shell and Korn shell logins, the shell executes
/etc/profile and $HOME/.profile, if it exists. For C shell
logins, the shell executes /etc/.login, $HOME/.cshrc, and
$HOME/.login. The default /etc/profile and /etc/.login
files check quotas (see quota(1M)), print /etc/motd, and
check for mail. None of the messages are printed if the
file $HOME/.hushlogin exists. The name of the command
interpreter is set to - (dash), followed by the last component
of the interpreter's path name, for example, -sh.
If the login-shell field in the password file (see
passwd(4)) is empty, then the default command interpreter,
/usr/bin/sh, is used. If this field is * (asterisk), then
the named directory becomes the root directory. At that
point, login is re-executed at the new level, which must
have its own root structure.
The environment may be expanded or modified by supplying
additional arguments to login, either at execution time or
when login requests your login name. The arguments may take
either the form xxx or xxx=yyy. Arguments without an =
(equal sign) are placed in the environment as:
Ln=xxx
where n is a number starting at 0 and is incremented each
time a new variable name is required. Variables containing
an = (equal sign) are placed in the environment without
modification. If they already appear in the environment,
then they replace the older values.
There are two exceptions: The variables PATH and SHELL cannot
be changed. This prevents people logged into restricted
shell environments from spawning secondary shells that are
not restricted. login understands simple single-character
quoting conventions. Typing a \ (backslash) in front of a
character quotes it and allows the inclusion of such characters
as spaces and tabs.
Alternatively, you can pass the current environment by supplying
the -p flag to login. This flag indicates that all
currently defined environment variables should be passed, if
possible, to the new environment. This option does not
bypass any environment variable restrictions mentioned
above. Environment variables specified on the login line
take precedence, if a variable is passed by both methods.
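A worked model, added here and not part of the post or of Sun's login source, of the environment-argument rules in the paragraphs above: word splitting with backslash quoting, Ln= numbering for bare words, verbatim placement of xxx=yyy, and refusal of PATH and SHELL so a restricted shell cannot be handed an unrestricted one. The base environment and the typed line are constructed; returning the refused assignments in a list is this example's choice for visibility, not documented login behaviour.

```python
# login(1) refuses to override these two through login-line arguments, so a
# user in a restricted shell cannot hand it a PATH or SHELL of their choosing.
PROTECTED = ("PATH", "SHELL")

# Constructed base environment for the demonstration (not from the post).
BASE_ENV = {"PATH": "/usr/bin:", "SHELL": "/usr/lib/rsh", "HOME": "/home/alice"}


def split_login_line(line):
    """Split the text typed at the login: prompt into words.

    Unquoted spaces and tabs separate words; a backslash quotes the next
    character, so 'hello\\ world' stays one word containing a space.
    """
    words, cur, quoted = [], [], False
    for ch in line:
        if quoted:
            cur.append(ch)
            quoted = False
        elif ch == "\\":
            quoted = True
        elif ch in " \t":
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        words.append("".join(cur))
    return words


def apply_login_args(args, env):
    """Place arguments into a copy of env by login(1)'s rules: xxx becomes
    Ln=xxx for the lowest unused n, xxx=yyy is set as given (replacing an
    older value), and PATH/SHELL assignments are refused. Collecting the
    refused ones in a list is this example's choice, not documented behaviour."""
    new_env, refused, n = dict(env), [], 0
    for arg in args:
        if "=" in arg:
            name, value = arg.split("=", 1)
            if name in PROTECTED:
                refused.append(arg)
            else:
                new_env[name] = value
        else:
            while f"L{n}" in new_env:
                n += 1
            new_env[f"L{n}"] = arg
            n += 1
    return new_env, refused


def login_line_env(line, env=BASE_ENV):
    """First word is the user name; the rest are environment arguments."""
    words = split_login_line(line)
    if not words:
        raise ValueError("no user name typed")
    new_env, refused = apply_login_args(words[1:], env)
    return words[0], new_env, refused
```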
To enable remote logins by root, edit the /etc/default/login
file by inserting a # (pound sign) before the
CONSOLE=/dev/console entry. See FILES.
SECURITY
login uses pam(3) for authentication, account management,
session management, and password management. The PAM configuration
policy, listed through /etc/pam.conf, specifies the
modules to be used for login. Here is a partial pam.conf
file with entries for the login command using the UNIX
authentication, account management, session management, and
password management module.
login auth required /usr/lib/security/pam_unix.so.1
login account required /usr/lib/security/pam_unix.so.1
login session required /usr/lib/security/pam_unix.so.1
login password required /usr/lib/security/pam_unix.so.1
If there are no entries for the login service, then the
entries for the "other" service will be used. If multiple
authentication modules are listed, then the user may be
prompted for multiple passwords.
When login is invoked through rlogind or telnetd, the service
name used by PAM is rlogin or telnet respectively.
OPTIONS
-d device login accepts a device option, device. device is
taken to be the path name of the TTY port login is
to operate on. The use of the device option can
be expected to improve login performance, since
login will not need to call ttyname(3C). The -d
option is available only to users whose UID and
effective UID are root. Any other attempt to use
-d will cause login to quietly exit.
-h hostname [ terminal ]
used by in.telnetd(1M) to pass information about
the remote host and terminal type.
-p used to pass environment variables to the login
shell.
-r hostname
used by in.rlogind(1M) to pass information about
the remote host.
EXIT STATUS
0 Successful operation.
non-zero Error.
FILES
$HOME/.cshrc initial commands for each csh
$HOME/.hushlogin suppresses login messages
$HOME/.login user's login commands for csh
$HOME/.profile user's login commands for sh and ksh
$HOME/.rhosts private list of trusted
hostname/username combinations
/etc/.login system-wide csh login commands
/etc/logindevperm login-based device permissions
/etc/motd message-of-the-day
/etc/nologin message displayed to users attempting to
login during machine shutdown
/etc/passwd password file
/etc/profile system-wide sh and ksh login commands
/etc/shadow list of users' encrypted passwords
/usr/bin/sh user's default command interpreter
/var/adm/lastlog time of last login
/var/adm/loginlog record of failed login attempts
/var/adm/utmp accounting
/var/adm/wtmp accounting
/var/mail/your-name mailbox for user your-name
/etc/default/login Default value can be set for the following
flags in /etc/default/login. For
example: TIMEZONE=EST5EDT
TIMEZONE Sets the TZ environment
variable of the shell
(see environ(5)).
HZ Sets the HZ environment
variable of the shell.
ULIMIT Sets the file size limit
for the login. Units are
disk blocks. Default is
zero (no limit).
CONSOLE If set, root can login on
that device only. This
will not prevent execution
of remote commands
with rsh(1). Comment out
this line to allow login
by root.
PASSREQ Determines if login
requires a password.
ALTSHELL Determines if login
should set the SHELL
environment variable.
PATH Sets the initial shell
PATH variable.
SUPATH Sets the initial shell
PATH variable for root.
TIMEOUT Sets the number of
seconds (between 0 and
900) to wait before abandoning
a login session.
UMASK Sets the initial shell
file creation mode mask.
See umask(1).
SYSLOG Determines whether the
syslog(3) LOG_AUTH facility
should be used to log
all root logins at level
LOG_NOTICE and multiple
failed login attempts at
LOG_CRIT.
SLEEPTIME If present, sets the
number of seconds to wait
before login failure is
printed to the screen and
another login attempt is
allowed. Default is 4
seconds. Minimum is 0
seconds. Maximum is 5
seconds.
RETRIES: Sets the number of
retries for logging in
(see pam(3)). The
default is 5.
SYNC_AGED_PASSWORD:
If YES, then if any one
of the user passwords has
aged, then all passwords
should be updated. If
NO, only those passwords
that have aged should be
updated (see pam(3)).
The default is YES.
ALLOW_AGED_PASSWORD:
If YES, then if any password
ages, but the password
can not be updated,
then the user is still
allowed in. If NO, then
the user would not be
able to login if the
password is not updated
(see pam(3)). The
default is NO.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability   | SUNWcsu         |
SEE ALSO
csh(1), exit(1), ksh(1), mail(1), mailx(1), newgrp(1),
passwd(1), rlogin(1), rsh(1), sh(1), shell_builtins(1),
telnet(1), umask(1), admintool(1M), in.rlogind(1M),
in.telnetd(1M), logins(1M), quota(1M), su(1M), syslogd(1M),
useradd(1M), userdel(1M), pam(3), rcmd(3N), syslog(3),
ttyname(3C), hosts.equiv(4), logindevperm(4), loginlog(4),
nologin(4), nsswitch.conf(4), pam.conf(4), passwd(4),
profile(4), shadow(4), utmp(4), wtmp(4), attributes(5),
environ(5), pam_unix(5), termio(7I)
DIAGNOSTICS
Login incorrect The user name or the password cannot be
matched.
Not on system console
Root login denied. Check the CONSOLE
setting in /etc/default/login.
No directory! Logging in with home=/
The user's home directory named in the
passwd(4) database cannot be found or
has the wrong permissions. Contact your
system administrator.
No shell Cannot execute the shell named in the
passwd(4) database. Contact your system
administrator.
NO LOGINS: System going down in _N minutes
The machine is in the process of being
shut down and logins have been disabled.
WARNINGS
Users with a UID greater than 76695844 are not subject to
password aging, and the system does not record their last
login time.
If you use the CONSOLE setting to disable root logins, you
should arrange that remote command execution by root is also
disabled. See rsh(1), rcmd(3N), and hosts.equiv(4) for
further details.
C Library Functions pam(3)
NAME
pam - PAM (Pluggable Authentication Module)
SYNOPSIS
#include <security/pam_appl.h>
cc [flag ... ]file ... -l pam [library ... ]
DESCRIPTION
The PAM framework, libpam, consists of an interface library
and multiple authentication service modules. The PAM interface
library is the layer implementing the Application Programming
Interface (API). The authentication service
modules are a set of dynamically loadable objects invoked by
the PAM API to provide a particular type of user authentication.
PAM gives system administrators the flexibility of
choosing any authentication service available on the system
to perform authentication. This framework also allows new
authentication service modules to be plugged in and made
available without modifying the applications.
Interface Overview
The PAM library interface consists of six categories of
functions, the names for which all start with the prefix
pam_.
The first category contains functions for establishing and
terminating an authentication activity, which are
pam_start(3) and pam_end(3). The functions pam_set_data(3)
and pam_get_data(3) maintain module specific data. The
functions pam_set_item(3) and pam_get_item(3) maintain state
information. pam_strerror(3) is the function that returns
error status information.
The second category contains the functions that authenticate
an individual user and set the credentials of the user,
pam_authenticate(3) and pam_setcred(3).
The third category of PAM interfaces is account management.
The function pam_acct_mgmt(3) checks for password aging and
access-hour restrictions.
Category four contains the functions that perform session
management after access to the system has been granted. See
pam_open_session(3) and pam_close_session(3)
The fifth category consists of the function that changes
authentication tokens, pam_chauthtok(3). An authentication
token is the object used to verify the identity of the user.
In UNIX, an authentication token is a user's password.
SunOS 5.6 Last change: 26 Mar 1997 1
The sixth category of functions can be used to set values
for PAM environment variables. See pam_putenv(3),
pam_getenv(3), and pam_getenvlist(3).
The pam_*() interfaces are implemented through the library
libpam. For each of the categories listed above, excluding
categories one and six, dynamically loadable shared modules
exist that provide the appropriate service layer functionality
upon demand. The functional entry points in the
service layer start with the pam_sm_ prefix. The only
difference between the pam_sm_*() interfaces and their
corresponding pam_ interfaces is that all the pam_sm_*()
interfaces require extra parameters to pass service-specific
options to the shared modules. Refer to pam_sm(3) for an
overview of the PAM service module APIs.
Stateful Interface
A sequence of calls sharing a common set of state information
is referred to as an authentication transaction. An
authentication transaction begins with a call to
pam_start(). pam_start() allocates space, performs various
initialization activities, and assigns a PAM authentication
handle to be used for subsequent calls to the library.
After initiating an authentication transaction, applications
can invoke pam_authenticate() to authenticate a particular
user, and pam_acct_mgmt() to perform system entry management.
For example, the application may want to determine if
the user's password has expired.
If the user has been successfully authenticated, the application
calls pam_setcred() to set any user credentials associated
with the authentication service. Within one authentication
transaction (between pam_start() and pam_end()),
all calls to the PAM interface should be made with the same
authentication handle returned by pam_start(). This is
necessary because certain service modules may store module-specific
data in a handle that is intended for use by other
modules. For example, during the call to
pam_authenticate(), service modules may store data in the
handle that is intended for use by pam_setcred().
To perform session management, applications call
pam_open_session(). Specifically, the system may want to
store the total time for the session. The function
pam_close_session() closes the current session.
When necessary, applications can call pam_get_item() and
pam_set_item() to access and to update specific authentication
information. Such information may include the current
username.
To terminate an authentication transaction, the application
simply calls pam_end(), which frees previously allocated
space used to store authentication information.
Application-Authentication Service Interactive Interface
The authentication service in PAM does not communicate
directly with the user; instead it relies on the application
to perform all such interactions. The application passes a
pointer to the function, conv(), along with any associated
application data pointers, through a pam_conv structure to
the authentication service when it initiates an authentication
transaction, via a call to pam_start(). The service
will then use the function, conv(), to prompt the user for
data, output error messages, and display text information.
Refer to pam_start(3) for more information.
Stacking Multiple Schemes
The PAM architecture enables authentication by multiple
authentication services through stacking. System entry
applications, such as login(1), stack multiple service
modules to authenticate users with multiple authentication
services. The order in which authentication service modules
are stacked is specified in the configuration file,
pam.conf(4). A system administrator determines this ordering,
and also determines whether the same password can be
used for all authentication services.
Administrative Interface
The authentication library, /usr/lib/libpam.so.1, implements
the framework interface. Various authentication services
are implemented by their own loadable modules whose paths
are specified through the pam.conf(4) file.
RETURN VALUES
The PAM functions may return one of the following generic
values, or one of the values defined in the specific man
pages:
PAM_SUCCESS The function returned successfully.
PAM_OPEN_ERR dlopen() failed when dynamically loading
a service module.
PAM_SYMBOL_ERR Symbol not found.
PAM_SERVICE_ERR Error in service module.
PAM_SYSTEM_ERR System error.
PAM_BUF_ERR Memory buffer error.
PAM_CONV_ERR Conversation failure.
PAM_PERM_DENIED Permission denied.
ATTRIBUTES
See attributes(5) for description of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE         |
| MT Level       | MT-Safe with exceptions |
SEE ALSO
login(1), pam_authenticate(3), pam_chauthtok(3),
pam_open_session(3), pam_set_item(3), pam_setcred(3),
pam_sm(3), pam_start(3), pam_strerror(3), pam.conf(4),
attributes(5)
WARNING
Please note that all the PAM APIs and their data structures
are subject to change without notice.
NOTES
The interfaces in libpam() are MT-safe only if each thread
within the multi-threaded application uses its own PAM handle.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:26 EDT