Sun Microsystems, Inc.
16. Securing Systems (Tasks)

Temporarily Disabling User Logins

Creating the /etc/nologin File

How to Temporarily Disable User Logins

  1. Become superuser or assume an equivalent role.

  2. Create the /etc/nologin file by using an editor.

    # vi /etc/nologin
  3. Include a message about system availability.

  4. Close and save the file.

Example--Disabling User Logins

This example shows how to notify users of system unavailability.

# vi /etc/nologin
(Add system message here)
 
# cat /etc/nologin 
***No logins permitted.***

***The system will be unavailable until 12 noon.***

Saving Failed Login Attempts

You can save failed login attempts by creating the /var/adm/loginlog file with read and write permission for root only. After you create the loginlog file, all failed login activity will be automatically written to this file after five failed attempts. For detailed instructions, see "How to Save Failed Login Attempts".

The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, none of the attempts are logged.

The loginlog file might grow quickly. To use the information in this file and to prevent the file from getting too large, you must check and clear its contents occasionally. If this file shows a lot of activity, it might suggest an attempt to break into the computer system. For more information about this file, see the loginlog(4) man page.

How to Save Failed Login Attempts

  1. Become superuser or assume an equivalent role.

  2. Create the loginlog file in the /var/adm directory.

    # touch /var/adm/loginlog
  3. Set read and write permissions for root on the loginlog file.

    # chmod 600 /var/adm/loginlog
  4. Change group membership to sys on the loginlog file.

    # chgrp sys /var/adm/loginlog
  5. Make sure that the log works by attempting to log into the system five times with the wrong password. Then, display the /var/adm/loginlog file.

    # more /var/adm/loginlog
    rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
    rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
    #
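As an added example (not part of the Sun documentation), the following Python script parses the login-name:tty:timestamp entries shown above and summarizes them per user and tty, flagging groups whose failures all fall inside a short window; the log content in the script is constructed, not a real capture.

```python
from datetime import datetime

# Constructed sample of /var/adm/loginlog contents (not a real capture).
SAMPLE_LOGINLOG = """\
rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002
rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002
rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002
root:/dev/term/a:Wed Jan 16 23:10:02 2002
root:/dev/term/a:Wed Jan 16 23:10:09 2002
root:/dev/term/a:Wed Jan 16 23:10:15 2002
root:/dev/term/a:Wed Jan 16 23:10:22 2002
root:/dev/term/a:Wed Jan 16 23:10:30 2002
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # the ctime(3) layout used in each entry

def parse_loginlog(text):
    """Return a list of (user, tty, datetime) for each well-formed entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Only the timestamp contains colons, so split at most twice.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the review
        user, tty, stamp = parts
        try:
            entries.append((user, tty, datetime.strptime(stamp, TIME_FMT)))
        except ValueError:
            continue  # unparsable timestamp: also skipped
    return entries

def summarize(entries, window_seconds=300):
    """Group entries by (user, tty); flag groups whose failures span a short window."""
    by_key = {}
    for user, tty, when in entries:
        by_key.setdefault((user, tty), []).append(when)
    report = {}
    for key, times in by_key.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        report[key] = {"count": len(times), "burst": span <= window_seconds}
    return report
```

A group such as root on /dev/term/a with five failures inside half a minute is the kind of activity the text above says to look for when reviewing the file.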

Password Protection Using Dial-up Passwords

You can add a layer of security to your password protection by requiring a dial-up password for users who access a system through a modem or dial-up port. A dial-up password is an additional password that a user must enter before being granted access to the system.

Only superuser can create or change a dial-up password. To ensure the integrity of the system, the password should be changed about once a month. The most effective use of this feature is to require a dial-up password to gain access to a gateway system.

Two files are involved in creating a dial-up password, /etc/dialups and /etc/d_passwd. The first file contains a list of ports that require a dial-up password. The second file lists login programs (shells), each paired with the encrypted dial-up password that users of that login program must supply.

If the user's login program (as specified in /etc/passwd) is not found in /etc/d_passwd, or if the login shell field in /etc/passwd is null, the password entry for /usr/bin/sh is used.

  • If the user's login shell in /etc/passwd matches an entry in /etc/d_passwd, the user must supply a dial-up password.

  • If the user's login shell in /etc/passwd is not found in /etc/d_passwd, the user must supply the default password. The default password is the entry for /usr/bin/sh.

  • If the login shell field in /etc/passwd is empty, the user must supply the default password (the entry for /usr/bin/sh).

  • If /etc/d_passwd has no entry for /usr/bin/sh, then those users whose login shell field in /etc/passwd is empty or does not match any entry in /etc/d_passwd will not be prompted for a dial-up password.

  • Dial-up logins are disabled if /etc/d_passwd has only the following entry: /usr/bin/sh:*:
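To make the rules above concrete, here is an added Python example (not Sun's code) that parses constructed /etc/dialups and /etc/d_passwd contents and reports, for a given port and login shell, whether a dial-up password is requested and which entry applies. Treating a `*` password field as one that no typed password can match, and therefore as a refused login, is an assumption that follows the last bullet above.

```python
# Constructed examples of the two files (not real system contents).
DIALUPS = """\
/dev/term/a
/dev/term/b
"""
D_PASSWD = """\
/usr/lib/uucp/uucico:encrypted-password:
/usr/bin/csh:encrypted-password:
/usr/bin/sh:encrypted-password:
"""

DEFAULT_PROGRAM = "/usr/bin/sh"   # entry used when the login shell is empty or unlisted

def parse_dialups(text):
    """Return the set of ports that require a dial-up password."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def parse_d_passwd(text):
    """Map each login program to its encrypted password field (program:password:)."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0]:
            table[fields[0]] = fields[1]
    return table

def dialup_check(tty, login_shell, dialups, d_passwd):
    """Decide what a login on `tty` with `login_shell` (from /etc/passwd) faces.

    Returns (outcome, program): outcome is "no-prompt", "prompt" or "denied";
    program is the /etc/d_passwd entry whose password applies, if any.
    """
    if tty not in dialups:
        return ("no-prompt", None)          # port not listed: no extra password
    if login_shell and login_shell in d_passwd:
        program = login_shell               # the shell has its own entry
    else:
        program = DEFAULT_PROGRAM           # empty or unlisted shell: /usr/bin/sh entry
    if program not in d_passwd:
        return ("no-prompt", None)          # no /usr/bin/sh entry either: not prompted
    if d_passwd[program] == "*":
        # Assumption: "*" can never match a typed password, so the login is refused;
        # this is how the "/usr/bin/sh:*:" entry disables dial-up logins.
        return ("denied", program)
    return ("prompt", program)
```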

How to Create a Dial-up Password


Caution - When you first establish a dial-up password, be sure to remain logged in on at least one port while you are testing the password on a different port. If you make a mistake while you are installing the extra password and log off to test the new password, you might not be able to log back on. If you are still logged in on another port, you can go back and fix your mistake.


  1. Become superuser or assume an equivalent role.

  2. Create an /etc/dialups file that contains a list of serial devices, including all the ports that will require dial-up password protection.

    The /etc/dialups file should look like the following:

    /dev/term/a
    /dev/term/b
    /dev/term/c
  3. Create an /etc/d_passwd file that contains the login programs that will require a dial-up password, and the encrypted dial-up password.

    Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should look like the following:

    /usr/lib/uucp/uucico:encrypted-password:
    /usr/bin/csh:encrypted-password:
    /usr/bin/ksh:encrypted-password:
    /usr/bin/sh:encrypted-password:
  4. Set ownership to root on the two files.

    # chown root /etc/dialups /etc/d_passwd
  5. Set group ownership to root on the two files.

    # chgrp root /etc/dialups /etc/d_passwd
  6. Set read and write permissions for root on the two files.

    # chmod 600 /etc/dialups /etc/d_passwd
  7. Create the encrypted passwords.

    1. Create a temporary user.

      # useradd username
    2. Create a password for the temporary user.

      # passwd username
    3. Capture the encrypted password.

      # grep username /etc/shadow > username.temp
    4. Edit the username.temp file.

      Delete all fields except the encrypted password (the second field).

      For example, in the following line, the encrypted password is U9gp9SyA/JlSk.

      temp:U9gp9SyA/JlSk:7967:::::7988:
    5. Delete the temporary user.

      # userdel username
  8. Copy the encrypted password from the username.temp file into the /etc/d_passwd file.

    You can create a different password for each login shell, or use the same password for each login shell.
