This chapter explains how to log in to the system and use password facilities. Identification and Authentication (I and A) is the security term for all system procedures affecting logging in, changing passwords, and logging out. These procedures have been modified extensively in the trusted system, but these changes do not dramatically affect the way in which users perform their work on the system.
You should become familiar with the security functions and features of trusted Tru64 UNIX so you can learn to recognize any attempted (or successful) unauthorized use of your individual account or of the system in general.
The login procedure on a system running under trusted Tru64 UNIX is similar to the procedure for nontrusted systems. This section describes the general process. See the login(1) reference page for details.
On a trusted system, you are occasionally required to change your password by using the passwd program (see Section 2.2.3 for a description of the circumstances). If you try to log in when your password needs to be changed, the login program calls the passwd program as part of the login procedure. You can also call passwd directly while you are logged in, as you can on a nontrusted system. Section 2.2 and the passwd(1) reference page describe the process.
The following example is a typical login on a trusted system:
login: juanita
Password: <nonechoed password>
The system then displays the date and time of the last successful and unsuccessful login:
Last successful login for juanita: date and time on tty03
Last unsuccessful login for juanita: date and time on tty03
Always check the successful and unsuccessful login information against your activity on the system. Any discrepancy means that someone has attempted to log in to your account (or did log in to your account). Report this activity immediately to your system administrator or information system security officer (ISSO).
If your password is about to expire, the system displays a warning:
Your password will expire on date and time
The system administrator sets the warning interval on your system.
2.1.1 Authentication Profile
After a successful login, the system assigns the following attributes to your login shell:
User audit control and disposition masks
As you log in, the system stamps your login process with an AUID. The AUID identifies you in the system auditing records so that you can be held accountable for your actions, as described in Section 1.1.3. The audit masks are used to calculate user-specific audit record collection, as set in your authentication profile. The other process identities serve the same purpose as in nontrusted systems.
2.1.2 Other Login Restrictions
An authorized user list can be created for a particular terminal. If such a list exists, your user name must appear in the list or you cannot log in at that terminal. In this case, the system displays the following message:
Not authorized for terminal access--see System Administrator
After a specified number of failed login attempts, the terminal can be disabled. This security precaution protects the system against break-in attempts by limiting the number of times someone can try to log in from a given terminal.
A terminal can also be explicitly locked by the system administrator. If the terminal is disabled or locked, the system displays the following message:
Terminal is disabled -- see Account Administrator
Your account can be disabled after a specified number of failed login attempts. Like disabling a terminal, this security precaution protects the system by limiting the number of times someone can try to guess your password. Your account is also disabled automatically if your password exceeds its lifetime.
Your account can also be explicitly locked by the system administrator. If your account is disabled, the system displays the following message:
Account is disabled -- see Account Administrator
If any of these messages appear when you try to log in, report the occurrence to your administrative staff. If the terminal or your account has been disabled, the system administrator has to enable it again before you can log in.
2.2 Setting Your Password
A trusted Tru64 UNIX system differs from a nontrusted system in the way in which it generates and controls passwords. A number of options can be selected to determine how passwords are created, issued, changed, and revoked. These options control the following items and are discussed in detail in later sections:
Whether you can change your password under any circumstances.
Whether you have previously used a specific password.
Whether you can choose your own password. (Section 2.2.1.)
What type of password the system generates for you if you cannot choose your own. (Section 2.2.1.)
When you are allowed to change your password and when you must change your password. (Section 2.2.3.)
In the trusted system, as in the nontrusted system, the passwd command changes passwords. The prompts this command displays and your interaction with it, however, are different in the trusted system. If you are not allowed to change your password and you try to run passwd, the system displays the following message:
Password request denied. Reason: you do not have any password changing options.
In this case, you must contact your system administrator and arrange to have your password changed.
2.2.1 Choosing Your Own Password
If you are allowed to change your password, your account can be set
up to allow you to select your password or to have the system generate one.
These options determine the dialog the system starts when you invoke passwd.
First, the system prompts you for your current password:
Old password:
Type in your old password. If you type it correctly, the system displays password change times:
Last successful password change for user: date and time
Last unsuccessful password change for user: date and time
Always check these dates and times. Although you might not remember exactly when you last changed your password, you should at least be able to decide if the times are reasonable.
The system administrator can allow you to choose one or more of the following password types for your account:
System-generated random pronounceable syllables
System-generated random characters, including punctuation marks and digits
System-generated random letters
Your own choice
The following example shows the prompt when all possible options are allowed:
Do you want (choose one option only):
1 pronounceable passwords generated for you
2 a string of characters generated for you
3 a string of letters generated for you
4 to pick your password
Select ONE item by number:
If you choose to pick your own password, the system prompts for the new password twice to avoid mistypings.
2.2.2 Choosing a System-Generated Password
The following example shows the dialog for a system-generated pronounceable password:
Generating random pronounceable password for user.
The password, along with the hyphenated version, is shown.
Hit <RETURN> or <ENTER> until you like the choice.
When you have chosen the password you want, type it in.
Note: Type your interrupt character or "quit" to abort at any time.
Password: saglemot Hyphenation: sag-le-mot
Enter password:
The hyphenated version is shown to help you pronounce the password so you can remember it more easily. You do not enter the hyphens. If you do not like the first password, press Return to see another one. When the system generates one that you want, enter it.
If you decide not to change your password, you can enter quit or use your interrupt character (typically Ctrl/C). The system displays the following message:
Password cannot be changed. Reason: user stopped program.
The system also updates your last unsuccessful password change time. The dialog when you select one of the other system-generated password types is similar.
2.2.3 Understanding Password Aging
The system enforces a minimum change time, expiration time, and lifetime for each password. Passwords cannot be changed until the minimum change time has passed. This prevents you from changing your password and then immediately changing it back so that you do not have to learn a new password. If you try to change your password too soon, the system responds with the following message:
Password cannot be changed. Reason: minimum time between changes has not elapsed.
A password is valid until its expiration time is reached. Once a password has expired, you must change that password before the system allows you to log in again. You will usually see a message at login time if your password is about to expire. You should change it when you see the message. If you are logged out when your password expires, you can change it as part of the login process when you next log in.
If the lifetime passes, the account is disabled.
If you try to log in to a disabled account, the system displays an appropriate message. In this case, you must ask your system administrator to reenable your account, and you must change your password when you next log in.
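To make the three aging thresholds (minimum change time, expiration time, lifetime) and the warning interval concrete, here is a small Python model of the policy described in this section. It is an added example written for this page, not the Tru64 passwd or login implementation; the policy values, the dates, and the function names are assumptions, while the state names and the messages echo the ones this chapter quotes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AgingPolicy:
    """Per-account aging parameters; on a real system the administrator sets them."""
    min_change: timedelta   # a password may not be changed again before this age
    expire: timedelta       # past this age the password must be changed at the next login
    lifetime: timedelta     # past this age the account is disabled
    warn: timedelta         # login warns when expiry is closer than this


# Assumed values for the worked example (not Tru64 defaults).
EXAMPLE_POLICY = AgingPolicy(min_change=timedelta(days=1), expire=timedelta(days=30),
                             lifetime=timedelta(days=45), warn=timedelta(days=7))
EXAMPLE_LAST_CHANGE = datetime(2000, 1, 1)


def at(days: float) -> datetime:
    """A moment `days` after the example's last password change."""
    return EXAMPLE_LAST_CHANGE + timedelta(days=days)


def password_state(last_change: datetime, now: datetime, policy: AgingPolicy) -> str:
    """Classify a password by age: 'valid', 'warning', 'expired' or 'dead'.
    Lifetime is tested first because it is the stricter condition."""
    age = now - last_change
    if age >= policy.lifetime:
        return "dead"        # lifetime exceeded: the account is disabled
    if age >= policy.expire:
        return "expired"     # must be changed before login completes
    if policy.expire - age <= policy.warn:
        return "warning"     # login prints the expiry warning
    return "valid"


def login_action(last_change: datetime, now: datetime, policy: AgingPolicy) -> str:
    """What login does with the account, given the password state."""
    state = password_state(last_change, now, policy)
    if state == "dead":
        return "Account is disabled -- see Account Administrator"
    if state == "expired":
        return "call passwd before starting the shell"
    if state == "warning":
        expires = last_change + policy.expire
        return "Your password will expire on " + expires.strftime("%Y-%m-%d %H:%M")
    return "start the shell"


def change_allowed(last_change: datetime, now: datetime, policy: AgingPolicy,
                   has_change_option: bool = True):
    """Whether passwd accepts a change now, plus the reason it would print if not."""
    if not has_change_option:
        return False, "you do not have any password changing options"
    if now - last_change < policy.min_change:
        return False, "minimum time between changes has not elapsed"
    return True, ""


if __name__ == "__main__":
    for d in (10, 25, 35, 50):
        print(d, "days:", password_state(EXAMPLE_LAST_CHANGE, at(d), EXAMPLE_POLICY),
              "->", login_action(EXAMPLE_LAST_CHANGE, at(d), EXAMPLE_POLICY))
```

Note the ordering in password_state: a password that is past its lifetime is also past its expiration, so the lifetime test must come first or the account would merely be prompted for a new password instead of being disabled.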
2.3 Using the su Command
The su command allows you to work on the system temporarily under the user ID of another person. The su command starts a new shell process with the effective and real user and group IDs of the other user. In the trusted Tru64 UNIX system, the AUID is not changed through an su transition. This means that all actions are accountable to the user who originally logged in to the system, regardless of the number of su transitions, even through root. See the su(1) reference page for details.
The identification and authentication procedure described in the preceding sections is one of the most important security tools the system uses to guard against unauthorized access. Knowing a password and having physical access to a terminal or remote access through the network are all that an unauthorized user needs to gain access to a system.
Once such a user has logged on, he or she can steal data and corrupt the system in subtle ways. The amount of damage a penetrator can do increases as the account accessed has greater power on the system.
Remember, a penetrator's actions can be traced only to your account, and you will be held accountable. It is your responsibility to ensure that your account is not compromised.
Protect your password by following these guidelines:
Never share your password. When you tell someone your password and let them log in to your account, the system loses its ability to hold individual users accountable for their own actions.
Do not write down your password. Many system penetrations occur simply because a user wrote his or her password on a terminal. If a password must be recorded, keep it under lock and key.
Never use an old password again. A password that has already been in use may already have been observed or guessed, and reusing it increases the probability that someone can guess it again.
Never type a password while someone is watching. It is possible to steal a password simply by watching someone type it. Be especially careful if you are using a workstation in a public area.
If you are allowed to choose your own password, choose your password wisely:
Select passwords that are hard to guess.
Never use an ordinary word or a proper name, your spouse's, child's, or pet's name, your birthday, your address, or a machine name, even if these words are specified backward, permuted in some other way, or have a number added to the front or back.
Always choose a password that contains some numbers or special characters. Always select different passwords for different machines, but never use the name of the machine, even permuted.
Your system administrator can set defaults for your site that perform automatic checks on passwords you specify.
Although these procedures add a small amount of effort to your login, they help to avoid system compromise.
2.5 Login and Logout Security Tips
In addition to following the password security tips, follow these login and logout guidelines:
Check the system login and logout messages. When you log in, carefully check the reported last login and logout times to make sure they match what you remember as the last time you logged in and out. Make special note of login attempts during the time that you normally do not log in to the system. Report any discrepancies immediately to your system administrator so he or she can analyze the audit trail for the attempted penetration.
Never leave your terminal unattended. Remember, someone who can run a program under your identity can cause great damage. It is much easier for a malicious user to take advantage of an unattended terminal than to coerce you into running a trojan horse program.
Analyze unsuccessful login attempts. Note any login attempts where you thought you entered the correct password but the system reported it as incorrect, especially if you then log in successfully. If the time reported for the last unsuccessful login is not close to the current time, you might have typed your password into a login spoofing program, and someone may now know your password. Either change it immediately (if you are allowed to do so), or arrange with the system administrator to have it changed.
The mechanisms of trusted Tru64 UNIX may be somewhat unfamiliar if you are accustomed to a nontrusted Tru64 UNIX system. If you are a new user, the extra complexity added to satisfy security requirements may cause additional confusion. The following sections provide a guide to common situations that cause users problems. Each description of a potential problem and its suggested solution should give you a better understanding of the security feature that is exhibiting the unexpected behavior.
2.6.1 Passwords
The trusted Tru64 UNIX system enforces two modes of password expiration:
A password expires if its expiration time is reached. If your password expires, you must change it or arrange to have it changed (if the system administrator has not given you password change authorization) before logging into the system again. The system will not allow you to log in until your password is successfully changed.
Your password dies if its lifetime is exceeded. In this case, your account is disabled; only the system administrator can reenable your account. You must change your password before using the system again after the system administrator reenables it.
Recall that the system warns you at login time that your password is about to expire. In this case, you should use the passwd command to change it before you log out. If your password expires while you are logged out, the login command calls passwd during the login process. See the login(1) and passwd(1) reference pages and Chapter 2.
The system also warns you if your password was changed by another user since you last logged in successfully. This message is to be expected if you cannot change your own password and the system administrator has changed it for you. If this message appears when you do not expect it, see your system administrator.
2.6.2 Background Jobs
If you are accessing the system from a character-mode terminal, the getty command opens the stdin, stdout, and stderr file pointers to reference the terminal character device file. A program that manages to survive the user's logout can try to access the terminal because its file descriptors are retained. This is an open opportunity for login spoofing programs, because a background program can read from the terminal file descriptor and be given some of the characters that are also requested by the getty and login programs for the new user session.
The Tru64 UNIX system invalidates all terminal file descriptors after logout. If a program tries to access the login terminal after logout, the access fails.
One impact of this feature occurs when you are using write to communicate with another user, and that user logs out or the terminal is disconnected. The next message that you try to send causes write to exit with an error message, because it no longer has access to the other terminal.
Background jobs can be left running after you have logged out. If these jobs attempt to write to a terminal using the write() system call after logout, they receive a hangup signal, and the write fails. The behavior of the program depends on how it handles that error condition.
2.6.3 Sticky Directories
One of the UNIX permission bits is called the "sticky bit." In older UNIX systems, the sticky bit was set on executable files so that the system retained the program text in the swap area even after there were no active references to the program. This behavior was useful for some earlier computer architectures. On these early systems, the sticky bit for directories had no meaning.
Nontrusted Tru64 UNIX systems, trusted Tru64 UNIX systems, and some other recent UNIX variants use the sticky bit on directories to control a possible security hole.
Many commands use standard directories such as /tmp and /var/tmp to store temporary files. These directories are readable and writable by everyone so that all users can create and remove their own files in the temporary directories. Because the directories are writable, however, users can also remove other users' temporary files, regardless of the protection on the file itself: removing a file is a write to the directory, not to the file.
Setting the sticky bit changes the semantics for writable directories. When the sticky bit is set on a directory, a file in it can be removed or renamed only by the owner of the file, the owner of the directory, or the superuser (a process with the appropriate privilege). Other users cannot remove files from such directories, even though they can still create their own files there.
If you cannot remove a file from a directory to which you have discretionary write access, check the file's owner and the directory's sticky bit. The sticky bit is on if ls reports a t in place of the execute bit for others in a long listing. For example:
$ ls -ld /sticky
drwxrwxrwt 11 bin bin 1904 Jan 24 21:56 /sticky
The administrator typically places the sticky bit on all public directories because these directories can be written by any user. These include the following directories:
/tmp
/var/tmp
/var/preserve
Most systems combine the sticky directory approach with a policy of specifying restrictive umask values (for example, 077) for user accounts. In this case, temporary files are created as private files, which prevents other users from reading, altering, or replacing files in shared directories. Another user can determine only the file's name and attributes. The trusted Tru64 UNIX system default umask is 077.
An unauthorized user who tries to get at such a file can create a hard link to it from a private directory, but the link is the same file with the same owner and mode, so the user still cannot read it; a link does not produce a private copy. Many systems create temporary directories as separate file systems, which prevents even this, because hard links cannot cross from the temporary file system into user directory hierarchies.
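The following Python script exercises the two protections this section describes: the sticky-bit removal rule and private file creation under a 077 umask. It is an added example for this page, not Tru64 code; the removal check is a model written here (the kernel applies the same rule inside unlink and rename), and it assumes a POSIX host where the owner of a directory may set its sticky bit.

```python
import os
import stat
import tempfile


def is_sticky(path: str) -> bool:
    """True if the directory's sticky bit is set (ls shows it as 't' in the others-execute slot)."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def may_unlink(dir_mode: int, dir_uid: int, file_uid: int, proc_uid: int) -> bool:
    """Model of the removal check for a process that already has write access to the directory.
    Without the sticky bit, directory write access alone is enough; with it, only the file's
    owner, the directory's owner, or the superuser may remove (or rename) the entry."""
    if proc_uid == 0:
        return True
    if not (dir_mode & stat.S_ISVTX):
        return True
    return proc_uid in (file_uid, dir_uid)


def make_sticky_tmpdir() -> str:
    """Create a directory with the mode the page shows for /sticky (drwxrwxrwt, 1777)."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)     # the directory owner may set the sticky bit without privilege
    return d


def create_private_tempfile(directory: str, name: str) -> int:
    """Create a file the way a 077 umask does and return its permission bits (0o600 expected).
    The creation mode 0o666 is what most programs ask for; the umask is what makes it private."""
    path = os.path.join(directory, name)
    old = os.umask(0o077)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old)       # do not leak the umask change to the rest of the process
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    d = make_sticky_tmpdir()
    print(d, "sticky:", is_sticky(d))
    print("scratch file mode: %o" % create_private_tempfile(d, "scratch"))
    print("uid 1002 removing uid 1001's file in a sticky dir:", may_unlink(0o1777, 0, 1001, 1002))
    print("same removal without the sticky bit:", may_unlink(0o777, 0, 1001, 1002))
```

The model makes the point of the section visible: a file left in /tmp with mode 0600 is unreadable to others, and with the sticky bit set it cannot be removed or renamed by them either, so it cannot be replaced by a file of the attacker's choosing under the same name.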
2.6.4 SUID/SGID Clearing
Trusted Tru64 UNIX clears the set-user-ID (SUID) and set-group-ID (SGID) permission bits whenever it writes a file. Be sure to restore these attributes when replacing a program, because a program copied over an existing SUID or SGID binary will otherwise be installed without those bits.
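A replacement routine that records a program's mode before overwriting it and applies it again afterwards, as an added Python example for this page (not a Tru64 tool). It writes the new image to a sibling file and renames it into place, so the program is never half-written and executable at the same time; the explicit os.chmod is what restores SUID/SGID. The demo function and the temporary file names are assumptions for the worked run.

```python
import os
import stat
import tempfile

SPECIAL_BITS = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))


def special_bits(mode: int) -> list:
    """Names of the special permission bits set in a mode, e.g. 0o4755 -> ['setuid']."""
    return [name for bit, name in SPECIAL_BITS if mode & bit]


def replace_program(path: str, new_image: bytes) -> int:
    """Replace an installed program's contents and put its mode bits back.
    Returns the final permission bits; raises if the special bits did not survive."""
    before = stat.S_IMODE(os.stat(path).st_mode)   # record all 12 mode bits first
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(new_image)
    os.chmod(tmp, before)        # re-apply the recorded mode, including SUID/SGID
    os.replace(tmp, path)        # atomic rename over the old program
    after = stat.S_IMODE(os.stat(path).st_mode)
    if special_bits(after) != special_bits(before):
        raise RuntimeError("special bits changed: %s -> %s"
                           % (special_bits(before), special_bits(after)))
    return after


def demo() -> tuple:
    """Install a pretend setuid program in a temporary directory, replace it, and
    return (final mode bits, new contents)."""
    d = tempfile.mkdtemp()
    prog = os.path.join(d, "prog")
    with open(prog, "wb") as f:
        f.write(b"old image")
    os.chmod(prog, 0o4755)       # rwsr-xr-x, as a setuid program would be installed
    mode = replace_program(prog, b"new image")
    with open(prog, "rb") as f:
        content = f.read()
    return mode, content


if __name__ == "__main__":
    mode, content = demo()
    print("mode %o, special bits %s, contents %r" % (mode, special_bits(mode), content))
```

The check at the end of replace_program is the part worth keeping in any install script: on a system that drops these bits on write, a routine that forgets the chmod silently produces a program that no longer runs with the intended privilege, and the failure only shows up later when users cannot perform the privileged operation.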
2.6.5 Access Control Lists
An access control list is a mechanism that can be used to protect files.
Although a file's owner/group/other permissions as shown by ls suggest that a process has access to a file, the file's ACL may not allow the process access. This can be true even if the process has the same effective group as the group of the file. In the following example, group proj1 has write access to the file according to the ls display, but user mario in group proj1 does not have write access according to the ACL, because the named entry for user mario is the one that applies to him and it takes precedence over the owning-group entry. A process must pass all mandatory and discretionary checks before access to any object is allowed.
$ ls -l file
-rw-rw-rw- 1 john proj1 846 Jan 19 14:13 file
$ getacl file
# file:file
# owner:john
# group:proj1
user::rw-
group::rw-
user:mario:r--
group:dev:r--
other::rw-
$ date >file
file: Permission denied
Although the ls listing shows that the owning group has read and write access, the ACL shows that mario has only read access.
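The access decision above can be reproduced by evaluating the ACL the way POSIX.1e-style ACLs are evaluated: the owner is checked against user::, a named user: entry beats any group membership, then any matching group entry that grants the request suffices, and other:: applies last. The Python below is an added example for this page, not Tru64's getacl or access code; the ACL text is transcribed from the getacl output shown, and the handling of an optional mask entry (absent from the page's ACL) is an assumption.

```python
PERM_VALUE = {"r": 4, "w": 2, "x": 1}

# Transcribed from the getacl output shown above.
PAGE_ACL = """\
# file:file
# owner:john
# group:proj1
user::rw-
group::rw-
user:mario:r--
group:dev:r--
other::rw-
"""


def parse_perms(s: str) -> int:
    """'rw-' -> 6, 'r--' -> 4."""
    return sum(PERM_VALUE[c] for c in s if c in PERM_VALUE)


def parse_acl(text: str):
    """Return (owner, owning_group, entries) with entries as (tag, qualifier, perm_bits)."""
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # header lines: file, owner, group
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                owner = value
            elif key == "group":
                owning_group = value
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, parse_perms(perms)))
    return owner, owning_group, entries


def acl_permits(acl_text: str, user: str, groups, want: str) -> bool:
    """Decide whether `user` (member of `groups`) gets the permissions in `want`.
    The first matching class decides; a mask entry, if present, limits named users
    and all group entries (assumed POSIX.1e semantics, not stated on the page)."""
    owner, owning_group, entries = parse_acl(acl_text)
    need = parse_perms(want)

    def entry(tag, qualifier):
        return next((p for t, q, p in entries if t == tag and q == qualifier), None)

    mask = entry("mask", "")
    mask = 7 if mask is None else mask
    if user == owner:                                  # 1. owner
        return (entry("user", "") & need) == need
    named = entry("user", user)
    if named is not None:                              # 2. named user beats group membership
        return ((named & mask) & need) == need
    candidates = [p for t, q, p in entries
                  if t == "group" and ((q == "" and owning_group in groups) or (q and q in groups))]
    if candidates:                                     # 3. any matching group entry may grant
        return any(((p & mask) & need) == need for p in candidates)
    return (entry("other", "") & need) == need         # 4. everyone else


if __name__ == "__main__":
    print("mario (proj1) write:", acl_permits(PAGE_ACL, "mario", ["proj1"], "w"))   # False
    print("anna  (proj1) write:", acl_permits(PAGE_ACL, "anna", ["proj1"], "w"))    # True
```

This is why the ls line is misleading here: the mode bits summarize the owning group's entry, but the check for mario never reaches that entry.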
2.6.6 If You Cannot Log In
There are a number of reasons why a login attempt can fail on a trusted Tru64 UNIX system. The login program usually prints an informative message.
Mistyping the information required to log in is the most common reason for not being able to log in. When you do this, the system displays the following message and prompts you to enter your user name and your password:
Login incorrect
Try to log in again. The system limits the number of times you can enter an incorrect user name and password combination (see Section 2.1.2). If you exceed this limit, the system disables your account. If you forget your password, see your system administrator.
Most of the other reasons that you might not be able to log in are described in Section 2.1.2. The following list summarizes the reasons and explains what you should do:
The terminal is disabled. See your system administrator, who must unlock the terminal before anyone can log in from it. If the terminal you normally log in from has been disabled, someone might have tried to break into the system from that terminal.
Your name is not on the list of authorized users for the terminal. See your system administrator.
Your account is disabled. See your system administrator to have your account reenabled. Your account might be disabled because you (or someone attempting to break in) have made too many unsuccessful login attempts. The account might also be locked by the system administrator.
Your password has expired or its lifetime has passed. If the password has only expired, login calls passwd and you change your password as part of logging in. If the lifetime has passed, your account is disabled; see your system administrator to have it reenabled, and change your password during the next login.
In general, you should see your administrator immediately if your account has been disabled or if anything unexpected happens when you try to log in.