This chapter explains how to log in to the system and use password facilities. Identification and Authentication (I and A) is the security term for all system procedures affecting logging in, changing passwords, and logging out. These procedures have been modified extensively in the trusted Digital UNIX system, but these changes do not dramatically affect the way in which users perform their work on the system.
You should become familiar with the security functions and features of trusted Digital UNIX so that you can recognize any attempted (or successful) unauthorized use of your individual account or of the system in general.
The login procedure on a system running under trusted Digital UNIX is similar to the procedure for nontrusted Digital UNIX systems. This section describes the general process. See the login(1) reference page for details.
On a trusted Digital UNIX system, you are occasionally required to change your password by using the passwd program (see Section 2.2.3 for a description of the circumstances). If you try to log in when your password needs to be changed, the login program calls the passwd program as part of the login procedure. You can also call passwd directly while you are logged in, as you can on a nontrusted Digital UNIX system. Section 2.2 and the passwd(1) reference page describe the process.
The following example is a typical login on a trusted system:
login: juanita
Password: <nonechoed password>
The system then displays the date and time of the last successful and unsuccessful login:
Last successful login for juanita: date and time on tty03
Last unsuccessful login for juanita: date and time on tty03
Always check the successful and unsuccessful login information against your activity on the system. Any discrepancy means that someone has attempted to log in to your account (or did log in to your account). Report this activity immediately to your information system security officer (ISSO).
If your password is about to expire, the system displays a warning:
Your password will expire on date and time
The ISSO sets the warning interval on your system.
After a successful login, the system assigns the following attributes to your login shell:
As you log in, the system stamps your login process with an AUID. The AUID identifies you in the system auditing records so that you can be held accountable for your actions, as described in Section 1.1.3. The audit masks are used to calculate user-specific audit record collection, as set in your authentication profile. The other process identities serve the same purpose as in nontrusted Digital UNIX systems.
An authorized user list can be created for a particular terminal. If such a list exists, your user name must appear in the list or you cannot log in at that terminal. In this case, the system displays the following message:
Not authorized for terminal access--see System Administrator
After a specified number of failed login attempts, the terminal can be locked. This security precaution protects the system against break-in attempts by limiting the number of times someone can try to log in from a given terminal.
A terminal can also be explicitly locked. If the terminal is locked, the system displays the following message:
Terminal is disabled -- see Account Administrator
Your account can be disabled after a specified number of failed login attempts. Like disabling a terminal, this security precaution protects the system by limiting the number of times someone can try to guess your password. Your account is also disabled automatically if your password exceeds its lifetime.
Your account can be explicitly locked. If your account is disabled, the system displays the following message:
Account is disabled -- see Account Administrator
If any of these messages appear when you try to log in, report the occurrence to your administrative staff. If the terminal or your account has been disabled, the ISSO has to enable it again before you can log in.
A trusted Digital UNIX system differs from a nontrusted system in the way in which it generates and controls passwords. A number of options can be selected to determine how passwords are created, issued, changed, and revoked. These options control the following items and are discussed in detail in later sections:
In the trusted system, as in the nontrusted system, the passwd command changes passwords. The prompts this command displays and your interaction with it, however, are different in the trusted system.
If you are not allowed to change your password and you try to run passwd, the system displays the following message:
Password request denied. Reason: you do not have any password changing options.
In this case, you must contact your ISSO and arrange to have your password changed.
If you are allowed to change your password, your account can be set up to allow you to select your password or to have the system generate one. These options determine the dialog the system starts when you invoke passwd. First, the system prompts you for your current password:
Old password:
Type in your old password. If you type it correctly, the system displays password change times:
Last successful password change for user: date and time
Last unsuccessful password change for user: date and time
Always check these dates and times. Although you might not remember exactly when you last changed your password, you should at least be able to decide if the times are reasonable.
The ISSO can allow you to choose one or more of the following password types for your account:
The following example shows the prompt when all possible options are allowed:
Do you want (choose one letter only):
    pronounceable passwords generated for you (g) ?
    a string of characters generated (c) ?
    a string of letters generated (l) ?
    to pick your password (p) ?
Enter choice here:
If you enter p, the system prompts for the new password twice to avoid mistypings.
The following example shows the dialog for a system-generated pronounceable password:
Generating random pronounceable password for user.
The password, along with the hyphenated version, is shown.
Hit <RETURN> or <ENTER> until you like the choice.
When you have chosen the password you want, type it in.
Note: Type "quit" to abort at any time.
Password: saglemot    Hyphenation: sag-le-mot
Enter password:
The hyphenated version is shown to help you pronounce the password so you can remember it more easily. You do not enter the hyphens. If you do not like the first password, press Return to see another one. When the system generates one that you want, enter it.
If you decide not to change your password, you can enter quit or use your interrupt character (typically Ctrl/C). The system displays the following message:
Password cannot be changed. Reason: user stopped program.
The system also updates your last unsuccessful password change time.
The dialog when you select one of the other system-generated password types is similar.
The system enforces a minimum change time, expiration time, and lifetime for each password. Passwords cannot be changed until the minimum change time has passed. This prevents you from changing your password and then immediately changing it back so that you do not have to learn a new password. If you try to change your password too soon, the system responds with the following message:
Password cannot be changed. Reason: minimum time between changes has not elapsed.
A password is valid until its expiration time is reached. Once a password has expired, you must change that password before the system allows you to log in again. You will usually see a message at login time if your password is about to expire. You should change it when you see the message. If you are logged out when your password expires, you can change it as part of the login process when you next log in.
If the lifetime passes, the account is disabled. If you try to log in to a disabled account, the system displays an appropriate message. In this case, you must ask your ISSO to unlock your account, and you must change your password when you next log in.
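The minimum change time, expiration time, lifetime and warning interval as one decision rule, written as an added shell example that is not part of the original documentation; the parameter names and the sample 7/90/120/14-day values are assumptions chosen for illustration, not the system's real database fields:

```shell
#!/bin/sh
# Added example, not from the Digital UNIX documentation: a model of the
# password-aging checks described above. Times are in seconds since the
# epoch; the parameter names and the sample values below are assumptions
# chosen for illustration, not the system's real database fields.

# What login does with a password of a given age.
# Usage: login_state LAST_CHANGE NOW EXPIRE LIFETIME WARN
# Prints one of: valid, warn, expired, disabled.
login_state() {
    age=$(( $2 - $1 ))
    if [ "$age" -ge "$4" ]; then
        echo disabled        # lifetime passed: account disabled, see the ISSO
    elif [ "$age" -ge "$3" ]; then
        echo expired         # expiration reached: login runs passwd first
    elif [ "$age" -ge $(( $3 - $5 )) ]; then
        echo warn            # inside the warning interval set by the ISSO
    else
        echo valid
    fi
}

# Whether passwd accepts a change now.
# Usage: change_allowed LAST_CHANGE NOW MIN_CHANGE
change_allowed() {
    age=$(( $2 - $1 ))
    if [ "$age" -lt "$3" ]; then
        echo "Password cannot be changed. Reason: minimum time between changes has not elapsed."
    else
        echo allowed
    fi
}

# Constructed sample: last change 80 days ago with a 90-day expiration,
# 120-day lifetime, 14-day warning interval and 7-day minimum change time.
DAY=86400
login_state 0 $(( 80 * DAY )) $(( 90 * DAY )) $(( 120 * DAY )) $(( 14 * DAY ))   # warn
change_allowed 0 $(( 80 * DAY )) $(( 7 * DAY ))                                  # allowed
```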
The su command allows you to work on the system temporarily under the user ID of another person. The su command starts a new shell process with the effective and real user and group IDs of the other user. In the trusted Digital UNIX system, the AUID is not changed through an su transition. This means that all actions are accountable to the user who originally logged in to the system, regardless of the number of su transitions, even through root.
See the su(1) reference page for details.
The identification and authentication procedure described in the preceding sections is one of the most important security tools the system uses to guard against unauthorized access. Knowing a password and having physical access to a terminal are all that an unauthorized user needs to gain access to a system.
Once such a user has logged on, he or she can steal data and corrupt the system in subtle ways. The amount of damage a penetrator can do increases with the power of the account accessed.
Remember, a penetrator's actions can be traced only to your account, and you will be held accountable. It is your responsibility to ensure that your account is not compromised.
Protect your password by following these guidelines:
When you tell someone your password and let them log in to your account, the system loses its ability to hold individual users accountable for their own actions.
Many system penetrations occur simply because a user wrote his or her password on a terminal. If a password must be recorded, keep it under lock and key.
This increases the probability that someone can guess the password.
It is possible to steal a password simply by watching someone type it. Be especially careful if you are using a workstation in a public area.
Your ISSO can set defaults for your site that perform automatic checks on passwords you specify.
Although these procedures add a small amount of effort to your login, they help to avoid system compromise.
In addition to following the password security tips, follow these login and logout guidelines:
When you log in, carefully check the reported last login and logout times to make sure they match what you remember as the last time you logged in and out. Make special note of login attempts during the time that you normally do not log in to the system. Report any discrepancies immediately to your ISSO so he or she can analyze the audit trail for the attempted penetration.
Remember, someone who can run a program under your identity can cause great damage. It is much easier for a malicious user to take advantage of an unattended terminal than to coerce you into running a Trojan horse program.
Note any login attempts where you thought you entered the correct password but the system reported it as incorrect, especially if you then log in successfully. If the time reported for the last unsuccessful login is not close to the current time, you might have typed your password into a login spoofing program, and someone may now know your password. Either change it immediately (if you are allowed to do so), or arrange with the ISSO to have it changed.
The mechanisms of trusted Digital UNIX may be somewhat unfamiliar if you are accustomed to a nontrusted Digital UNIX system. If you are a new user, the extra complexity added to satisfy security requirements may create additional confusion.
The following sections provide a guide to common situations that cause users problems. Each description of a potential problem and its suggested solution should give you greater understanding of the security features that are exhibiting unexpected behavior.
The trusted Digital UNIX system enforces two modes of password expiration:
Recall that the system warns you at login time that your password is about to expire. In this case, you should use the passwd command to change it before you log out. If your password expires while you are logged out, the login command calls passwd during the login process. See the login(1) and passwd(1) reference pages and Chapter 2.
The system also warns you if your password was changed by another user since you last logged in successfully. This message is to be expected if you cannot change your own password and the ISSO has changed it for you. If this message appears when you do not expect it, see your ISSO.
If you are accessing the system from a character-mode terminal, the getty command opens the stdin, stdout, and stderr file descriptors on the terminal character device file. Programs that manage to survive the user's logout can still access the terminal because those file descriptors are retained. This is an open opportunity for login spoofing programs, because a background program reading from the terminal file descriptor receives some of the characters that getty and login are requesting for the next user's session.
The Digital UNIX system invalidates all terminal file descriptors after logout. If a program tries to access the login terminal after logout, the access fails. One impact of this feature occurs when you are using write to communicate with another user, and that user logs out or the terminal is disconnected. The next message that you try to send causes write to exit with an error message, because it no longer has access to the other terminal.
Background jobs can be left running after you have logged out. If these jobs attempt to write to a terminal using the write() system call after logout, they receive a hangup signal, and the write fails. The behavior of the program depends on how it handles that error condition.
One of the UNIX permission bits is called the "sticky bit." In older UNIX systems, the sticky bit was set on executable files so that the system retained the program text in the swap area even after there were no active references to the program. This behavior was useful for some earlier computer architectures. On these early systems, the sticky bit for directories had no meaning.
Nontrusted Digital UNIX systems, trusted Digital UNIX systems, and some other recent UNIX variants use the sticky bit on directories to control a possible security hole.
Many commands use standard directories such as /tmp and /var/tmp to store temporary files. These directories are readable and writable by everyone so that all users can create and remove their own files in the temporary directories. Because the directories are writable, however, users can also remove other users' temporary files, regardless of the protection on the file itself.
Setting the sticky bit changes the semantics for writable directories. When the sticky bit is set, only the file's owner, the superuser, or a process with the appropriate privilege can remove a file. Other users cannot remove files from such directories.
If you cannot remove a file from a directory to which you have discretionary write access, check the file's owner and the directory's sticky bit. The sticky bit is on if ls reports a t in the execute bit for others in a long listing. For example:
$ ls -ld /sticky
drwxrwxrwt 11 bin bin 1904 Jan 24 21:56 /sticky
The administrator typically places the sticky bit on all public directories because these directories can be written by any user. These include the following directories:
Most systems combine the sticky directory approach with a policy of specifying restrictive umask values (for example, 077) for user accounts. In this case, temporary files are created as private files, which prevents users from altering or replacing files in shared directories. The user can determine only the file's name and attributes.
The trusted Digital UNIX system default umask is 077. An unauthorized user who tries to access such a file can at most link it from the temporary directory into a private directory; even if such a private copy is saved, the user still cannot read it.
Many systems create temporary directories as private file systems that do not allow links to user directory hierarchies.
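The sticky directory and restrictive umask combination described above, as an added shell example that is not part of the original documentation; the scratch and private directories are created with mktemp for the demonstration, standing in for /tmp and another user's home directory:

```shell
#!/bin/sh
# Added example, not from the Digital UNIX documentation: build a shared
# scratch directory the way the text describes and verify, from the shell,
# the two controls it relies on (the directory's sticky bit and a 077 umask).
# Run as an ordinary user; every path here is constructed by the script.
set -e

# Report whether a directory carries the sticky bit. In a long listing the
# last character of the mode field is 't' (or 'T' if others lack execute).
is_sticky() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# Create a file under the trusted system's default umask (077) and print
# its mode string: the file is private even though the directory is public.
make_private_file() {
    (umask 077 && : > "$1")
    ls -l "$1" | cut -c1-10
}

SCRATCH=$(mktemp -d)        # stand-in for /tmp or /var/tmp
PRIVATE=$(mktemp -d)        # stand-in for another user's home directory
chmod 1777 "$SCRATCH"       # world-writable, plus the sticky bit (the leading 1)

if is_sticky "$SCRATCH"; then
    echo "$SCRATCH is sticky: only a file's owner or the superuser can remove it"
fi
make_private_file "$SCRATCH/job.$$"     # prints -rw-------

# A hard link does not copy the file; it shares the inode, so owner and mode
# come along. Linking a 0600 file into a private directory gains nothing.
ln "$SCRATCH/job.$$" "$PRIVATE/linked"
ls -l "$PRIVATE/linked" | cut -c1-10    # still -rw-------

rm -rf "$SCRATCH" "$PRIVATE"
```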
Trusted Digital UNIX clears the following permission bits whenever it writes a file:
Be sure to restore these attributes when replacing a program.
There are a number of reasons why a login attempt can fail on a trusted Digital UNIX system. The login program usually prints an informative message.
Mistyping the information required to log in is the most common reason for not being able to log in. When you do this, the system displays the following message and prompts you to enter your user name and your password:
Login incorrect
Try to log in again. The system limits the number of times you can enter an incorrect user name and password combination (see Section 2.1.2). If you exceed this limit, the system disables your account. If you forget your password, see your ISSO.
Most of the other reasons that you might not be able to log in are described in Section 2.1.2. The following list summarizes the reasons and explains what you should do:
In general, you should see your ISSO immediately if your account has been disabled or if anything unexpected happens when you try to log in.