This chapter explains how to log in to the system and use password facilities. Identification and Authentication (I and A) is the security term for all system procedures affecting logging in, changing passwords, and logging out. These procedures have been modified extensively in the trusted Digital UNIX system, but these changes do not dramatically affect the way in which users perform their work on the system.
You should become familiar with the security functions and features of trusted Digital UNIX so you can learn to recognize any attempted (or successful) unauthorized use of your individual account or to the system in general.
The login procedure on a system running under trusted Digital UNIX is similar to the procedure for nontrusted Digital UNIX systems. This section describes the general process. See the login(1) reference page for details.
On a trusted Digital UNIX system, you are occasionally required to change your password by using the passwd program (see Section 2.2.3 for a description of the circumstances). If you try to log in when your password needs to be changed, the login program calls the passwd program as part of the login procedure. You can also call passwd directly while you are logged in, as you can on a nontrusted Digital UNIX system. Section 2.2 and the passwd(1) reference page describe the process.
The following example is a typical login on a trusted system:
login: juanita
Password: <nonechoed password>
The system then displays the date and time of the last successful and unsuccessful login:
Last successful login for juanita: date and time on tty03
Last unsuccessful login for juanita: date and time on tty03
Always check the successful and unsuccessful login information against your activity on the system. Any discrepancy means that someone has attempted to log in to your account (or did log in to your account). Report this activity immediately to your information system security officer (ISSO).
If your password is about to expire, the system displays a warning:
Your password will expire on date and time
The ISSO sets the warning interval on your system.
After a successful login, the system assigns the following attributes to your login shell:
As you log in, the system stamps your login process with an AUID. The AUID identifies you in the system auditing records so that you can be held accountable for your actions, as described in Section 1.1.3. The audit masks are used to calculate user-specific audit record collection, as set in your authentication profile. The other process identities serve the same purpose as in nontrusted Digital UNIX systems.
An authorized user list can be created for a particular terminal. If such a list exists, your user name must appear in the list or you cannot log in at that terminal. In this case, the system displays the following message:
Not authorized for terminal access--see System Administrator
After a specified number of failed login attempts, the terminal can be locked. This security precaution protects the system against break-in attempts by limiting the number of times someone can try to log in from a given terminal.
A terminal can also be explicitly locked. If the terminal is locked, the system displays the following message:
Terminal is disabled -- see Account Administrator
Your account can be disabled after a specified number of failed login attempts. Like disabling a terminal, this security precaution protects the system by limiting the number of times someone can try to guess your password. Your account is also disabled automatically if your password exceeds its lifetime.
Your account can be explicitly locked. If your account is disabled, the system displays the following message:
Account is disabled -- see Account Administrator
If any of these messages appear when you try to log in, report the occurrence to your administrative staff. If the terminal or your account has been disabled, the ISSO has to enable it again before you can log in.
A trusted Digital UNIX system differs from a nontrusted system in the way in which it generates and controls passwords. A number of options can be selected to determine how passwords are created, issued, changed, and revoked. These options control the following items and are discussed in detail in later sections:
In the trusted system as in the untrusted system, the passwd command changes passwords. The prompts this command displays and your interaction with it, however, are different in the trusted system.
If you are not allowed to change your password and you try to run passwd, the system displays the following message:
Password request denied. Reason: you do not have any password changing options.
In this case, you must contact your ISSO and arrange to have your password changed.
If you are allowed to change your password, your account can be set up to allow you to select your password or to have the system generate one. These options determine the dialog the system starts when you invoke passwd.
First, the system prompts you for your current password:
Old password:
Type in your old password. If you type it correctly, the system displays password change times:
Last successful password change for user: date and time
Last unsuccessful password change for user: date and time
Always check these dates and times. Although you might not remember exactly when you last changed your password, you should at least be able to decide if the times are reasonable.
The ISSO can allow you to choose one or more of the following password types for your account:
The following example shows the prompt when all possible options are allowed:
Do you want (choose one letter only):
pronounceable passwords generated for you (g) ?
a string of characters generated (c) ?
a string of letters generated (l) ?
to pick your password (p) ?
Enter choice here:
If you enter p, the system prompts for the new password twice to avoid mistypings.
The following example shows the dialog for a system-generated pronounceable password:
Generating random pronounceable password for user.
The password, along with the hyphenated version, is shown.
Hit <RETURN> or <ENTER> until you like the choice.
When you have chosen the password you want, type it in.
Note: Type "quit" to abort at any time.
Password: saglemot  Hyphenation: sag-le-mot
Enter password:
The hyphenated version is shown to help you pronounce the password so you can remember it more easily. You do not enter the hyphens. If you do not like the first password, press Return to see another one. When the system generates one that you want, enter it.
If you decide not to change your password, you can enter quit or use your interrupt character (typically Ctrl/C).
The system displays the following message:
Password cannot be changed. Reason: user stopped program.
The system also updates your last unsuccessful password change time.
The dialog when you select one of the other system-generated password types is similar.
The system enforces a minimum change time, expiration time, and lifetime for each password. Passwords cannot be changed until the minimum change time has passed. This prevents you from changing your password and then immediately changing it back so that you do not have to learn a new password. If you try to change your password too soon, the system responds with the following message:
Password cannot be changed. Reason: minimum time between changes has not elapsed.
A password is valid until its expiration time is reached. Once a password has expired, you must change that password before the system allows you to log in again. You will usually see a message at login time if your password is about to expire. You should change it when you see the message. If you are logged out when your password expires, you can change it as part of the login process when you next log in.
If the lifetime passes, the account is disabled. If you try to log in to a disabled account, the system displays an appropriate message. In this case, you must ask your ISSO to unlock your account, and you must change your password when you next log in.
The su command allows you to work on the system temporarily under the user ID of another person. The su command starts a new shell process with the effective and real user and group IDs of the other user. In the trusted Digital UNIX system, the AUID is not changed through an su transition. This means that all actions are accountable to the user who originally logged in to the system, regardless of the number of su transitions, even through root. See the su(1) reference page for details.
The identification and authentication procedure described in the preceding sections is one of the most important security tools the system uses to guard against unauthorized access. Knowing a password and having physical access to a terminal are all that an unauthorized user needs to gain access to a system.
Once such a user has logged on, he or she can steal data and corrupt the system in subtle ways. The amount of damage a penetrator can do increases as the account accessed has greater power on the system.
Remember, a penetrator's actions can be traced only to your account, and you will be held accountable. It is your responsibility to ensure that your account is not compromised.
Protect your password by following these guidelines:
When you tell someone your password and let them log in to your account, the system loses its ability to hold individual users accountable for their own actions.
Many system penetrations occur simply because a user wrote his or her password on a terminal. If a password must be recorded, keep it under lock and key.
This increases the probability that someone can guess the password.
It is possible to steal a password simply by watching someone type it. Be especially careful if you are using a workstation in a public area.
Your ISSO can set defaults for your site that perform automatic checks on passwords you specify.
Although these procedures add a small amount of effort to your login, they help to avoid system compromise.
In addition to following the password security tips, follow these login and logout guidelines:
When you log in, carefully check the reported last login and logout times to make sure they match what you remember as the last time you logged in and out. Make special note of login attempts during the time that you normally do not log in to the system. Report any discrepancies immediately to your ISSO so he or she can analyze the audit trail for the attempted penetration.
Remember, someone who can run a program under your identity can cause great damage. It is much easier for a malicious user to take advantage of an unattended terminal than to coerce you into running a trojan horse program.
Note any login attempts where you thought you entered the correct password but the system reported it as incorrect, especially if you then log in successfully. If the time reported for the last unsuccessful login is not close to the current time, you might have typed your password into a login spoofing program, and someone may now know your password. Either change it immediately (if you are allowed to do so), or arrange with the ISSO to have it changed.
The trusted Digital UNIX system's mechanisms may be somewhat unfamiliar if you are accustomed to a nontrusted Digital UNIX system. If you are a new user, the extra complexity added to satisfy security requirements may create additional confusion.
The following sections provide a guide to common situations that cause users problems. Each description of a potential problem and its suggested solution should give you greater understanding of the security features that are exhibiting unexpected behavior.
The trusted Digital UNIX system enforces two modes of password expiration:
Recall that the system warns you at login time that your password is about to expire. In this case, you should use the passwd command to change it before you log out. If your password expires while you are logged out, the login command calls passwd during the login process. See the login(1) and passwd(1) reference pages and Chapter 2.
The system also warns you if your password was changed by another user since you last logged in successfully. This message is to be expected if you cannot change your own password and the ISSO has changed it for you. If this message appears when you do not expect it, see your ISSO.
If you are accessing the system from a character-mode terminal, the getty command opens the stdin, stdout, and stderr file pointers to reference the terminal character device file. Programs that manage to survive the user's logout can still access the terminal because its file descriptors are retained. This is an open opportunity for login spoofing programs, because a background program can read the terminal file descriptor and it will be given some of the characters that are also requested by the getty and login programs for the new user session.
The Digital UNIX system invalidates all terminal file descriptors after logout. If a program tries to access the login terminal after logout, the access fails. One impact of this feature occurs when you are using write to communicate with another user, and that user logs out or the terminal is disconnected. The next message that you try to send causes write to exit with an error message, because it no longer has access to the other terminal.
Background jobs can be left running after you have logged out. If these jobs attempt to write to a terminal using the write() system call after logout, they receive a hangup signal, and the write fails. The behavior of the program depends on how it handles that error condition.
One of the UNIX permission bits is called the "sticky bit." In older UNIX systems, the sticky bit was set on executable files so that the system retained the program text in the swap area even after there were no active references to the program. This behavior was useful for some earlier computer architectures. On these early systems, the sticky bit for directories had no meaning.
Nontrusted Digital UNIX systems, trusted Digital UNIX systems, and some other recent UNIX variants use the sticky bit on directories to control a possible security hole.
Many commands use standard directories such as /tmp and /var/tmp to store temporary files. These directories are readable and writable by everyone so that all users can create and remove their own files in the temporary directories. Because the directories are writable, however, users can also remove other users' temporary files, regardless of the protection on the file itself.
Setting the sticky bit changes the semantics for writable directories. When the sticky bit is set, a file can be removed only by its owner, by the superuser, or by a process with the appropriate privilege. Other users cannot remove files from such directories.
If you cannot remove a file from a directory to which you have discretionary write access, check the file's owner and the directory's sticky bit. The sticky bit is on if ls reports a t in the execute bit for others in a long listing. For example:
$ ls -ld /sticky
drwxrwxrwt 11 bin bin 1904 Jan 24 21:56 /sticky
The administrator typically places the sticky bit on all public directories because these directories can be written by any user. These include the following directories:
/tmp
/var/tmp
/var/preserve
Most systems combine the sticky directory approach with a policy of specifying restrictive umask values (for example, 077) for user accounts. In this case, temporary files are created as private files, which prevents users from altering or replacing files in shared directories. The user can determine only the file's name and attributes. The trusted Digital UNIX system default umask is 077. If unauthorized users try to access such a file, they will only be able to link the file from the temporary directory into a private directory, but will not be able to read the file even if a private copy can be saved.
Many systems create temporary directories as private file systems that do not allow links to user directory hierarchies.
Trusted Digital UNIX clears the following permission bits whenever it writes a file:
Be sure to restore these attributes when replacing a program.
There are a number of reasons why a login attempt can fail on a trusted Digital UNIX system. The login program usually prints an informative message.
Mistyping the information required to log in is the most common reason for not being able to log in. When you do this, the system displays the following message and prompts you to enter your user name and your password:
Login incorrect
Try to log in again. The system limits the number of times you can enter an incorrect user name and password combination (see Section 2.1.2). If you exceed this limit, the system disables your account. If you forget your password, see your ISSO.
Most of the other reasons that you might not be able to log in are described in Section 2.1.2. The following list summarizes the reasons and explains what you should do:
In general, you should see your ISSO immediately if your account has been disabled or if anything unexpected happens when you try to log in.