This chapter discusses the following topics:
New authentication routines
The support libraries
Using daemons
The user authentication profile in the protected password database for enhanced security
Some brief cautions for handling passwords
Tru64 UNIX preserves all traditional UNIX process user and group identities. Additionally, it provides the per-process audit ID (AUID), which is unique to Tru64 UNIX. The AUID is similar in principle to the real user ID, except that it remains unchanged even in cases where the real user ID changes.
The audit ID is associated with all audit records and establishes the user identity even in those cases where the real and effective user IDs have been changed from their values at login.
The audit ID can be set only once in a line of process descendants, regardless of any process privileges. The audit ID is set at login to the authenticated user (the same as the real and effective user IDs) and is inherited from parent to child when a process forks using the fork() system call.
Programs that are created from startup scripts or that are created as a result of respawn entries in the inittab file are created with an unset audit ID. Such programs are normally authentication programs (getty/login sequences, window managers, trusted path managers) that set the AUID based on the user that authenticates through that interface.
Programs started through startup scripts typically receive requests for service on behalf of users and spawn a process to service that request. Such programs typically set the audit ID in the child service process based on the requesting process's effective identity. If you are writing this type of program, you should use the SIA routines. The SIA routines properly set up the user's environment in the child process regardless of the security mechanisms in use on the system.
The getluid() and setluid() system calls read and set the audit ID. See their reference pages for details.
The Tru64 UNIX operating system provides several library routines for managing user and group identities. For example, the set_auth_parameters() routine, which is required for the enhanced security routines and is usually called at the beginning of a program's main() routine, stores the initial user and group IDs so that the other routines can later query or test them. Several of the enhanced security routines for querying the authentication database require the program to have called set_auth_parameters() before changing any of the user or group IDs (or the command arguments argc and argv). See the identity(3) reference page for more information.
Whenever a daemon performs an operation at the request of a user program (the client), it acts in one of two ways:
It can run under its own identities, authorizations, and privileges, making its own decisions about what actions the requesting program may or may not perform. In this case, it does not need to change any of its own user identities.
It can have the underlying operating system enforce operations as if the daemon had the client's security attributes (user IDs, authorizations, and so forth).
In the latter case, the daemon needs to establish a set of security attributes. The preferred technique is to fork a process, set the identities and privileges using SIA, and then either perform the actions directly or execute a program to perform them.
Although the enhanced security protected password database is intended mainly for Tru64 UNIX programs, your programs may need to use the fields described in the following list. (These fields are also described in the getespwent(3) and prpasswd(4) reference pages, the prot.h include file, and the administrative part of this document.)
User name (u_name) and ID (u_id) -- These correspond to the user name and ID in /etc/passwd.
Encrypted password (u_pwd) -- This is the real encrypted password.
Retired status (u_retired) -- Indicates whether the authentication profile is valid. If not valid, login sessions are not allowed. Once retired, an account should never again be reused.
Login session priority (u_priority) -- The process priority assigned to programs of the user login session using setpriority().
User audit mask (u_auditmask) and control flags (u_audcntl) -- This mask and its control flags, in conjunction with the system audit mask, designate the events audited during the login session. The login program assigns a mask to the user's login shell. Audit masks and the control flags are inherited across exec() and fork() calls. See Chapter 19 and the auditmask(8) reference page for more information.
Password parameters -- The following parameters describe the login password and its generation:
Maximum password length in characters (u_maxlen)
Password expiration interval (u_exp)
Minimum password lifetime (u_minchg)
Password lifetime (u_life)
Time and date of last successful password change (u_succhg)
Time and date of last unsuccessful password change attempt (u_unsucchg)
User who last changed the password (u_pwchanger)
Password generation parameters (u_genpwd)
Login password requirements (u_nullpw) -- This is sometimes called the "null password option" and controls attempts to set a null password. Most administrators do not allow this option.
Times during which a user may log in (u_tod) -- This field is formatted like the UUCP systems file. (The systems file describes when a remote system can be contacted for file transfer.) It determines the valid times for a user to log in.
Time and date of last login (u_suclog) -- Expressed as a canonical UNIX time (in seconds since 1970).
Terminal used during last login (u_suctty) -- The terminal name is a cross-reference to the device assignment and terminal control databases.
Number of unsuccessful login attempts since last login (u_numunsuclog) -- This value is used to compute whether the terminal is disabled due to too many unsuccessful attempts.
Number of unsuccessful login attempts allowed before disabling (u_maxtries) -- This value is the user-specific limit for the number of unsuccessful attempts allowed until the account is disabled.
Lock status (u_lock) -- Whether or not the administrator has locked the account. A locked profile cannot be used for login or other services. Only an explicit request from the system administrator should unlock an authentication profile, and only programs that handle such requests should reset the locked field. A common programming error is to assume that the lock indicates all lock conditions. This indicator shows only the status of the administrative lock. An account may also be locked due to a password lifetime expiration or exceeding the number of unsuccessful attempts allowed for the account.
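The lock-status caveat above, as an added example that is not code from the Tru64 UNIX documentation: a check that evaluates every lock condition this section names rather than u_lock alone. The struct (a constructed model named after the u_* fields, not the es_passwd layout from prot.h), the treatment of a zero u_life or u_maxtries as "no limit", and the comparison against u_maxtries are assumptions for illustration; a real program obtains these values through getespwuid().

```c
#include <stdio.h>
#include <time.h>

/* Constructed model of the protected password database fields that decide
 * whether a login may proceed.  Illustration only: prot.h keeps these in
 * fd_* members with fg_* presence flags; the names here follow the chapter. */
struct prpw_lock_fields {
    int    u_retired;      /* nonzero: profile retired, never reuse           */
    int    u_lock;         /* nonzero: administrator has locked the account   */
    time_t u_life;         /* password lifetime, seconds (0: none, assumed)   */
    time_t u_succhg;       /* last successful password change, UNIX time      */
    int    u_numunsuclog;  /* unsuccessful login attempts since last login    */
    int    u_maxtries;     /* attempts allowed before disabling (0: no limit, assumed) */
};

enum lock_reason { LOCK_NONE, LOCK_RETIRED, LOCK_ADMIN, LOCK_LIFETIME, LOCK_MAXTRIES };

/* Evaluate every lock condition, not only the administrative u_lock.
 * 'now' is a parameter so the decision is reproducible in tests. */
enum lock_reason account_lock_reason(const struct prpw_lock_fields *p, time_t now)
{
    if (p->u_retired)
        return LOCK_RETIRED;                      /* retired profiles never log in */
    if (p->u_lock)
        return LOCK_ADMIN;                        /* administrative lock           */
    if (p->u_life > 0 && now - p->u_succhg > p->u_life)
        return LOCK_LIFETIME;                     /* password lifetime expired     */
    if (p->u_maxtries > 0 && p->u_numunsuclog >= p->u_maxtries)
        return LOCK_MAXTRIES;                     /* failed-attempt limit reached  */
    return LOCK_NONE;
}

const char *lock_reason_text(enum lock_reason r)
{
    switch (r) {
    case LOCK_RETIRED:  return "profile retired";
    case LOCK_ADMIN:    return "administrative lock (u_lock)";
    case LOCK_LIFETIME: return "password lifetime expired";
    case LOCK_MAXTRIES: return "unsuccessful login limit reached";
    default:            return "not locked";
    }
}

int main(void)
{
    /* constructed sample: u_lock clear, but the password is 100 days old
     * against a 60-day lifetime, so the account is still locked */
    struct prpw_lock_fields p = { 0, 0, 60 * 86400L, 0, 1, 5 };
    p.u_succhg = time(NULL) - 100 * 86400L;
    printf("%s\n", lock_reason_text(account_lock_reason(&p, time(NULL))));
    return 0;
}
```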
Your program can assume that with enhanced security enabled, the user name and ID in the protected password database are maintained by the system to have a corresponding entry in the /etc/passwd file.
The program named myexpire in Example 18-1 is a program for use with enhanced security that prints the user's password expiration time as defined in the protected password database. This program is part of the authentication protected subsystem and runs in the set group ID (SGID) mode, setting the GID to auth.
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <sys/security.h>
#include <prot.h>

/* Externally defined helpers, not shown in this example:
 *   audit_db_error()  -- records an audit event for a database inconsistency
 *   audit_action()    -- records an audit event and reports the expiration date
 *   errmsg()          -- prints the message and exits with a nonzero status
 *                        (assumed to be defined alongside the audit helpers) */
extern void audit_db_error(struct es_passwd *acct);
extern void audit_action(char *name, time_t expire_date);
extern void errmsg(char *msg);

int
main(int argc, char *argv[])
{
    struct es_passwd *acct;
    time_t expire_time;
    time_t expire_date;

    /*--- Standard initialization ---*/
    set_auth_parameters(argc, argv);
    initprivs();

    /*--- fetch account information using audit ID ---*/
    if ((acct = getespwuid(getluid())) == NULL)
        errmsg("Internal error");

    /*-- test if personal or system default applies and print --*/
    if (acct->uflg->fg_expire)
        expire_time = acct->ufld->fd_expire;
    else if (acct->sflg->fg_expire)
        expire_time = acct->sfld->fd_expire;
    else {
        audit_db_error(acct);   /* audit (externally defined) */
        errmsg("No user-specific or system default expiration time.");
    }

    /* the presence flag for the last successful change time lives in the
     * user flag structure (uflg), not in the field structure (ufld) */
    if (!acct->uflg->fg_schange) {
        audit_db_error(acct);   /* audit (externally defined) */
        errmsg("Account does not have successful change time");
    }

    expire_date = acct->ufld->fd_schange + expire_time;

    /* a pending forced password change means the password expires now */
    if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd)
        expire_date = time((time_t *) NULL);

    audit_action(acct->ufld->fd_name, expire_date);
    exit(0);
}
Note
The protected password database files are accessible only to processes in the auth group. Programs that need to read the protected password database files must set the group ID to auth (see the setgid(2) reference page). To write this information you must set the UID to 0 or a user ID and have a group ID of auth.
Tru64 UNIX has been designed so that trusted programs can authenticate their users without specifically asking for passwords. Tru64 UNIX explicitly uses the audit ID for this purpose. Additional password handling is usually not necessary and is difficult to handle securely. Appendix D provides an example of a program for password checking.