
Authentication and Authorization

Authentication is a way to restrict access to specific users when accessing a remote system. You can set authentication up at both the system and the network level. Once a user gains access to a remote system, authorization is a way to restrict operations that the user can perform on the remote system.

The types of authentication and authorization that can help protect your systems on the network against unauthorized use are listed in Table 18-10.

Table 18-10 Types of Authentication and Authorization

Type                        Description
NIS+                        The NIS+ name service can provide both authentication and authorization at the network level.
Remote login programs       The remote login programs (rlogin, rcp) enable users to log into a remote system over the network and use its resources. If your system is a trusted host, authentication is automatic; otherwise, you are asked to authenticate yourself.
Secure RPC                  Secure RPC improves the security of network environments by authenticating users who make requests on remote systems. You can use the UNIX, DES, or Kerberos authentication system for Secure RPC.
DES Encryption              The Data Encryption Standard (DES) encryption functions use a 56-bit key to encrypt a secret key. Although DES is an encryption algorithm, it can be used as part of data authentication.
Diffie-Hellman Authentication  This authentication method is based on the capability of the sending system to use the common key to encrypt the current time, which the receiving system can decrypt and check against its own current time.
Kerberos Version 4          Used to authenticate a user when logging in to the system.
Solstice AdminSuite         The Solstice AdminSuite product provides authentication and authorization mechanisms for remotely managing systems with the AdminSuite tools.

Monitoring Login Security Information

The following sections describe how to monitor login information in the following ways:

  Display a user's login status.
  Temporarily disable user logins.
  Save failed login attempts.

Displaying a User's Login Status

Use the logins command to display the status of users who are logged in. Using the logins command with no arguments displays a list of all user and system login accounts. Use the options listed in Table 18-11 to control the output displayed by the logins command.

Table 18-11 Options to the logins Command

Option      Description
-a          Add two password expiration fields to the display. The fields show how many days a password can remain unused before it automatically becomes inactive, and the date on which the password expires.
-d          List logins with duplicate UIDs.
-m          Display multiple group membership information.
-o          Format the output into one line of colon-separated fields.
-p          Display logins with no passwords.
-s          Display all system logins.
-t          Sort output by login name instead of by UID.
-u          Display all user logins.
-x          Print an extended set of information about each specified user. The extended information displays the home directory, login shell, and password aging information, each on a separate line. The password information includes the password status (PS for password, NO for no password, or LK for locked). If the login has a password, the status is followed by the date the password was last changed, the number of days required between changes, and the number of days allowed before a change is required. The password aging information shows the time interval during which the user receives a password expiration warning message at login before the password expires.
-g group    List all users belonging to the group, sorted by login. You can specify multiple groups as a comma-separated list.
-l login    List the requested login. You can specify multiple logins as a comma-separated list. Depending on the name service lookup types set in /etc/nsswitch.conf, the information can come from the /etc/passwd and /etc/shadow files and from other name services.

The logins command uses the following syntax:

/usr/bin/logins [-admopstux] [-g <group1>,<group2>…]

You can group options together. When you group options, any login that matches any of the criteria is displayed. When you combine the -l and -g options, a user is listed only once, even if the user belongs to more than one of the specified groups.

NOTE: You must be superuser to run the logins command.
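As an added example that is not from this book, the POSIX shell script below audits a saved snapshot of logins -o -x output for accounts with no password and for shared UIDs (what -p and -d report interactively), so the same check can be run later against an archived snapshot; the sample snapshot is constructed, and the colon-separated field order is assumed from the -x description above.

```shell
#!/bin/sh
# Added example, not the book's own code: audit a saved "logins -o -x" snapshot.
# Assumed -o -x field layout (one account per line, colon-separated):
#   login:uid:group:gid:comment:home:shell:status:changed:min:max:warn
# where status is PS, NO or LK as described for the -x option.

# Constructed sample standing in for: logins -o -x > /var/tmp/logins.snap
SAMPLE='root:0:root:0:Super-User:/:/sbin/sh:PS:011503:-1:-1:-1
daemon:1:other:1::/:/sbin/sh:LK:000000:-1:-1:-1
toor:0:root:0:Backup super-user:/:/sbin/sh:PS:011503:-1:-1:-1
guest:100:staff:10:Guest account:/home/guest:/bin/sh:NO:000000:-1:-1:-1
alice:1001:staff:10:Alice:/home/alice:/bin/ksh:PS:020103:7:56:14'

# Reads a snapshot on stdin and prints one finding per line:
#   NOPASS <login>             password status is NO (what logins -p lists)
#   DUPUID <uid> <login,...>   UID shared by several accounts (what logins -d lists)
audit_logins() {
    awk -F: '
        NF >= 8 && $8 == "NO" { print "NOPASS " $1 }
        NF >= 2 {
            n[$2]++
            who[$2] = (who[$2] == "" ? $1 : who[$2] "," $1)
        }
        END { for (u in n) if (n[u] > 1) print "DUPUID " u " " who[u] }
    ' | sort
}

# Number of findings of one kind in the sample, e.g. count_findings NOPASS
count_findings() {
    printf '%s\n' "$SAMPLE" | audit_logins | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE" | audit_logins
```

On a real system, replace the constructed SAMPLE with the contents of a snapshot file written by the superuser.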
