HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Authenticating Users During Login


To gain access to a system and its resources, users are required to log in. By controlling access to the system, you can try to prevent unauthorized users from accessing the system. However, even if unauthorized users do gain access, you can still prevent them from running programs that consume resources and from accessing system data. This section explains what happens during the login process from the time you type your user name to the time you get a shell prompt.

Explanation of the Login Process

The following steps describe the login process. This information shows how important it is to create unique user names and to maintain a password security policy. For more information, refer to login(1).

  1. After the system is installed, the desktop Login Manager displays a login screen. The Common Desktop Environment (CDE) displays a CDE login screen if it is installed.

  2. The init program spawns a getty process, which prompts you for a user name. You enter your user name. The getty program passes the user name to the login program.

  3. The login program searches /etc/passwd for the user name.

    • If the user name exists, login goes to step 4.

    • If the user name does not exist, then login does the following checks:

      • Prompts for a password (Password: ).

      • If an invalid password is entered, the system displays the Invalid login error message.

      • Updates the /var/adm/btmp file if it exists. The /var/adm/btmp file keeps track of invalid login attempts. See Section  for more information.

      • Exits after three consecutive invalid login attempts.

  4. The login process verifies the /etc/passwd file.

    • If the password field is set, login prompts for a password and goes to step 5.

    • If the password field is not set, the user does not need a password and login goes to step 6.

  5. The login process compares the password to the encrypted password in /etc/passwd.

    • If the password matches, login goes to step 6.

    • If the password does not match, login displays Invalid login. The login process allows three consecutive login attempts. After the user's third invalid login attempt, login exits.

  6. The login process updates the /var/adm/wtmp file, which keeps track of valid logins. See Section  for more information.

    After a successful login, the user and group IDs, group access list, and working directory are initialized.

  7. The login process then runs the command in the command field of the /etc/passwd file. Typically, the command field is the path name of a shell, such as /bin/ksh, /bin/csh, or /bin/sh. If the command field is empty, the default is /bin/sh.

    The command field does not have to be a shell. See Section  for an example of running another command.

  8. After the shell initialization is complete, the system displays a prompt and waits for user input.

You can have the login process perform further user authentication using the Pluggable Authentication Modules (PAM). For more information, see pam.conf(4) and Section .
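As an added example (not from the HP-UX guide), the following POSIX shell script audits a passwd-format file for the two conditions that steps 4 and 7 above single out: an empty password field, which lets login skip the password prompt entirely, and an empty command field, which makes login fall back to /bin/sh. The account names and file contents are constructed, and the x in the password field is only a placeholder for an encrypted password.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): audit a passwd-format file for
# accounts that the login sequence would admit without a password (empty
# second field) and show which command login would run for each account
# (seventh field; empty means /bin/sh).

# Constructed sample in /etc/passwd format; account names are made up and
# "x" is a placeholder, not a real encrypted password.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
guest::200:20:Guest account:/home/guest:/usr/bin/ksh
report:x:201:20:Report user:/home/report:/usr/local/bin/report
oldsvc::202:20:Legacy service:/home/oldsvc:
EOF

# Print the names of accounts whose password field is empty; login would
# not prompt these for a password at all.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print "user command" for every account, substituting the /bin/sh default
# that login uses when the command field is empty.
login_commands() {
    awk -F: '{ cmd = ($7 == "") ? "/bin/sh" : $7; print $1, cmd }' "$1"
}

passwordless_accounts "$SAMPLE_PASSWD"
login_commands "$SAMPLE_PASSWD"
```

Run the same two functions against a copy of /etc/passwd to find accounts that bypass the password check in step 4 and accounts whose command field is not the shell you expect.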

Checking the login Tracking Files (btmp and wtmp)

The following files keep a log of logins:

  • The /var/adm/btmp file keeps track of failed logins.

  • The /var/adm/wtmp file keeps track of successful logins.

Use the lastb command to read the /var/adm/btmp file to see if unauthorized users have attempted to log in.

Use the last command to read the /var/adm/wtmp file.

The last and lastb commands display the most recent user information, in descending order.

The wtmp and btmp files tend to grow without bound, so check them regularly. Periodically remove information that is no longer useful so that the files do not become too large. The wtmp and btmp files are not created by the programs that maintain them. If these files are removed, login record keeping is turned off.

A common mistake users make during login is to enter the password, or part of the password, at the login prompt. This failed login is recorded in the btmps file and exposes the password or partial password. For this reason, the file protection on the btmps file should be set so that it is readable only by administrators.

# chmod 400 /var/adm/btmps

If the security policy requires that past sessions of one user cannot be viewed by another user, then the file protection of the /var/adm/wtmp file may also need to be changed.
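The maintenance points above (rotate rather than delete, because a missing btmp or wtmp silently turns record keeping off, and keep btmp unreadable to ordinary users) as an added POSIX shell example that is not part of the guide. It works on a scratch directory with constructed stand-in files instead of /var/adm so that it can be run safely; the real files are binary records, but the permission and rotation handling is the same.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): maintain the btmp/wtmp login
# records without switching record keeping off. Removing the files stops
# logging, so rotation truncates in place instead of deleting.

# Constructed scratch stand-ins for /var/adm/btmp and /var/adm/wtmp.
ADM_DIR=$(mktemp -d)
trap 'rm -rf "$ADM_DIR"' EXIT
printf 'failed-login-records\n' >"$ADM_DIR/btmp"
printf 'successful-login-records\n' >"$ADM_DIR/wtmp"
chmod 644 "$ADM_DIR/btmp" "$ADM_DIR/wtmp"

# Report "world-readable" or "restricted" from the ls -l mode string
# (character 8 is the "other" read bit); this avoids stat(1), whose
# options differ between HP-UX and GNU systems.
other_readable() {
    mode=$(ls -ld "$1" | cut -c8)
    if [ "$mode" = "r" ]; then echo world-readable; else echo restricted; fi
}

# Restrict a login log to the administrator, as the guide does for btmps.
restrict_login_log() {
    chmod 400 "$1"
}

# Rotate a login log: keep one archived copy and truncate the live file so
# the file stays in place and login keeps appending to it. A missing file
# is an error, because it means record keeping is already off.
rotate_login_log() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f missing: login record keeping is off" >&2
        return 1
    fi
    cp -p "$f" "$f.0"
    : >"$f"
}

other_readable "$ADM_DIR/btmp"
restrict_login_log "$ADM_DIR/btmp"
other_readable "$ADM_DIR/btmp"        # restricted
rotate_login_log "$ADM_DIR/wtmp"
```

The archived copy keeps the mode of the original (cp -p), so a restricted btmp stays restricted after rotation; apply the same check to wtmp if your policy says one user's past sessions must not be visible to another.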

See last(1), utmp(4), and wtmp(4) for more information.

The utmp database is a user accounting database managed and synchronized according to /var/adm/utmp by the utmpd command. Application programs can access the utmps database. See utmpd(1M) and utmps(4).

Last Command Examples

This section contains examples of using the last command. The following command lists all of the root sessions and all sessions on the console terminal:

# last root console | more
root      pts/1        Mon Mar 12 16:22 - 18:04  (01:41)
abcdeux   console      Mon Mar 12 10:13 - 10:19  (00:06)
root      pts/2        Fri Mar  9 13:51 - 15:12  (01:21)
abcdeux   console      Thu Mar  8 12:21 - 12:22  (00:00)
root      pts/ta       Wed Mar  7 15:38 - 18:13  (02:34)

The following command lists when reboots have occurred:

# last reboot
reboot    system boot  Sun Mar 28 18:06   still logged in
reboot    system boot  Sun Mar 28 17:48 - 18:06  (00:17)
reboot    system boot  Sun Mar 28 17:40 - 17:48  (00:08)
reboot    system boot  Thu Feb 19 18:25 - 17:40  (37+23:15)
reboot    system boot  Mon Feb 16 13:56 - 18:25  (3+04:28)
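As an added example that is not part of the guide, the script below summarises failed-login records in the column layout of the last listing above (lastb is assumed to print the same columns for btmp). The lines are constructed sample output piped in on standard input, so nothing is read from the real btmp; the user names, the known-account list and the Passw0rd entry are all made up.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): summarise failed logins from
# lastb-style records. The sample below is constructed, not real output.
LASTB_SAMPLE='root      console      Mon Mar 12 16:22 - 16:22  (00:00)
guest     pts/1        Mon Mar 12 16:20 - 16:20  (00:00)
root      pts/1        Mon Mar 12 16:19 - 16:19  (00:00)
root      pts/1        Mon Mar 12 16:19 - 16:19  (00:00)
Passw0rd  pts/2        Mon Mar 12 09:03 - 09:03  (00:00)
jdoe      pts/2        Mon Mar 12 09:02 - 09:02  (00:00)'

# Accounts that exist on the system (constructed list; on a real host take
# this from the first field of /etc/passwd).
KNOWN_USERS="root guest jdoe"

# Count failed attempts per user name, most frequent first.
failed_logins_per_user() {
    awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Print user names with at least $1 failures; three is the number of
# consecutive attempts login allows before it exits.
flag_repeated_failures() {
    awk -v t="$1" '{ n[$1]++ } END { for (u in n) if (n[u] >= t) print u }' | sort
}

# Print records whose "user name" is not a known account. The guide notes
# that such entries are often a password typed at the login prompt, so the
# owner should change that password and the file must stay unreadable to
# ordinary users.
unknown_user_failures() {
    awk -v known="$KNOWN_USERS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($1 in ok) { print $1, $2, $3, $4, $5, $6 }'
}

printf '%s\n' "$LASTB_SAMPLE" | failed_logins_per_user
printf '%s\n' "$LASTB_SAMPLE" | flag_repeated_failures 3
printf '%s\n' "$LASTB_SAMPLE" | unknown_user_failures
```

On a real system replace the printf with lastb itself, for example lastb | flag_repeated_failures 3, and build KNOWN_USERS from /etc/passwd.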

Checking Who Is Logged In

The who command examines the /etc/utmp file to obtain current user login information. In addition, the who command can list logins, logoffs, reboots, changes to the system clock, and processes spawned by the init process.

Use the who -u command to monitor who is currently logged in. For example:

# who -u
aperson   console      Aug  5 11:28   old   5796  system.home.company.com
aperson   pts/0        Aug 17 18:11  0:03  24944  system
aperson   pts/1        Aug  5 11:28  1:14   5840  system

See who(1) for more information.
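An added example, not from the guide, that turns the who -u listing above into a check for sessions left idle too long. It assumes the column layout shown (name, line, login date and time, idle time, pid, host), where old means idle for more than 24 hours and H:MM is the idle time; a lone period in the idle column, taken here to mean activity within the last minute, is an assumption not shown on the page. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): flag logged-in sessions that have
# been idle at least a given number of minutes, from who -u style output.
# Constructed sample in the who -u layout; the bperson line is made up.
WHO_SAMPLE='aperson   console      Aug  5 11:28   old   5796  system.home.company.com
aperson   pts/0        Aug 17 18:11  0:03  24944  system
aperson   pts/1        Aug  5 11:28  1:14   5840  system
bperson   pts/2        Aug 17 18:40     .  25013  system'

# Convert the idle column to minutes. "old" (more than 24 hours) becomes
# 1440 so it exceeds any sensible threshold; "." (assumed to mean active
# within the last minute) becomes 0; H:MM is converted arithmetically.
idle_minutes() {
    case "$1" in
        old) echo 1440 ;;
        .)   echo 0 ;;
        *)   echo "$1" | awk -F: '{ print $1 * 60 + $2 }' ;;
    esac
}

# Print "name line pid idle-minutes" for every session idle at least $1
# minutes; these are candidates for an unattended-terminal follow-up.
idle_sessions() {
    threshold=$1
    while read -r name line mon day time idle pid rest; do
        mins=$(idle_minutes "$idle")
        if [ "$mins" -ge "$threshold" ]; then
            echo "$name $line $pid $mins"
        fi
    done
}

printf '%s\n' "$WHO_SAMPLE" | idle_sessions 60
```

On a live system pipe who -u into idle_sessions directly; the pid in the output is the one who reports for the session, so an administrator can investigate the process before deciding whether to end it.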

© 2008 Hewlett-Packard Development Company, L.P.