
Practical UNIX & Internet Security

Chapter 3: Users and Passwords

3.3 Entering Your Password

Telling the computer your password is the way that you prove to the computer that you are you. In classical security parlance, your password is what the computer uses to authenticate your identity (two words that have a lot of significance to security gurus, but generally mean the same thing that they do to ordinary people).

When you log in, you tell the computer who you are by typing your username at the login prompt. You then type your password (in response to the password prompt) to prove that you are who you claim to be. For example:

login: sarah
password:

As we mentioned above, UNIX does not display your password when you type it.

If the password that you supply with your username corresponds to the one on file, UNIX logs you in and gives you full access to all of your files, commands, and devices. If either the password or the username does not match, UNIX does not log you in.

On some versions of UNIX, if somebody tries to log into your account and supplies an invalid password several times in succession, your account will be locked. A locked account can be unlocked only by the system administrator. Locking has two functions:

  1. It protects the system from someone who persists in trying to guess a password; before they can guess the correct password, the account is shut down.

  2. It notifies you that someone has been trying to break into your account.

If you find yourself locked out of your account, you should contact your system administrator and get your password changed to something new. Don't change your password back to what it was before you were locked out.

NOTE: The automatic lockout feature can prevent unauthorized use, but it can also be used to conduct denial of service attacks, or by an attacker to lock selected users out of the system so as to prevent discovery of his actions. A practical joker can use it to annoy fellow employees or students. And you can lock yourself out if you try to log in too many times before you've had your morning coffee. In our experience, indefinite automatic lockouts aren't particularly helpful. A much better method is to employ an increasing delay mechanism in the login. After a fixed number of unsuccessful logins, an increasing delay can be inserted between each successive prompt. Implementing such delays in a network environment requires maintaining a record of failed login attempts, so that the delay cannot be circumvented by an attacker who merely disconnects from the target machine and reconnects.

AIX version 4 can be configured for increased delays at successive login prompts by editing the logindelay variable in the file /etc/security/login.cfg. AIX also supports automatic locking of terminals with automatic reenablement after some time with the logindisable and loginreenable attributes in the same file.

The Linux operating system gives the user 10 chances to log in, with an increasing delay after each attempt. This achieves essentially the same goal as a lockout (preventing someone from trying lots of passwords within a short amount of time), but it limits denial of service attacks as well.
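The increasing-delay mechanism described in the note above and in the Linux paragraph, as an added example (not code from the book, from AIX or from any Linux login program): failed-attempt state is kept per account on the server side, so disconnecting and reconnecting does not reset it; the delay doubles after a fixed number of free attempts and is capped instead of locking the account indefinitely. The account name, password and salted-hash scheme are constructed for illustration.

```python
import hashlib
import hmac
import os

FREE_ATTEMPTS = 3      # failures tolerated before any delay is imposed
BASE_DELAY = 1.0       # seconds; doubles on each further failure
MAX_DELAY = 60.0       # cap: the legitimate user can still get in eventually

# Constructed sample account; a salted SHA-256 stands in for the password file.
_SALT = os.urandom(16)

def _hash(pw: str) -> bytes:
    return hashlib.sha256(_SALT + pw.encode()).digest()

USERS = {"sarah": _hash("correct horse")}

# failures[username] -> consecutive failed attempts. Keyed by account, not by
# connection, so an attacker who reconnects between tries gains nothing.
failures: dict[str, int] = {}

def delay_for(username: str) -> float:
    """Seconds to wait before answering this account's next attempt."""
    n = failures.get(username, 0)
    if n < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (n - FREE_ATTEMPTS), MAX_DELAY)

def attempt_login(username: str, password: str, sleep=None) -> tuple[bool, float]:
    """Impose the current delay, then check the password. Returns (ok, delay).
    Pass sleep=time.sleep for real use; the default only reports the delay."""
    wait = delay_for(username)
    if sleep is not None:
        sleep(wait)
    stored = USERS.get(username)
    # constant-time comparison so the check itself leaks nothing through timing
    ok = stored is not None and hmac.compare_digest(stored, _hash(password))
    if ok:
        failures.pop(username, None)       # success resets the counter
    else:
        failures[username] = failures.get(username, 0) + 1
    return ok, wait

def simulate(attempts) -> list[float]:
    """Run constructed (username, password) attempts; return delays imposed."""
    return [attempt_login(u, p)[1] for u, p in attempts]

if __name__ == "__main__":
    trace = [("sarah", "guess%d" % i) for i in range(5)] + [("sarah", "correct horse")]
    print(simulate(trace))   # [0.0, 0.0, 0.0, 1.0, 2.0, 4.0]
```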