Define Restricted Logins


About this document
About the procedure
Steps to implement Example I - Restrict root login
How to implement Example II - Limit user logins

About this document

This document describes two examples of user-defined authentication methods. If these are run as a primary authentication method, they will restrict logins by the root user to a single device while still permitting su access to the root account from another port, or limit the number of concurrent logins allowed per user. This document applies to AIX Version 3.2 and Version 4.x.

About the procedure

NOTE: The authentication methods defined in this document are provided only as examples. Modification of the included software program may be necessary for it to work in a particular environment.

User authentication is used to control access to the system. There are two levels of user authentication in AIX: primary and secondary. A primary authentication method will prevent login access while a secondary method is purely informational and will NOT restrict access.

It is common practice to install site-specific user verification tests as primary and/or secondary authentication methods. Access by login, su, rlogin, telnet are subject to defined primary and secondary authentication methods. rsh, rexec, and ftp are not subject to these methods.

The methods described in this document, if used as primary authentication will restrict root logins to a specific device, or limit the number of concurrent logins allowed on a per user basis.

Steps to implement Example I - Restrict root login

The following steps describe how to implement the "console-only" authentication as a primary authentication method. (It must run as a primary authentication method to enforce the restriction.) The steps describe how to make the authentication method known to AIX, modify the root user's profile to invoke the validation routine and compile the "console-only" code.

The module, named console-only.c, determines if a user is signing onto the specified device (the default is the system console) or executing the su command. If either of these conditions are true, the routine returns a status value of zero. Otherwise, it returns a status value of one. If a status value of zero is returned, the login is validated and the user's initial program is executed. Invoke the validation routine and compile the console-only code.

  1. Edit the /etc/security/login.cfg file and add the following stanza to the file.
             program = /etc/security/console-only 

    This will make the method known to AIX.

    NOTE: The program console-only.c optionally takes one parameter to indicate a particular device to which root access is restricted. To specify a device other than the console, for instance tty0, modify the CONSOLE stanza as follows:

             program = "/etc/security/console-only /dev/tty0" 
  2. Now, change the root user's attributes to invoke the new authentication method when the root user attempts to log in. You can do this either from the command line or from SMIT:
    • From the command line, run the following: (This assumes that SYSTEM was the previous setting for auth1.)
          chuser auth1=SYSTEM,CONSOLE root 

      NOTE: There cannot be any spaces in the comma separated list of primary authentication methods.

    • To use SMIT, enter smit chuser. Then enter root for the user name. In the field PRIMARY authentication method, add CONSOLE to the comma separated list of primary authentication methods. For example, the field may now read SYSTEM,CONSOLE.

      NOTE: There cannot be any spaces in the comma separated list of primary authentication methods. Press Enter to commit the change.

  3. Save the text below the console-only.c heading as console-only.c, and compile it with the following command:
         cc -o /etc/security/console-only console-only.c 

    NOTE: Page headers and footers may appear in the code. They should be removed before the code is used.

  4. Verify that the authentication method is working properly by attempting to login, su, rlogin, and telnet as the root user. If the user-defined authentication method is working properly, root logins will be allowed only on the console or the defined terminal.


    /*Console-only Root Login Authentication Method 
     *  Written By: John F. Haugh,II   Date: 18 March 93 */ 
     #include <sys/types.h> 
     #include <utmp.h> 
     #include <stdio.h> 
     #define CONSOLE "/dev/hft/0" 

NOTE: For AIX Version 4 replace the preceding line with the following line:

 define CONSOLE "/dev/lft0" 
/*console-only - TTY Port Access Control Authentication Method 
*  console-only permits root logins on the console device 
*  (defined with the CONSOLE macro above).  It allows su's 
   from any device.  */ 
main (int argc, char **argv) 
        char     *user; 
        char     *console; 
        char     *tty, *ttyname (); 
        struct   utmp   utmp, *putmp; 
        /* Usage is "console-only <user>".  This would typically be 
         * only for root, but we allow other users to use this method. */ 
         if (argc < 2) 
                 exit (1); 
         user = argv[argc - 1]; 
         /* If there are 3 arguments, #2 is the name of the device.  */ 
         if (argc == 2) 
                 console = CONSOLE; 
                 console = argv[1]; 
         /* Get the TTY name.    */ 
         if ((tty = ttyname (0)) == (char *) 0) 
                 exit (1); 
         /* Clear the utmp structure so I can fetch this line's utmp 
          * record.      */ 
          memset ((void *) &utmp, 0, sizeof utmp); 
          strncpy (utmp.ut_line, tty + 5, sizeof utmp.ut_line); 
          setutent (); 
          putmp = getutline (&utmp); 
          /* See if my PPID is the same as the PID in the utmp record. 
           * That would mean that login is calling me.  This is what 
           * distinguishes between "login" and "su".     */ 
          if (putmp == (struct utmp *) 0 || putmp->ut_pid != getppid ()) 
                  exit (0); 
          exit ((strcmp (console, tty) == 0) ? 0:1); 

How to implement Example II - Limit user logins

In order to limit the number of logins per user, you will have to create a script and update two files: /etc/security/login.cfg and /etc/security/user.

  1. Using an editor, create a script such as the following:
         /usr/bin/Block_user  *the name isn't important, just be consistent 
         NUM=`who | grep $USER |cut -c1-8 | wc -l` 
         #The above ' is not a single quote but back quote (accent) 
         if [[ $NUM -lt 1 ]] 
            exit 0 
            echo "permission denied ...$NUM is the limit of logins" 
            exit 1 

    Save this file and then change its permissions. Make sure this file is owned by root and does not have write permission for group or other.

         chmod 755 /usr/bin/Block_user      *make script executable 
  2. Edit /etc/security/login.cfg

    Add the following lines:

        * auth_method: 
        *     program = 
    Change the lines to look as follows:
         program = /usr/bin/Block_user 
  3. Edit /etc/security/user
    admin = false 
    login = true 
    su = true 
    daemon = true 
    rlogin = true 
    sugroups = ALL 
    ttys = ALL 
    auth1 = SYSTEM 
    auth2 = NONE 
    tpath = nosak 
    umask = 022 
    expires = 0 
    root:                 admin = true 
    user1:                admin = false 

    Change the auth1 line to:

         default:                 auth1 = SYSTEM,auth_method 

    This change will affect all users logging into the system.

    NOTE: root should be an exception to this default. For example, root would read:

         root:                         auth1 = SYSTEM        
         user1:                   auth1 = SYSTEM,auth_method 
         user2:                   auth1 = SYSTEM,auth_method 

    The above changes to the individual user stanzas would limit user1 and user2 to the login restrictions defined in the script above.

[ Doc Ref: 90605221514612     Publish Date: Nov. 28, 2000     4FAX Ref: 2737 ]