System Administration Guide
Chapter 5, Maintaining system security

Controlling system access

Controlling system access

One important aspect of operation on a trusted system is preventing unauthorized access. The available restriction mechanisms fall into three categories, all of which can be customized:

You can also generate activity reports on each of these restrictions, such as the login activity for a terminal or group of terminals, or report on user accounts with passwords that are about to expire. See ``Creating account and login activity reports''. 

Password restrictions

The Department of Defense Password Management Guideline (also known as the Green Book) was used as a model for password restrictions. Users are subject to much stricter password checking than traditional UNIX systems. The system administrator can place restrictions on password selection and expiration.

Selection restrictions control whether users can pick their own passwords or have the system generate passwords for them. When chosen, the password can be subjected to simple or extensive checking for obviousness, again at the option of the administrator. These controls are described in ``Controlling password selection''.

Password expiration restrictions determine how and when passwords expire -- see ``Controlling password expiration''. The lifetime of a password has three stages: 

If users are not allowed to change passwords, new passwords must be assigned. Users must notify the administrator when their account is locked. When a user logs in, the prwarn(C) utility warns them of impending expiration. There is no notification mechanism for the administrator other than use of regular reports on impending expirations. 

A popular tactic among users on systems where periodic password changes are enforced is to change their password once, thus satisfying the requirement, then simply change their password back again to the one they used before. To prevent a user from doing this, the authentication administrator can also set a minimum change time on a password, before which a user may not change passwords. All of these parameters can be changed system-wide (System Defaults database) or per-user (Protected Password database).

By default, the user account initialization files (.cshrc, .profile, and so forth) call the prwarn(C) utility to warn users of impending password expiration and prevent their accounts from being locked. Expirations can be an annoying occurrence if a system administrator is unavailable. If your system is not attended by administrators on a daily basis, you might want to extend the password lifetime parameter accordingly. 

Terminal use restrictions

Terminals are gateways to the system. In addition to the use of account passwords, terminals can be protected from attempts to penetrate the system. You can define the maximum number of failed login attempts, high numbers of which are typically associated with attempts to crack an account password. Terminals that exceed the maximum permissible number of attempts will be locked and you, the accounts administrator, must unlock them. In addition, you can specify an interval that must elapse between login attempts, which can further thwart attempts to break a password. To change or examine terminal restrictions, refer to ``Setting login restrictions on terminals''. 

Login restrictions

As with terminals, user accounts have parameters associated with the number of login attempts and retry intervals. To change or examine login restrictions, refer to ``Setting login restrictions on accounts''.