USER - LOGIN

USER LOGIN PROCESS:

LOGIN PROCESS DESCRIPTION:

1. getty:
The file /etc/inittab lists the ports on which a login is possible (e.g. the console). When init runs, a getty process is started for each port listed in that file. The "getty" process provides a login prompt on the terminal attached to that port. The actual message displayed by getty (also known as the herald) is defined in /etc/security/login.cfg (e.g. "console login:" and "password:"). Once this is displayed, the getty process waits for a user to make a login attempt.

--------------

2. login:
First, the user name is entered. The login program checks /etc/passwd and /etc/security/passwd to see if a password is required. If a password is required, or the user name doesn't match a valid name, the Password: prompt is displayed (so an attacker cannot tell from the prompt alone whether the name exists).

--------------

3. invalid:
If an invalid user name was given or the password is incorrect, an entry is made in /etc/security/failedlogin.

    root@bb_lpar: / # who /etc/security/failedlogin
    root        vty0        Jun 08 12:50        <--username was valid, but password was incorrect
    UNKNOWN_    vty0        Jun 08 13:20        <--invalid username


If the user name is valid but the password is incorrect, the number of failed attempts is tracked in /etc/security/lastlog.

    root@bb_lpar: / # cat /etc/security/lastlog
    root:
            time_last_login = 1339152601
            tty_last_login = /dev/pts/0
            host_last_login = server.domain.com
            unsuccessful_login_count = 2       <--this shows the number of failed login attempts of a user

    (or you can check that with the "lsuser" command)

--------------

4. valid:
If the user name and password are correct, the usw stanza in /etc/security/login.cfg is checked. This stanza sets the maximum number of concurrent logins on the system. If that number is exceeded, the login is denied.

    root@bb_lpar: /etc/ssh # cat /etc/security/login.cfg
    usw:
            shells = /bin/sh,/bin/bsh,/bin/csh...
            maxlogins = 32767                      <--this shows maximum concurrent logins on the system
            logintimeout = 60
            maxroles = 8
            auth_type = STD_AUTH

--------------

5. setup environment:
If everything is successful, then the user's environment is set using:

/etc/environment                 <--base environment settings (PATH, TZ, LANG...)
/etc/security/environ            <--defines the environment attributes for users (rarely used)
/etc/security/limits             <--defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user               <--contains the most important per-user settings beyond the basics in /etc/passwd (umask, expires, rlogin...)

--------------

6. /etc/motd:
The login program sets the current directory to the user's HOME directory and displays the content of /etc/motd, the date of the last successful login, and the number of unsuccessful login attempts since the last successful login.

(if a .hushlogin file is found in the HOME directory, this information is not displayed)

--------------

7. shell:
Finally, control is passed to the login shell (as defined in /etc/passwd) which will read /etc/environment and run /etc/profile and $HOME/.profile and $HOME/.kshrc (when using Korn shell).

--------------

When a user logs out, the shell terminates and a new getty process is spawned for that port.

--------------

Files used for user/environment customization (in login sequence):

1. /etc/environment           <--contains variables specifying the basic environment for all processes (PATH, TZ, LANG...)
2. /etc/profile               <--sets other system-wide default variables (TERM...)
3. $HOME/.profile             <--lets you customize your individual working environment (PATH, ENV, PS1...)
4. $HOME/.kshrc               <--if it is used, the user can customize his personal Korn shell environment (set -o vi, alias...)

--------------

USER LOGIN RELATED FILES

/etc/motd                     contains the message to be displayed every time a user logs in to the system.
/etc/utmp                     contains the record of users logged into the system. (who /etc/utmp)
/var/adm/wtmp                 records the logins to the system. (who /var/adm/wtmp)
/var/adm/sulog                records su attempts (e.g. su - username), successful and failed
/etc/environment              sets base environment variables for all processes (PATH, TZ, LANG...) (variables only, don't put commands there; edited only by root)
/etc/profile                  specifies additional environment settings for all users (TERM...) (edited only by root)

/etc/security/login.cfg       contains configuration information for login and user authentication.
/etc/security/lastlog         contains the last login attributes for users
/etc/security/failedlogin     records all failed login attempts. (who /etc/security/failedlogin)
/etc/security/environ         defines the environment attributes for users (rarely used)
/etc/security/limits          defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user            contains the most important per-user settings beyond the basics in /etc/passwd (umask, expires, rlogin...)

$HOME/.profile                specifies user-specific settings (the user can override settings from /etc/environment and /etc/profile)
                              ($HOME/.profile contains ENV=$HOME/.kshrc)
$HOME/.kshrc                  lets the user customize his Korn shell environment (set -o vi, alias...) (it is run every time a new shell is opened)

--------------

unsuccessful login count reset:

If a user's unsuccessful login count reaches the maximum value (loginretries=<value>), the user is no longer allowed to log in to the system:

3004-303 There have been too many unsuccessful login attempts; please see
        the system administrator.


1. check unsuccessful login count:
root@bb_lpar: / # lsuser -f bb
        loginretries=3                                        <--shows max failed login retries, it is contained in /etc/security/user
        pwdwarntime=0
        account_locked=false
        unsuccessful_login_count=5                            <--it is higher than the max value

2. reset the login count:

root@bb_lpar: / # chuser unsuccessful_login_count=0 <user>    <--it will reset to 0 the number of unsuccessful login count

--------------

locked account reset:

An administrator can also temporarily prevent a user from using the system by locking the account:

3004-301 Your account has been locked; please see the system administrator.

1. check user account setting:
root@bb_lpar: / # lsuser -f bb
        account_locked=true                                    <--it will show if account is locked
        minage=0
        maxage=0

2. unlock the account:

root@bb_lpar: / # chuser account_locked=false bb               <--it will remove lock from the account


--------------

user has too many concurrent logins:

The maximum number of concurrent sessions of a single user can be limited in /etc/security/user with the maxulogs attribute.
If it is not limited, there is no maxulogs entry in the file and lsuser won't show one; the attribute can only be checked once it has been set to a value.

Maximum number of login sessions exceeded for user <user>

1. check maxulogs entry of the user
root@bb_lpar: / # lsuser -f bb
        pwdchecks=
        dictionlist=
        maxulogs=3                                             <--it will show maximum concurrent allowed login sessions of a user
                                                               (this value can be checked in /etc/security/user as well)

2. change to a higher value (0 means unlimited)

root@bb_lpar: / # chuser maxulogs=0 <user>                     <--it will change to unlimited
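The three checks above (locked account, unsuccessful_login_count at or over loginretries, a maxulogs cap) can be run over every account in one pass. The following is an added example, not code from the original post: it parses lsuser -f style stanza output (and the "attr = value" spacing used in /etc/security/user) with awk and prints a finding per condition, together with the chuser fix shown above. The sample input is constructed; on AIX you would pipe in `lsuser -f ALL` instead (assumed, not run here).

```shell
# Added example, not from the original post: audit lsuser -f style stanzas for the
# three conditions troubleshot above (locked, loginretries hit, maxulogs set); also
# reads the "attr = value" spacing of /etc/security/user. On AIX: lsuser -f ALL | login_audit
login_audit() {
    awk '
    # Report the stanza just finished, then clear its attributes.
    function flush(    k) {
        if (user == "") return
        if (attr["account_locked"] == "true")
            printf "%s: LOCKED (chuser account_locked=false %s)\n", user, user
        # loginretries=0 means no limit, so only compare when it is set
        if (attr["loginretries"] + 0 > 0 && attr["unsuccessful_login_count"] + 0 >= attr["loginretries"] + 0)
            printf "%s: RETRIES %s/%s (chuser unsuccessful_login_count=0 %s)\n", user, attr["unsuccessful_login_count"], attr["loginretries"], user
        # maxulogs=0 or absent means unlimited concurrent sessions
        if (attr["maxulogs"] + 0 > 0)
            printf "%s: MAXULOGS %s\n", user, attr["maxulogs"]
        for (k in attr) delete attr[k]
    }
    # A non-indented "name:" line starts a new stanza.
    /^[^ \t].*:[ \t]*$/ { flush(); user = $0; sub(/:.*$/, "", user); next }
    # Indented "key=value" or "key = value" lines belong to the current stanza.
    /^[ \t]+[A-Za-z_]+[ \t]*=/ {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "=")
        key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
        val = substr(line, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        attr[key] = val
    }
    END { flush() }
    '
}
# Constructed sample in lsuser -f format (made-up accounts, not real data).
sample_input() {
    cat <<'EOF'
bb:
        loginretries=3
        account_locked=false
        unsuccessful_login_count=5
        maxulogs=3
ops:
        loginretries=0
        account_locked=true
        unsuccessful_login_count=1
svc:
        loginretries=5
        unsuccessful_login_count=2
EOF
}
sample_input | login_audit
```

Run it periodically (or from cron) and compare the output against the previous run to spot accounts that are being locked out by repeated password failures.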



25 comments:

  1. Is it possible to restrict the number of users that can log in to an AIX server concurrently??? How to check & change?

    Replies
    1. Hi, in /etc/security/login.cfg there is an attribute: maxlogins
      "maxlogins: Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts."

      Hope this helps,
      Balazs

  2. Hi Aix, could you please explain the /etc/security/login.cfg and /etc/inittab processes, meaning how the process gets to login.cfg and to inittab?

    Thanks

    Abbas

  3. How do I find, who accessed my AIX system using sftp connection?

  4. Hi,
    You can use "last -X" to get the details of users and the sessions they used, e.g. ftp, and the output will be like below:
    root ftp 10.0.0.0 Sep 25 14:55 - 14:56 (00:01)

  5. Hi,
    We are testing something on the application (AIX OS) by putting on a load of 300 virtual users. I would like to know, is there any limit on the number of user sessions active on AIX at a time?

    I believe we have the value maxlogins = 32767 in /etc/security/login.cfg,
    so I am thinking that there is no limit (32767) on user sessions. Is this right?

  6. That's the total logins, but you may want to limit max logins for a concrete user by modifying its maxulogs user property.

  7. What are the files that will be updated when we run the mkuser command.. any idea?

  8. Hello, is it possible for a user to get an account-expiry alert while logging in to the server?

  9. Hi Balazs,
    I configured the /etc/security/user file; I put maxage=13 (weeks) but I wanted to exempt root from that, so under root I put maxage=0. Now whenever I try to ssh to root, it is fine, but whenever I try to ftp or telnet, it says password expired? Can you help me get a clue on that? Thank you so much again and again for the blogs!!

    Replies
    1. Probably the password of your root user is already expired; when you use ssh it authenticates with your ssh key, so you are not asked for a password, only when you try ftp.

    2. Thank you for the reply. I am trying to understand: if I put the default policy as maxage=13 and I want the root account to be exempt from that, so I put maxage=0 under root, then the root account should not expire, but it is still showing expired when I do ftp, but not when I do ssh or scp. Is that some sort of shell issue? Does telnet/ftp use something different than ssh besides encryption? I tried in a test server, where I let the root account expire as well, and it asked to change the root password in ssh too. But the above issue got me confused.

    3. Never mind, I found out the reason. I am just adding this to the thread so anyone else doesn't do this stupid thing like me: when you change something in /etc/security/user, make sure there is a gap between two users' entries. For example I had root maxage=0 but I also had the system default user daemon entry very close to the root user; that caused the root user to be tied with daemon and made it expired: daemon: admin = true; expires = 0101000070. This applies to all the users: if you don't put a space between two users when you make changes to /etc/security/user, you will screw things up. Hopefully no one will be stupid like me.

    4. Thanks for the description... good to keep this in mind!

  10. Hi Aix,

    1. A user can be added into how many groups?
    2. How many users and groups can be created? (any limits)
    Plz help me...

    Replies
    1. A user can participate in a max of 32 groups.

    2. On 32-bit platforms you can create up to almost 4.3 billion users. On 64-bit platforms you can have more than 16e18 different user IDs.

      However, other resources may become exhausted before you reach this limit, e.g. disk space. If you create a home directory for each user, then even with just 1MB of space for each user you need over 4PB of storage. Also, a large number of users leaving processes running in the background, scheduling cron jobs, and opening ftp and/or ssh sessions can create a severe burden on the system.

    3. Thanks for your valuable reply :)

  11. I am facing a situation where, when there are fewer users, I am able to log in to the AIX server. If the number of users increases, the login prompt is delayed. Sometimes even a timeout occurs. This is after the upgrade to AIX 7.1 TL 4. Can someone suggest a way to overcome this situation?

  12. Hello all,

    What about when we are using LDAP for authentication? Which files are then used for the login process, no longer /etc/passwd? Currently I'm using pbis-open, but I'm facing the issue: "Failed password for invalid user".

    Replies
    1. Check /etc/security/user, section default:

      default:
      SYSTEM = "LDAP"
      registry = LDAP

      and command for example (add -R LDAP):

      mkuser -R LDAP pgrp=staff id=123 SYSTEM=LDAP registry=LDAP user123
      passwd -R LDAP
      lsuser -R LDAP ALL
      .
      .

    2. Hi Elena, have you resolved this issue?

  13. What is the default username & password for telnet?

  14. How to check when my AIX password will expire?
