LOGIN PROCESS DESCRIPTION:
1. getty:
The file /etc/inittab contains possible ports for login (i.e. console). When init runs, a getty process is started for each port listed in that file. The process "getty" provides a login prompt on the terminal attached to that port. The actual message displayed (also known as the herald) by the getty process is defined in /etc/security/login.cfg (i.e. console login and password...). Once this is displayed getty process waits for a user to make a login attempt.
--------------
2. login:
First user name is entered. The login program checks /etc/passwd and /etc/security/passwd to see if a password is required. If a password is required or the user name doesn't match a valid name, the Password: prompt is displayed.
--------------
3. invalid:
If an invalid user name was given or the password is incorrect an entry is made in /etc/security/failedlogin.
root@bb_lpar: / # who /etc/security/failedlogin
root vty0 Jun 08 12:50 <--username was valid, but password was incorrect
UNKNOWN_ vty0 Jun 08 13:20 <--invalid username
If the user name is valid, but the password is incorrect, the number of failed attempts are tracked in /etc/security/lastlog.
root@bb_lpar: / # cat /etc/security/lastlog
root:
time_last_login = 1339152601
tty_last_login = /dev/pts/0
host_last_login = server.domain.com
unsuccessful_login_count = 2 <--this shows the number of failed login attemts of a user
(or you can check that with command "lsuser")
--------------
4. valid:
If a user name and password is correct, the usw stanza in /etc/security/login.cfg is checked. This stanza sets the maximum number of concurrent logins in the systemt. If that number is exceeded, the login is denied.
root@bb_lpar: /etc/ssh # cat /etc/security/login.cfg
usw:
shells = /bin/sh,/bin/bsh,/bin/csh...
maxlogins = 32767 <--this shows maximum concurrent logins on the system
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
--------------
5. setup environment:
If everything is successful, then the user's environment is set using:
/etc/environment <--base environment settings (PATH, TZ, LANG...)
/etc/security/environ <--defines the environment attributes for users (it is not used too much by users)
/etc/security/limits <--defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user <--contains the most important settings, outside of the basics in /etc/passwd(umask, expires, rlogin...)
--------------
6. /etc/motd:
The login program sets the current directory to the user's HOME directory and displays the content of /etc/motd , date of the last successful login, and the number of unsuccessful login attempts since the last successful login.
(if .hushlogin file is found in the HOME directory these infos will not be displayed)
--------------
7. shell:
Finally, control is passed to the login shell (as defined in /etc/passwd) which will read /etc/environment and run /etc/profile and $HOME/.profile and $HOME/.kshrc (when using Korn shell).
--------------
When a user logs out, the shell terminates and a new getty process is spawned for that port.
--------------
Files used for user/environment customization (in login sequence):
1. /etc/environment <--contains variables specifying the basic environment for all processes ( PATH, TZ, LANG...)
2. /etc/profile <-- sets other system-wide default variables (TERM...)
3. $HOME/.profile <-- lets you customize your individual working environment (PATH, ENV, PS1...)
4. $HOME/.kshrc <--if it is used, user can customize his personal Korn shell environment (set -o vi, alias...)
--------------
USER LOGIN RELATED FILES
/etc/motd contains the message to be displayed every time a user logs in to the system.
/etc/utmp contains the record of users logged into the system. (who /etc/utmp)
/var/adm/wtmp records the logins to the system. (who /var/adm/wtmp)
/var/adm/sulog records information about su - username
/etc/environment sets base environment variables for all processes (PATH, TZ, LANG...) (don't put commands there, only root)
/etc/profile specifies additional environment settings for all users. (TERM...) (only root)
/etc/security/login.cfg contains configuration information for login and user authentication.
/etc/security/lastlog contains the last login attributes for users
/etc/security/failedlogin records all failed login attempts. (who /etc/security/failedlogin)
/etc/security/environ defines the environment attributes for users (it is not used too much by users)
/etc/security/limits defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user contains the most important settings, outside of the basics in /etc/passwd(umask, expires, rlogin...)
$HOME/.profile specifies user specific settings (user can overwrite settings from /etc/environment and /etc/profile)
($HOME/profile contains ENV=$HOME/.kshrc)
$HOME/.kshrc user can customize his Korn shell environment (set -o vi, alias...) (it will be run when opening new shell)
--------------
unsuccessful login count reset:
If a user's unsuccessful login count reaches a max value (loginretries=<value>), the user is not enabled to login into the system.
3004-303 There have been too many unsuccessful login attempts; please see
the system administrator.
1. check unsuccessful login count:
root@bb_lpar: / # lsuser -f bb
loginretries=3 <--shows max failed login retries, it is contained in /etc/security/user
pwdwarntime=0
account_locked=false
unsuccessful_login_count=5 <--it is higher than the max value
2. reset the login count:
root@bb_lpar: / # chuser unsuccessful_login_count=0 <user> <--it will reset to 0 the number of unsuccessful login count
--------------
locked account reset:
It is possible, that an administrator disables a user to use the system temporary by locking it account.
3004-301 Your account has been locked; please see the system administrator.
1. check user account setting:
root@bb_lpar: / # lsuser -f bb
account_locked=true <--it will show if account is locked
minage=0
maxage=0
2. unlock the account:
root@bb_lpar: / # chuser account_locked=false bb <--it will remove lock from the account
--------------
user max concurrent logins are too high
Maximum concurrent sessions of a user can be limited in /etc/security/user, by maxulogs entry.
If it is not limited, in the file there are no maxulogs entry and lsuser won't show anything, it can be checked only if it is set to a value.
Maximum number of login sessions exceeded for user <user>
1. check maxulogs entry of the user
root@bb_lpar: / # lsuser -f bb
pwdchecks=
dictionlist=
maxulogs=3 <--it will show maximum concurrent allowed login sessions of a user
(this vallue can be checked in /etc/security/user as well)
2. change to a higher value (0 means unlimited)
root@bb_lpar: / # chuser maxulogs=0 <user> <--it will change to unlimited
25 comments:
is it possible to restrict the number of users can login to an aix server concurrently??? how to check & change?
Hi, in /etc/security/login.cfg there is an attribute: maxlogins
"maxlogins: Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts."
Hope this helps,
Balazs
Hi Aix, Could you please explain about /etc/security/login.cfg and /etc/inittab processes,means how the process will getting to login.cfg to inittab
Thanks
Abbas
How do I find, who accessed my AIX system using sftp connection?
Hi,
You can use "last -X" to get the detail of users and the sessions they used e.g ftp, and output will be like below:
root ftp 10.0.0.0 Sep 25 14:55 - 14:56 (00:01)
Hi,
we are testing something on the application (AIX OS) by putting some load of 300 virtual users. I would like to know, is there any limit on number of user sessions active on AIX at a time ?
i believe we've value maxlogins = 32767 in /etc/security/login.cfg.
so am thinking that, there is no limit (32767) on user sessions. is this right ?
That's the total logins, but you may want to limit max logins for a concrete user by modifying it's maxulogs user propertie.
what are the files will be updated when we hit mkuser command ..any idea
Hello, Is it possible user get account expire alert. While login to the server.
HI Belaz
I configure /etc/security/user file , I put maxge =13 (weeks) but I wanted to exempt root from that, so under too I put maxage=0 , now whenever I try to ssh to root , is it fine, But whenever I try to ftp or telnet, it says password expired? can you help me get a clue on that, Thank you so much again and again for the blogs !!
Probably the password of your root user is already expired, just when you use ssh it authenticates with your ssh key, so you are not asked for a password only when you try ftp.
Thank you for the reply,I am trying to understand that if I put default policy as maxage=13 and I want root account to be exempt from that, so I put under root : maxage=0. So the root account will not expire,but it is still showing expired when I do ftp, but not when I do ssh or scp. Is that some sort of shell issue? does telnet /ftp use something different than ssh besides encryption? I tried in a test server, where I let the root account to be expired as well, it asked to change root password in the ssh too.But above issue got me confused.
Never mind , I found out the reason, I am just adding this to the thread, so anyone else don't do this stupid thing like me, when you change something in the /etc/security/user , make sure there is gap between two users' entry. for example I had root maxage=0 but I also system default user daemon entry, very close to the root user , that cause the root user to be tied with daemon and made it expired .daemon: admin = true; expires = 0101000070. These applies all the users, if you don't put space between two users when you make changes to the /etc/security/user, you will screwed up things. Hopefully no one will be stupid like me.
Thanks for the description... good to keep this in mind!
hi aix
1.a user can be added into how many groups?
2.how many users and groups can be created? (any limits)
plz help me...
a user can participate into max of 32 groups
Thanks I was looking for this info!!
I am facing a situation where when there are lesser users, i am able to login to the AIX server. If the number of users increase - the login prompt is getting delayed. Sometimes even timeout occurs. This is after the upgrade to AIX 7.1 TL 4. Can someone suggest a way to overcome this situation?
Hello all,
What about when we are using LDAP for authentication? Which files than are used for the login process, not anymore /etc/passwd? Currently I'm using pbis-open, but I'm facing the issue: "Failed password for invalid user".
on 32-bit platforms you can create up to almost 4.3 billion users. On 64-bit platforms you can have more than 16e18 different user IDs.
However, other resources may become exhausted before you reach this limit, e.g. disk space. If you create a home directory for each user then even with just 1MB of space for each user you need over 4PBs of storage. Also, large number of users leaving processes running in the background, scheduling cron jobs, opening ftp and/or ssh sessions can create a severe burden on the system
thanks for your valuable reply :)
what is the defult username & password for the telnet
check /etc/security/user , section default
default:
SYSTEM = "LDAP"
registry = LDAP
and command for example (add -R LDAP):
mkuser -R LDAP pgrp=staff id=123 SYSTEM=LDAP registry=LDAP user123
passwd -R LDAP
lsuser -R LDAP ALL
.
.
Hi Elena, Have you resolved this issue?
How to check when my aix password will expires ?
Post a Comment