Login cancellation question Post: 302967160

Sponsored Content

Top Forums UNIX for Beginners Questions & Answers Login cancellation question Post 302967160 by vbe on Saturday 20th of February 2016 04:43:52 AM

02-20-2016

Moderator

Most UNIX have root not locked unless using RBAC perhaps but accessible to only very limited devices where ordinary people have no access...
Thats is why servers are in white? rooms where security is high and only the sysadms have access...

To answer

Quote:

would the system and its contents be inaccessible?? This is pure curiosity.

The only system I found with root disabled was a lab machine configured with another sysadm of my team, we were trying all figures to go further in security... and so using RBAC we disabled root account... Fine till we forgot the passwords... And realised we were doomed, though my friend and collegue is highly specialized in solaris ( as I had no small HPUX to use at the time ) this was a sparc/solaris 10, we just could not find a way to get back at the system, OK we may did more than just RBAC as we were trying to highly secure... So on one hand we achieved what we wanted, on the other we saw the silly situation we were in for not remembering the passwords...
Morality?
I am sure all serious sysadm configures his boxes with a backdoor only it may not be at a user level, and the minimum security to my eyes is to not let direct connection from the net unless dedicated lan to root even via ssh, using su/sudo only and having root only accessible from console which should be a real dedicated console (/dev/console...) on serial port or dedicated lan for lan consoles

vbe

View Public Profile for vbe

Find all posts by vbe

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

login question

Why, when you type in an obviously invalid login, does UNIX give you an opportunity to type in a password? Is it a security thing?

2. UNIX for Dummies Questions & Answers

Root login question

Hi all I am administering Linux boxes (running rehat linux 7.3 and 8.0). The other day I tried to ssh from 1 linux box to the other. I was root on the client box. Surprisingly, I could login as root into the host after giving the password!! I am unable to get root login from a SSH client...

3. UNIX for Dummies Questions & Answers

user login script question

hi all, what file(s) needs to be changed and in what way in order to do the following: when user A logs onto freebsd 4.8 automaticaly he needs to start up a script a made that executes: sets ltp0 in polling mode, executes tn5250 keyboard mapping starts tn5250 with the correct parameters. ...

4. Shell Programming and Scripting

.proflie .login question

I have been searching how to do this and haven't been able to make it work. When I login to our Unix machine running SunOS 5.8 it automatically starts in csh but I want bash. I don't have access to chsh or password commands so I guess I need to change .profile or .login or .cshrc? Which one and...

5. Solaris

Solaris 10 login question, seek guru's help

I post this question because it seems that no many people will knows about this. I hope to meet some real guru to help me out. Here is the question: I isntalled solaris 10 on Sun sparc 64 bit machine. I can login as root user through GUI or console. After I created an Oracle user, I only can...

6. UNIX for Advanced & Expert Users

Solaris login question, need guru's help

7. UNIX for Dummies Questions & Answers

Question on .profile login script

Hey everyone, I'am a little new here and experincing Unix for the first time. I was wondering if somone could help me with this question i'am a bit stuck on Looking at the content of .profile login script The .profile file is in your login directory. It is a startup script file...

8. Red Hat

Unable to login .Basic question

hi Guys , I m completely new to this environment. I m working in linux gnu operating type. I have root user access to this machine and i have created a user named scott using useradd command then set its password using passwd command. Now my problem is i m not able to loggin using this new...

9. Shell Programming and Scripting

Question: Automatic launching of a CLI menu upon login (OpenBSD)

Hi all, I am OpenBSD newbie and currently need to manage some OpenBSD firewalls running pf. The OpenBSD version is 4.8 As the other sys admins are not so familiar with OpenBSD, so I have an idea across in my mind on how to minimize the root account usage and other unnecessary access and make...

10. Solaris

New User Login Exam Question

Hi Folks, I am studying for my 1z0-821 exam and I would like to clarify an answer to the following question : You have a ticket from a new user on the system, indicating that he cannot log in to his account. The information in the ticket gives you both the username and password. The ticket...

LEARN ABOUT CENTOS

pam_lastlog

PAM_LASTLOG(8)							 Linux-PAM Manual						    PAM_LASTLOG(8)

NAME

       pam_lastlog - PAM module to display date of last login and perform inactive account lock out

SYNOPSIS

       pam_lastlog.so [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>]

DESCRIPTION

       pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains the
       /var/log/lastlog file.

       Some applications may perform this function themselves. In such cases, this module is not necessary.

       If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in. The
       check is not performed for the root account so the root is never locked out.

OPTIONS

       debug
	   Print debug information.

       silent
	   Don't inform the user about any previous login, just update the /var/log/lastlog file.

       never
	   If the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with
	   a welcome message.

       nodate
	   Don't display the date of the last login.

       noterm
	   Don't display the terminal name on which the last login was attempted.

       nohost
	   Don't indicate from which host the last login was attempted.

       nowtmp
	   Don't update the wtmp entry.

       noupdate
	   Don't update any file.

       showfailed
	   Display number of failed login attempts and the date of the last failed attempt from btmp. The date is not displayed when nodate is
	   specified.

       inactive=<days>
	   This option is specific for the auth or account phase. It specifies the number of days after the last login of the user when the user
	   will be locked out by the module. The default value is 90.

MODULE TYPES PROVIDED

       The auth and account module type allows to lock out users which did not login recently enough. The session module type is provided for
       displaying the information about the last login and/or updating the lastlog and wtmp files.

RETURN VALUES

       PAM_SUCCESS
	   Everything was successful.

       PAM_SERVICE_ERR
	   Internal service module error.

       PAM_USER_UNKNOWN
	   User not known.

       PAM_AUTH_ERR
	   User locked out in the auth or account phase due to inactivity.

       PAM_IGNORE
	   There was an error during reading the lastlog file in the auth or account phase and thus inactivity of the user cannot be determined.

EXAMPLES

       Add the following line to /etc/pam.d/login to display the last login time of an user:

	       session	required  pam_lastlog.so nowtmp

       To reject the user if he did not login during the previous 50 days the following line can be used:

	       auth  required  pam_lastlog.so inactive=50

FILES

       /var/log/lastlog
	   Lastlog logging file

SEE ALSO

       pam.conf(5), pam.d(5), pam(8)

AUTHOR

       pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.

       Inactive account lock out added by Toma Mraz <tm@t8m.info>.

Linux-PAM Manual						    09/19/2013							    PAM_LASTLOG(8)