default - System default database file (Enhanced Security)
The system default database is unique in that it defines
system-wide global values. It is designed to provide values
for users and devices at a global level so that an
administrator is not required to replicate values in user
or device databases when they are all the same. Besides
making global values easier to specify, this also makes a
global system change much easier when one is necessary.
The system default database contains four types of values:
  - System-wide values that have no corresponding specification
    in any other system database. If a system-wide value is not
    specified in the default database, it is undefined.
  - User values, which are typically specified in the protected
    password database file.
  - Terminal control values, which are typically specified in
    the terminal control database file.
  - Device assignment values, which are typically specified in
    the device assignment database file.
The field names for each value type begin with an identifying
prefix. The following list of value types also lists the
reference page that explains the associated database:
  - d_  Defaults database field (this reference page)
  - t_  Terminal control database field (ttys(4))
  - u_  Protected password database field (prpasswd(4))
  -     Device assignment database field (devassign(4))
System default parameters can be specified for fields
found in the protected password, terminal control, and
device assignment databases. When a specific entry is
retrieved from one of these databases, a structure called
ufld that contains all of the explicitly specified values
is provided to the caller. A second structure, called
sfld, is also provided; it defines those values supplied
from the system default database.
Each of these structures has a corresponding flag structure,
called uflg and sflg respectively, that indicates which
fields in each structure have been specified and are valid
for use. Programs honor the user-specific or device-specific
value if one is provided. Otherwise, programs use the system
default value if one has been specified. If neither value is
specified, the program may supply a reasonable default value
or abort.
The following fields are defined only in the defaults
database:
  - d_pw_expire_warning: This field contains the value, measured
    in seconds, used to control whether a password expiration
    warning is given at login time. If the password expiration
    time contained in the user's protected password database
    entry falls within this interval (measured from the current
    system time), a warning is given.
  - This field is a string that specifies the full path name of
    the program or script called for site-specific security
    policy conformance decisions.
  - d_name: This field contains the name, which is set by default
    to the string default.
  - This flag field is not currently used.
  - This flag is for MLS+ compatibility only. It is ignored in
    Tru64 UNIX Version 5.1B.
  - d_secclass: This field is an ASCII identifier of the security
    class supported by the system and is used for informational
    purposes only. The choices include a1, b1, b2, b3, c1, c2,
    and d.
  - A boolean expression indicating that a password set by the
    administrator should expire immediately. This flag controls
    whether auto-migration requires a password change at the time
    it creates the account, or whether it assumes the password
    was set at the present time. It also controls the
    forced-expiration-required action of dxchpwd when an
    administrator changes a user's password.
  - A boolean expression indicating that the ttys database is not
    updated during logins. If this flag is set in the system
    defaults database, login attempts (successful or not) skip
    updating the ttys database. This speeds up logins at the
    expense of not doing break-in evasion.
  - A boolean expression that causes a new extended profile to be
    created if no extended profile exists but there is a valid
    base profile. If this flag is set in the system defaults
    database and a user attempts to log in with no extended
    profile but a legitimate BSD-style profile, an extended
    profile is created for that user (all defaults, except where
    specific information such as the username and UID is
    required).
  - d_max_vacation_future: A numeric value, in seconds, indicating
    how far into the future a user-initiated vacation can be
    scheduled. If either d_max_vacation_future or
    d_max_vacation_duration is zero, no user-initiated use of the
    vacationing feature is possible. This field is (implicitly)
    zero as shipped.
  - d_max_vacation_duration: A numeric value, in seconds,
    indicating how long a user-initiated scheduled vacation can
    last. If either d_max_vacation_future or
    d_max_vacation_duration is zero, no user-initiated use of the
    vacationing feature is possible. This field is (implicitly)
    zero as shipped.
  - A boolean expression indicating that SIA vouching is accepted
    from other authentication mechanisms. If this field is set in
    the system defaults database, other C2 mechanisms will not
    demand a password of their own if a preceding SIA mechanism
    has already validated the user. (This supports mixing DCE and
    C2.) This means that the C2 password controls do not mean much
    (if anything) when DCE is up and in use, but the setting is
    under administrator control and defaults off. It can also be
    desirable to set this when using S/Key or smartcard support.
The following example is a typical system default
database:
default:\
:d_name=default:\
:d_secclass=c2:\
:d_boot_authenticate@:\
:d_audit_enable@:\
:d_pw_expire_warning#3456000:\
:u_pwd=*:\
:u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
:u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
:u_genchars:u_genletters:\
:u_maxtries#5:u_lock:\
:t_logdelay#2:t_maxtries#10:\
:chkent:
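The following is an added example, not code from Tru64 UNIX or this reference page. It parses an authcap-style entry in the syntax shown above (name=value, name#number, name for a flag that is set, name@ for a flag that is explicitly cleared, chkent to close the entry) and then applies the precedence described earlier: a user-specific value wins if it was specified, otherwise the system default if specified, otherwise the program's own fallback. The dictionaries stand in for ufld/sfld and the name sets for uflg/sflg; the user entry for the account alice is constructed for the example, and parse_authcap_entry, resolve, naive_resolve and password_warning_due are names chosen here, not library functions.

```python
"""Added example (not Tru64 code): parse an authcap-style default(4) entry
and resolve fields with the ufld/sfld precedence described on this page."""
import re
from typing import Any, Dict, Set, Tuple

# Constructed sample: the default entry shown on this page, as one authcap record.
DEFAULT_ENTRY = r"""default:\
:d_name=default:\
:d_secclass=c2:\
:d_boot_authenticate@:\
:d_audit_enable@:\
:d_pw_expire_warning#3456000:\
:u_pwd=*:\
:u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
:u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
:u_genchars:u_genletters:\
:u_maxtries#5:u_lock:\
:t_logdelay#2:t_maxtries#10:\
:chkent:
"""

# Constructed sample user entry (hypothetical account 'alice'): it overrides
# u_maxtries and explicitly clears u_lock with the '@' (false) syntax.
USER_ENTRY = "alice:u_name=alice:u_id#1001:u_maxtries#3:u_lock@:chkent:"

_FIELD_SPLIT = re.compile(r"(?<!\\):")   # split on ':' unless escaped as '\:'
_NO_DEFAULT = object()                   # sentinel: caller has no fallback value


def parse_authcap_entry(text: str) -> Tuple[str, Dict[str, Any], Set[str]]:
    """Return (entry name, field values, names of fields explicitly given).

    The returned name set plays the role of the uflg/sflg flag structure:
    it lets a caller tell an explicit 'name@' (false) apart from a field
    that was never specified at all.  'chkent' closes the entry."""
    logical = text.replace("\\\n", "")          # join continuation lines
    parts = [p for p in _FIELD_SPLIT.split(logical.strip()) if p]
    values: Dict[str, Any] = {}
    specified: Set[str] = set()
    for tok in parts[1:]:
        tok = tok.replace("\\:", ":")
        if tok == "chkent":
            break
        if "=" in tok:                          # string field
            key, val = tok.split("=", 1)
            values[key] = val
        elif "#" in tok:                        # numeric field
            key, num = tok.split("#", 1)
            values[key] = int(num)
        elif tok.endswith("@"):                 # flag explicitly cleared
            key = tok[:-1]
            values[key] = False
        else:                                   # flag set
            key = tok
            values[key] = True
        specified.add(key)
    return parts[0], values, specified


def resolve(field: str, ufld: Dict[str, Any], uflg: Set[str],
            sfld: Dict[str, Any], sflg: Set[str],
            program_default: Any = _NO_DEFAULT) -> Any:
    """User/device-specific value if specified, else the system default if
    specified, else the program's fallback; no fallback means an error."""
    if field in uflg:
        return ufld[field]
    if field in sflg:
        return sfld[field]
    if program_default is _NO_DEFAULT:
        raise LookupError(f"{field}: not specified in either entry")
    return program_default


def naive_resolve(field: str, ufld: Dict[str, Any], sfld: Dict[str, Any]) -> Any:
    """The mistake the flag structures prevent: treating 'false' as 'absent'.
    For u_lock this returns True from the defaults even though the user entry
    explicitly cleared it, i.e. the account would be treated as locked."""
    return ufld.get(field) or sfld.get(field)


def password_warning_due(pw_expire_at: int, now: int, warning_interval: int) -> bool:
    """d_pw_expire_warning check: warn at login when the account's password
    expiration time lies within warning_interval seconds after 'now'."""
    return 0 <= pw_expire_at - now <= warning_interval


def effective_login_policy(user_text: str = USER_ENTRY,
                           default_text: str = DEFAULT_ENTRY) -> Dict[str, Any]:
    """Merge a user entry with the system defaults for a few login fields."""
    _, sfld, sflg = parse_authcap_entry(default_text)
    _, ufld, uflg = parse_authcap_entry(user_text)
    return {
        "u_maxtries": resolve("u_maxtries", ufld, uflg, sfld, sflg),    # 3: user overrides 5
        "u_lock": resolve("u_lock", ufld, uflg, sfld, sflg),            # False: 'u_lock@' wins
        "u_lock_naive": naive_resolve("u_lock", ufld, sfld),            # True: the bug
        "u_exp": resolve("u_exp", ufld, uflg, sfld, sflg),              # 15724800 from defaults
        "t_logdelay": resolve("t_logdelay", ufld, uflg, sfld, sflg, 1), # 2 from defaults
    }


if __name__ == "__main__":
    name, sfld, sflg = parse_authcap_entry(DEFAULT_ENTRY)
    print(name, sorted(sflg))
    print(effective_login_policy())
```

The u_lock case is the one worth keeping in mind when writing code against these databases: an entry that says u_lock@ and an entry that says nothing about u_lock look the same to a truthiness check, which is exactly why the flag structures exist alongside the value structures.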
Specifies the pathname of the file.
Functions: getprdfent(3)
Files: authcap(4), devassign(4), prpasswd(4), ttys(4)
default(4)