ttys - Terminal control database file (Enhanced Security)
Notes
The secure terminal database file, /etc/securettys, controls
root logins for all security levels. The file is
described in the securettys(4) reference page.
By default, the enhanced security terminal control information
is stored in database format (ttys.db). The information
was formerly stored in the ttys file and is converted
to database format in an update installation. The
convauth utility converts an existing ttys file to
database format.
The enhanced security terminal control database (ttys.db)
contains an entry for each terminal or X display name that
can be used for logging in. It supports wildcarding of the
entire terminal name or display name only. Authentication
programs use information in the terminal control database
to determine if a login is permitted on the specified terminal.
Information from the device assignment database
(/etc/auth/system/devassign) can also affect terminal
login permissions. Successful and unsuccessful login
attempts on the terminal are optionally recorded in the
terminal control database, and the information can be used
to disable terminal logins when break-in attempts are suspected.
The /usr/tcb/bin/dxdevices GUI provides a way to create
terminal control database entries and to alter the system
default values for the fields. The edauth utility can also
be used to display and modify terminal control database
entries.
A terminal control database entry consists of keyword
field identifiers and values for those fields. If a necessary
value is not specified in an entry, a default value
for the field is supplied from the system default file
(/etc/auth/system/default). For more information on the
field format, see authcap(4).
The following keyword field identifiers are supported:

This field (t_devname) defines the terminal device name for
the entry. The system expects that terminal devices are in
the /dev directory, and therefore this prefix should not be
specified. If the terminal entry describes the /dev/tty1
device, the t_devname field should contain tty1. This field
is ignored if it is set in a template or in the default
database.

This field (t_uid) contains the user ID of the last user who
successfully logged in using the terminal device. This field
is ignored if it is set in a template or in the default
database.

This field (t_logtime) is a time_t value that records the
last successful login time to the terminal device. This
field is ignored if it is set in a template or in the
default database.

This field (t_unsucuid) contains the user ID of the last
user who unsuccessfully attempted to log in using the
terminal device. This field is ignored if it is set in a
template or in the default database.

This field (t_unsuctime) is a time_t value that records the
last unsuccessful login time to the terminal device. This
field is ignored if it is set in a template or in the
default database.

This field (t_prevuid) contains the user ID of the user who
successfully logged in before the user identified in the
t_uid field; that is, the UID of the previous login session.
This field is ignored if it is set in a template or in the
default database.

This field (t_prevtime) is a time_t value that contains the
system time of the last logout associated with this terminal
device. This value marks the end of the previous login
session, the session of the user identified by t_prevuid.

This field (t_failures) records the number of consecutive
unsuccessful login attempts to the terminal device. This
field is ignored if it is set in a template or in the
default database.

This field specifies the maximum number of consecutive
unsuccessful login attempts permitted using the terminal
before the terminal is locked. Once the terminal is locked,
it must be unlocked by an authorized administrator.

This field is a time_t value that identifies the login delay
enforced by authentication programs between unsuccessful
login attempts. It is designed to slow the rate at which
penetration attempts on a terminal device can occur.

This field indicates whether the terminal device has been
administratively locked. It is manipulated by authorized
administrators only.

This field specifies the time interval in seconds after
t_unsuctime to wait before ignoring t_failures. Zero means
never ignore t_failures.

This field specifies the login time-out value in seconds. If
a login attempt is initiated by entering a user name at the
login prompt but successful authentication is not completed
within the specified time-out interval, the login attempt is
aborted.

This field indicates that the entry is an X window display
managed by xdm, rather than a terminal device. This field is
ignored if it is set in a template or in the default
database.
The following example shows a typical terminal control
database entry:

console:t_devname=console:
:t_uid=jdoe:t_logtime#675430072:
:t_unsucuid=jdoe:t_unsuctime#673610809:
:t_prevuid=root:t_prevtime#671376915:
:chkent:

This entry is for the system console device, /dev/console.
The most recent successful login session was for the user
jdoe. The most recent unsuccessful login attempt was also
by user jdoe. Before the most recent successful login session,
the root account was used to log in to the console.
The entry records the system time for the current successful
login, the end of the previous successful login session,
and the time of the most recent unsuccessful login
attempt.
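As an added example (not code from this reference page or from Tru64 itself), the following Python parses an authcap-style entry such as the one above, merges it with system defaults the way the page describes (per-entry fields are ignored when set in the default database), and applies the lockout and audit-field rules given in the field descriptions. The t_* identifiers are the ones shown on this page; the policy values whose identifiers the page does not show (maximum tries, the interval after which t_failures is ignored, the administrative lock) are passed as plain parameters, and the reset of t_failures on a successful login is an assumption.

```python
# Added example (not Tru64 code): parse an authcap-style ttys(4) entry and
# apply the terminal lockout rules the reference page describes.
# t_* names are those shown on the page; max_tries, ignore_after and
# admin_locked stand in for fields whose identifiers the page does not show.

# Constructed sample, copied from the entry shown on the page.
SAMPLE_ENTRY = """\
console:t_devname=console:
:t_uid=jdoe:t_logtime#675430072:
:t_unsucuid=jdoe:t_unsuctime#673610809:
:t_prevuid=root:t_prevtime#671376915:
:chkent:
"""

# Fields the page says are ignored when set in a template or default database.
PER_ENTRY_ONLY = frozenset({"t_devname", "t_uid", "t_logtime", "t_unsucuid",
                            "t_unsuctime", "t_prevuid", "t_failures"})


def parse_authcap_entry(text):
    """Parse one entry: 'name:field:field:' plus continuation lines that
    begin with ':'.  'k=v' is a string field, 'k#n' a numeric field and a
    bare token a boolean flag (e.g. chkent).  Assumes no escaped ':' and
    no '|'-separated aliases in the entry name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name, _, first_fields = lines[0].partition(":")
    body = first_fields + "".join(lines[1:])
    fields = {}
    for tok in body.split(":"):
        if not tok:                      # empty token between '::'
            continue
        if "#" in tok:
            key, val = tok.split("#", 1)
            fields[key] = int(val)       # numeric field (time_t, counters)
        elif "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val            # string field (user, device name)
        else:
            fields[tok] = True           # boolean flag
    return name, fields


def merge_with_defaults(entry_fields, default_fields):
    """System defaults (/etc/auth/system/default) supply missing values,
    except for the per-entry-only fields, which are ignored there."""
    merged = {k: v for k, v in default_fields.items() if k not in PER_ENTRY_ONLY}
    merged.update(entry_fields)
    return merged


def effective_failures(fields, now, ignore_after):
    """Consecutive failure count, or 0 once ignore_after seconds have
    passed since t_unsuctime.  ignore_after == 0 means never ignore."""
    failures = fields.get("t_failures", 0)
    last_fail = fields.get("t_unsuctime")
    if ignore_after and last_fail is not None and now - last_fail > ignore_after:
        return 0
    return failures


def login_permitted(fields, now, max_tries, ignore_after, admin_locked=False):
    """Decide whether a login may proceed on this terminal.
    Returns (permitted, reason).  max_tries == 0 is treated as no limit
    (assumption, not stated on the page)."""
    if admin_locked:
        return False, "terminal administratively locked"
    if max_tries and effective_failures(fields, now, ignore_after) >= max_tries:
        return False, "terminal locked: consecutive failures reached the maximum"
    return True, "ok"


def record_attempt(fields, user, success, now):
    """Update the audit fields after an attempt.  Assumption: a successful
    login resets the consecutive-failure counter and rotates t_uid into
    t_prevuid (the page defines t_prevuid as the previous session's user)."""
    updated = dict(fields)
    if success:
        if "t_uid" in updated:
            updated["t_prevuid"] = updated["t_uid"]
        updated["t_uid"] = user
        updated["t_logtime"] = now
        updated["t_failures"] = 0
    else:
        updated["t_unsucuid"] = user
        updated["t_unsuctime"] = now
        updated["t_failures"] = updated.get("t_failures", 0) + 1
    return updated


def record_logout(fields, now):
    """t_prevtime marks the end of the session that just ended."""
    updated = dict(fields)
    updated["t_prevtime"] = now
    return updated


if __name__ == "__main__":
    name, fields = parse_authcap_entry(SAMPLE_ENTRY)
    print(name, fields)
    # Constructed policy: lock after 3 failures, forget stale failures after 1 hour.
    for _ in range(3):
        fields = record_attempt(fields, "mallory", False, 700000000)
    print(login_permitted(fields, 700000001, max_tries=3, ignore_after=3600))
    print(login_permitted(fields, 700003601, max_tries=3, ignore_after=3600))
```

The two final calls show the interaction the page describes between the failure counter and the ignore interval: immediately after the third failure the terminal is locked, but once more than the interval has elapsed since t_unsuctime the failures no longer count, while an interval of zero keeps them counting until an administrator intervenes.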
Specifies the pathname of the database.
Commands: login(1)
Functions: getprtcent(3)
Files: authcap(4), default(4), securettys(4)