login.cfg File

Purpose

Contains configuration information for login and user authentication.

Description

The /etc/security/login.cfg file is an ASCII file that contains stanzas of configuration information for login and user authentication. Each stanza has a name, followed by a colon (:), that defines its purpose. Attributes are in the form Attribute=Value. Each attribute ends with a newline character, and each stanza ends with an additional newline character. For an example of a stanza, see the "Examples" section.

There are two types of stanzas:

Stanzas Definition
port Defines the login characteristics of ports.
user configuration Defines programs that change user attributes.

Port Stanzas

Port stanzas define the login characteristics of ports and are named with the full path name of the port. Each port should have its own separate stanza. Each stanza has the following attributes:

Attribute Definition
herald Defines the login message printed when the getty process opens the port. The default herald is the login prompt. The value is a character string.
herald2 Defines the login message printed after a failed login attempt. The default herald is the login prompt. The value is a character string.
logindelay Defines the delay factor (in seconds) between unsuccessful login attempts. The value is a decimal integer string. The default value is 0, indicating no delay between unsuccessful login attempts.
logindisable Defines the number of unsuccessful login attempts allowed before the port is locked. The value is a decimal integer string. The default value is 0, indicating that the port cannot lock as a result of unsuccessful login attempts.
logininterval Defines the time interval (in seconds) in which the specified unsuccessful login attempts must occur before the port is locked. The value is a decimal integer string. The default value is 0.
loginreenable Defines the time interval (in minutes) a port is unlocked after a system lock. The value is a decimal integer string. The default value is 0, indicating that the port is not automatically unlocked.
logintimes Specifies the times, days, or both, the user is allowed to access the system. The value is a comma-separated list of entries of the following form:
[!]:time-time
   -or-
[!]day[-day][:time-time]
   -or-
[!]date[-date][:time-time]

The day variable must be one digit between 0 - 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.

The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800. The time variable must be four characters in length, and there must be a leading colon (:). An entry consisting of only a time specification applies to every day. The start hour of a time value must be less than the end hour.

The date variable is a four digit string in the form mmdd. mm represents the calendar month, with 00 indicating January and 11 indicating December. dd represents the day number. For example 0001 represents January 1. dd may be 00 to indicate the entire month, if the entry is not a range, or indicating the first or last day of the month depending on whether it appears as part of the start or end of a range. For example, 0000 indicates the entire month of January. 0500 indicates the entire month of June. 0311-0500 indicates April 11 through the last day of June.

Entries in this list specify times that a user is allowed or denied access to the system. Entries not preceded by an exclamation point (!) allow access and are called ALLOW entries. Entries prefixed with an exclamation point (!) deny access to the system and are called DENY entries. The ! operator applies to only one entry, not the whole restriction list. It must appear at the beginning of an entry.

pwdprompt Defines the message that is displayed at a password prompt. The message value is a character string. Format specifiers will not be interpreted. If the attribute is undefined, a default prompt from the message catalog will be used.
sak_enabled Defines whether the secure attention key (SAK) is enabled for the port. The SAK key is the Ctrl-X, Ctrl-R key sequence. Possible values for the sak_enabled attribute are:
true
SAK processing is enabled, so the key sequence establishes a trusted path for the port.
false
SAK processing is not enabled, so a trusted path cannot be established. This is the default value.

The sak_enabled stanza can also be modified to close a potential exposure that exists when tty login devices are writable by others; for example, when the tty mode is 0622. If the sak_enabled stanza is set to True, the tty mode is set to a more restrictive 0600 at login. If the sak_enabled stanza is set to False (or absent), the tty mode is set to 0622.

synonym Defines other path names for the terminal. This attribute revokes access to the port and is used only for trusted path processing. The path names should be device special files with the same major and minor number and should not include hard or symbolic links. The value is a list of comma-separated path names.

Synonyms are not associative. For example, if you specify synonym=/dev/tty0 in the stanza for the /dev/console path name, then the /dev/tty0 path name is a synonym for the /dev/console path name. However, the /dev/console path name is not a synonym for the /dev/tty0 path name unless you specify synonym=/dev/console in the stanza for the /dev/tty0 path name.

usernameecho Defines whether the user name is echoed on a port. Possible values for the usernameecho attribute are:
true
User name echo is enabled. The user name will be displayed. This is the default value.
false
User name echo is disabled. The user name will not be echoed at the login prompt and will be masked out of related messages that contain the user name.
minsl Defines the minimum sensitivity level (SL) assigned to this port.
Restriction: This attribute is valid only for Trusted AIX®. For more information about Trusted AIX, see Trusted AIX in AIX Version 7.1 Security.
The valid values are defined in the /etc/security/enc/LabelEncodings file for the system. You must define the value in quotation marks (" ") if it has white spaces. The minsl value is dominated by the maxsl value for the port.

To log in using this port, you must have an effective SL that dominates this value.

maxsl Defines the maximum sensitivity level assigned to this port.
Restriction: This attribute is valid only for Trusted AIX. For more information about Trusted AIX, see Trusted AIX in AIX Version 7.1 Security.
The valid values are defined in the /etc/security/enc/LabelEncodings file. You must define the value in quotation marks (" ") if it has white spaces. The maxsl value dominates the minsl value for the port.

To log in using this port, you must have an effective SL that this value dominates.

tl Defines the integrity level that is assigned to this port.
Restriction: This attribute is valid only for Trusted AIX. For more information about Trusted AIX, see Trusted AIX in AIX Version 7.1 Security.
The valid values are defined in the /etc/security/enc/LabelEncodings file. You must define the value in quotation marks (" ") if it has white spaces.

If this value is NOTL, the user's integrity labels (TLs) are ignored; if this value is not NOTL, the user's effective TL must be equal to this value.

User-Configuration Stanzas

User-configuration stanzas provide configuration information for programs that change user attributes. There is one user-configuration stanza: usw.
Note: Password restrictions have no effect if you are on a network using Network Information Services (NIS). See "Network Information Service (NIS) Overview for System Management" in AIX Version 7.1 Networks and communication management for a description of NIS.

The usw stanza defines the configuration of miscellaneous facilities. The following attributes can be included:

Attribute Definition
authcontroldomain Specifies the domain that controls user authentication through the SYSTEM and registry attributes. If the authcontroldomain attribute is set, the SYSTEM and registry attributes of the users are queried from that domain. The SYSTEM and registry attributes for the local users are always queried from local files regardless of the authcontroldomain setting. The valid values are files or a stanza name that is defined in the /etc/methods.cfg file. The default value is files.
auth_type Defines the route through which all users will be authenticated (in supported applications). The two values to which auth_type can be set are:
PAM_AUTH
Use PAM to authenticate users via the /etc/pam.conf file
STD_AUTH
Use an application's standard means of user authentication. This is the default value.
dist_uniqid Defines the system configuration for resolving ID collision for creating/modifying user/group accounts among registries. The valid values to which dist_uniqid can be set are:
never
Do not check for ID collision against the nontarget registries. This is the default setting.
always
Check for ID collision against all other registries. If a collision is detected between the target registry and any other registry, account creation/modification fails.
uniqbyname
Check for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.
Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid attribute.
logintimeout Defines the time (in seconds) the user is given to type the login name and the password. The value is a decimal integer string. The default is a value of 60. The login session will be timed out if there is no input for login name after the timer has expired.
maxlogins Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login attempts.
Note: Login sessions include rlogins and telnets. These are counted against the maximum allowable number of simultaneous logins by the maxlogins attribute.
maxroles Defines the maximum number of roles that each session allows. This attribute is for use with Enhanced RBAC Mode only. The valid value is an integer value between 1 and 8. The default value is 8.
mkhomeatlogin Specifies whether to create a home directory at login if the home directory does not already exist. The value of this attribute is either true or false. The default value is false.
shells Defines the valid shells on the system. This attribute is used by the chsh command to determine which shells a user can select. The value is a list of comma-separated full path names. The default is /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh, /usr/bin/ksh, or /usr/bin/tsh.
pwd_algorithm Defines the loadable password algorithm to use when you store user passwords. A valid value for this attribute is a stanza name that is defined in the /etc/security/pwdalg.cfg file. The default value is crypt, which is the legacy crypt() algorithm.
unix_passwd_compat Sets the return value of the passwdexpired() function. The valid values for the unix_passwd_compat attribute follow:
true
When this attribute is set as true, the passwdexpired() function returns a non zero value, which is compatible with other UNIX and AIX 5.2 operating systems, when the user password is set to * in the /etc/security/passwd file.
false
When this attribute is set to false, the passwdexpired() function returns 0, when the user password is set to * in the /etc/security/passwd file. This is default value.

Security

Access Control

This command should grant read (r) and write (w) access to the root user and members of the security group.

Auditing Events

Event Information
S_LOGIN_WRITE File name

Examples

A typical port stanza looks like the following:
/dev/tty0:
  sak_enabled = true
  herald = "login to tty0:"
On Trusted AIX systems, the port stanza looks like the following example:
default:
        logindisable = 3
        sak_enabled = false
        logintimes =
        logininterval = 0
        loginreenable = 0
        logindelay = 0
        minsl = IMPL_LO
        maxsl = “TS ALL”
        tl    = TS

Files

Item Description
/etc/security/login.cfg Specifies the path to the file.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/passwd Contains the basic attributes of users.
/etc/security/passwd Contains password information.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/lastlog Contains last login information.
/etc/security/enc/LabelEncodings Contains label definitions for the Trusted AIX system.
/etc/security/pwdalg.cfg Contains configuration information for loadable password algorithms.