authsh(ADM)


authsh -- administrator interface for authorization subsystem

Syntax

/usr/lib/sysadm/authsh

Description

authsh is the screen interface invoked by the sysadmsh(ADM) Accounts selection to administer the authorization subsystem. It is a full screen menu-driven interface that provides the functions necessary to control the generation and maintenance of user and system passwords, the terminal database configuration, terminal and account locking, and the generation of administrator reports on system activity.

The functions supported by the main level menu are:


User
This category of screen interfaces is provided for the setup and maintenance of user accounts and user account passwords. The screens are used to add, update, display, and delete user accounts from the system. Also, modifications to user account passwords, or to the various criteria controlling the generation of account passwords, are accomplished using this menu option.

Defaults
These options are provided for the maintenance of system-wide parameters like default privileges, password expiration, password lifetime, single-user password requirement, restrictive password generation, and the delay time between login attempts. These parameters apply on a global system basis rather than a user account basis.

Terminal
The terminal database interface screens are used for the maintenance of the database entries to support the addition, deletion, and update of terminal information. Additionally, this category includes the necessary screens for setting and clearing locks on specific terminals.

Report
This category provides the administrator with a method of generating various reports on system activity. Report types include password database, terminal database, and login activity reports.

Check
This option provides the administrator with a consistency check on databases (protected password, terminal control database, and subsystem database) and the password file (/etc/passwd). The password check returns system account warning messages. This option is not normally used.

/etc/default/authsh fields

The field values of /etc/default/authsh are:

LOGIN_GROUP
Name of default login group. Must exist in /etc/group.

OTHER_GROUPS
List of groups the user is to be a member of. Each group listed must exist in /etc/group. The LOGIN_GROUP does not need to be included in this list. The groups in the list may be separated by commas (,) or spaces.

SHELL
Name of default login shell, either the name of a shell defined in /usr/lib/mkuser, or the full pathname of an executable file. Note that the empty name is legal but is not equivalent to either sh or /bin/sh.

HOME_DIR
Default absolute pathname of parent directory of user's home directory. The home directory itself has the same name as the user. This parent directory must be r/w/x by group auth.

HOME_MODE
Default permissions for the user's home directory. Note that both HOME_DIR and HOME_MODE default settings can be overridden on a shell-specific and/or path-specific basis.

USER_TYPE
Default type of user:

Individual -- individual's personal account, used by one person, and one person only.
Operator, Administrator, Security Officer -- various classifications of accounts potentially used by more than one individual.
Pseudo-user -- anonymous account never directly used by a user.

All user types except Individual must have an associated account which is allowed to su(C) to the user.


UID
MIN_ADMIN_UID to MAX_ADMIN_UID, inclusive: UID values the administrator may choose.

MIN_SUGGEST_UID to MAX_SUGGEST_UID, inclusive: UID values the system may suggest.

Note that UIDs less than 200 are reserved and should not be used.


GID
Similar to UID ranges.

Note that GIDs less than 100 are reserved and should not be used.


MIN_USER_NAME
Minimum length of an acceptable user name (default: 3 characters).

MAX_USER_NAME
Maximum acceptable length of a user name (maximum of 8 characters).

MIN_GROUP_NAME
Minimum length for a group name (default: 3 characters).

MAX_GROUP_NAME
Maximum length for a group name (default: 8 characters).
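
The constraints listed above can be checked offline against copies of /etc/default/authsh and /etc/group. The following is an added example, not part of the original page and not SCO code. It assumes the defaults file uses NAME=value lines (the page lists only the field names), uses constructed sample contents, and skips the GID ranges because the page does not name those fields.

```python
import re

RESERVED_UID = 200  # the page: UIDs less than 200 are reserved
NAME_LIMIT = 8      # the page: user names have a maximum of 8 characters
SAMPLE_GROUP = "root::0:root\ngroup::50:\nauth::21:\n"  # constructed sample
SAMPLE_DEFAULTS = """LOGIN_GROUP=group
OTHER_GROUPS=auth, staff
SHELL=
HOME_DIR=usr
MIN_ADMIN_UID=100
MAX_ADMIN_UID=60000
MIN_SUGGEST_UID=200
MAX_SUGGEST_UID=60000
MAX_USER_NAME=12
"""  # constructed sample; the NAME=value layout is an assumption

def parse_defaults(text):
    """Parse NAME=value lines, skipping blank lines and # comments."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def number(fields, key):
    """Integer value of a field, or None when absent or not numeric."""
    value = fields.get(key, "")
    return int(value) if value.isdecimal() else None

def audit(defaults_text, group_text):
    """Return a list of findings for one defaults file and one /etc/group."""
    f, out = parse_defaults(defaults_text), []
    groups = {l.split(":", 1)[0] for l in group_text.splitlines() if l.strip()}
    if f.get("LOGIN_GROUP", "") not in groups:
        out.append("LOGIN_GROUP is not a group in /etc/group")
    for g in re.split(r"[,\s]+", f.get("OTHER_GROUPS", "")):
        if g and g not in groups:
            out.append(f"OTHER_GROUPS entry {g} is not in /etc/group")
    if f.get("SHELL") == "":
        out.append("SHELL is empty: legal, but not the same as sh or /bin/sh")
    if not f.get("HOME_DIR", "").startswith("/"):
        out.append("HOME_DIR is not an absolute pathname")
    for kind in ("ADMIN", "SUGGEST"):
        low, high = number(f, f"MIN_{kind}_UID"), number(f, f"MAX_{kind}_UID")
        if low is None or high is None or low > high:
            out.append(f"{kind} UID range is missing, not numeric, or inverted")
        elif low < RESERVED_UID:
            out.append(f"MIN_{kind}_UID={low} includes reserved UIDs below {RESERVED_UID}")
    longest = number(f, "MAX_USER_NAME")
    if longest is not None and longest > NAME_LIMIT:
        out.append(f"MAX_USER_NAME={longest} exceeds {NAME_LIMIT} characters")
    return out
```

Calling audit(SAMPLE_DEFAULTS, SAMPLE_GROUP) returns one finding per violated constraint; an empty list means the file satisfies every check made here.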

Limitations

Invoking authsh is not recommended; use the sysadmsh Accounts selection.

Files

/etc/group
/etc/passwd
/tcb/files/auth/[a-z]*
/etc/auth/subsystems/*
/etc/auth/system/*
/etc/default/authsh

See also

passwd(C)

"Maintaining system security" in Managing system security

Standards conformance

authsh is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005