Monday, May 18, 2009

logging in


Users gain access to the system through "accounts." This is the first level of security. Although it is possible to configure applications that start directly on specific terminals, almost everyone has logged into a Linux system at least once. More than likely, if you are one of those people who never log in, you never see a shell prompt and are probably not reading this book.

Most Linux systems have a standard login. The figure below shows what the login process looks like. You see the name of the system, followed by a brief message (the contents of /etc/issue) and the login prompt, which usually consists of the system name and the word login. /etc/issue is a plain text file, so you can edit it as you please; because it is read each time a prompt is displayed, the changes appear the next time someone tries to log in. After the contents of /etc/issue, you see the login prompt, such as

jmohr!login: 

When you log in, you are first asked for your user name and then your password. Once you have been identified and your password verified, you are allowed access to the system. This usually means that the system starts a shell for you; however, many other programs (a menu program, for example) can be used in place of a shell.

[Image: The login process]

One field in your entry in the password file (/etc/passwd) is your home directory, the directory that is your current directory when you log in. It is also the place to which the shell returns you if you enter cd with no arguments. Another field is your login shell, the program started for you after a successful login.

After determining your login shell and placing you in your home directory, the shell sets up some systemwide defaults. With the Bourne shell (sh) or the Bourne Again shell (bash), these come from /etc/profile. A bash login shell then reads the first of .bash_profile, .bash_login or .profile that exists in your home directory; .bashrc is read by interactive shells that are not login shells, which is why most .bash_profile files source .bashrc explicitly. If you have sh, there is no equivalent of .bashrc. If you have the Z shell (zsh), the system defaults are established in /etc/zprofile (and /etc/zshrc and /etc/zlogin), after which the shell executes the commands in .zprofile, .zshrc and .zlogin in your home directory, provided they exist. See the appropriate man-page and the section on shell basics for more details.

During the login process, you are shown several pieces of information about the local system. Before the login prompt, you usually see the contents of /etc/issue, as mentioned earlier. After a successful login, you will normally see a message about your last login and the message of the day, which is the contents of the file /etc/motd.

In some cases, all of this information is bothersome. For example, many businesses have menus that their users log into, or applications that start from the users' .profile or .login, and to those users the information is of little value.

In some cases, even revealing that this is a UNIX-like system could be a problem. There are plenty of attackers who would love the chance to try to crack your security. By not telling them what kind of system you have, you give them less to work with: it is one more piece of information they need to figure out for themselves. Therefore, we need a way to disable these messages.

The two obvious places are /etc/issue and /etc/motd. By default, both of these files contain information about your system. By changing their contents or removing the files altogether, you eliminate that source of information. Keep in mind that a bare banner only removes a free hint; it does not stop an attacker from fingerprinting the system by other means, so treat it as hygiene rather than as a control.

Another source of information is the login: prompt itself. Again, by default this prompt contains the name of your system. This may not concern most system administrators, but where security is an issue I might like to remove it. On systems that use the System V-style getty, the prompt comes from the /etc/gettydefs file, which contains the information the getty program uses when it starts the login program on a terminal. The more common lines in the gettydefs file contain an entry that looks like this:

@S login:

Take a look at the login: prompt and you will see that it contains the literal string login: immediately following the name of the system. The name of the system comes from @S. By changing either part (or both), you can change the appearance of your login prompt, even removing the name of the system if you want. Note that most current Linux distributions run agetty (from util-linux) on the virtual consoles, which does not read /etc/gettydefs; its -i option suppresses the display of /etc/issue, and the agetty(8) man-page describes its other prompt-related options.

The getty(1m) man-page contains a list of the different pieces of information you can include in the login: prompt. If you are providing PPP dial-in services, I recommend that you do not add anything variable to your login prompt, such as the date/time or the port name. That makes creating chat scripts difficult, because the software trying to log in will not know what to expect.

At this point, we are left with the last-login message. Unfortunately, it is not contained in a file that can be removed as easily as /etc/motd or /etc/issue. However, by creating the file .hushlogin in your home directory, we can suppress it. The file has no contents; rather, its existence is the key (login also skips the message of the day and the mail check when it finds this file). You can create it simply by changing to the user's home directory (yours, if you are that user) and running touch .hushlogin.

Often administrators want to keep users' knowledge of the system as limited as possible. This is particularly important on systems with a high level of security, where users start applications and never see the shell prompt. One give-away of what kind of system you are on is the following line when you log in:

Last login: ...

System administrators often call support asking for a way to turn this feature off. Fortunately, there is one: this, too, is suppressed by the .hushlogin file. Once you have decided to use it, you can simplify things by having the file created every time a new user is added, simply by placing an empty .hushlogin in the /etc/skel directory. As with every other file in that directory, it is copied into the user's home directory whenever a new account is created.

One thing to consider before you turn this feature off is that the last-login message can be the first indication of a security problem. If it shows a login at a time when you were not there, or from a host you do not recognise, someone may be using your account. If you suppress the message for your users, make sure that someone still reviews the login records with last.

You can see who is currently logged in by running either the who or w command. The information these commands display is kept in the utmp file (/var/run/utmp on most Linux systems; older systems used /etc/utmp or /usr/adm/utmp). Once the system reboots, this information is gone.

You can also see the history of recent logins by using the last command. This information is kept in the wtmp file (/var/log/wtmp on most Linux systems). This file does persist across reboots and, depending on how active your system gets, I have seen it grow to more than a megabyte. Therefore, it is not a bad idea to rotate it at regular intervals; most Linux distributions do this automatically through logrotate. Rotate rather than simply delete: the old copies are evidence if you ever have to investigate a break-in, and last -f lets you read them.

One way to limit security risks is to keep the root account from logging in anywhere other than the system console. This is done by listing the permitted terminals in /etc/securetty. If root tries to log into a terminal that is not listed there, access is denied (on current Linux systems this check is performed by the pam_securetty module for services such as login that include it). It is a good idea to list only the virtual consoles (tty1, tty2, etc.). Note that /etc/securetty governs only programs that consult it: sshd does not, so root logins over SSH must be disabled separately with PermitRootLogin no in /etc/ssh/sshd_config.

If you really need root access from elsewhere, log in with a regular account (over ssh rather than telnet, which sends your password across the network in clear text) and then su to root. This then provides a record in the system log of who used su, and when.
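The two checks described above, reviewing login history from wtmp and restricting root to the consoles listed in /etc/securetty, as an added example in Python that is not code from the original page. It decodes wtmp records in the glibc x86_64 layout (384-byte records, 32-bit timeval fields; that layout is an assumption, check utmp(5) on other platforms), reports what login prints as the "Last login" entry for a user, flags root sessions on lines absent from securetty, and lists logins outside working hours. The wtmp bytes and the securetty contents are constructed inside the block, and the function names are mine; running it with a path argument such as /var/log/wtmp reads a real file instead.

```python
"""Parse Linux wtmp records and check them for the warning signs the text
mentions: a "last login" you do not recognise and root sessions on lines
that are not listed in /etc/securetty.

Added example, not code from the original page. Assumed: the glibc x86_64
struct utmp layout (384-byte records, 32-bit timeval fields); the wtmp
bytes and the securetty text below are constructed sample data.
"""
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64, see utmp(5): ut_type, 2 bytes padding, ut_pid,
# ut_line, ut_id, ut_user, ut_host, ut_exit (two shorts), ut_session,
# ut_tv (sec, usec as 32-bit ints), ut_addr_v6, 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
USER_PROCESS = 7   # ut_type written by login(1)/sshd when a session starts
DEAD_PROCESS = 8   # ut_type written at logout


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Decode every complete record in `data` (the bytes of a wtmp/utmp file)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit,
         _session, sec, _usec, _addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host), "time": sec})
    return records


def sessions(records, user=None):
    """Login records (ut_type USER_PROCESS), optionally for one user only."""
    return [r for r in records if r["type"] == USER_PROCESS
            and (user is None or r["user"] == user)]


def last_login(records, user):
    """The record login(1) would report as 'Last login:' for `user`, or None."""
    found = sessions(records, user)
    return max(found, key=lambda r: r["time"]) if found else None


def load_securetty(text):
    """Parse /etc/securetty contents: one tty name per line, '#' starts a comment."""
    ttys = set()
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if ln:
            ttys.add(ln)
    return ttys


def root_sessions_off_console(records, securetty):
    """Root logins on lines absent from securetty. pam_securetty would refuse
    these at the login prompt, so any hit came in through a path that does not
    consult the file (sshd, for instance) and deserves a closer look."""
    return [r for r in sessions(records, "root") if r["line"] not in securetty]


def sessions_outside_hours(records, user, start_hour, end_hour):
    """Logins for `user` whose UTC hour falls outside [start_hour, end_hour)."""
    return [r for r in sessions(records, user)
            if not start_hour <= datetime.fromtimestamp(
                r["time"], timezone.utc).hour < end_hour]


def _record(ut_type, pid, line, user, host, sec):
    """Build one 384-byte record (used only to construct the sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"")


# Constructed sample data, not a real wtmp. T0 is 2009-05-18 12:00:00 UTC.
T0 = 1242648000
SAMPLE_WTMP = b"".join([
    _record(USER_PROCESS, 1001, "tty1", "jmohr", "", T0),
    _record(USER_PROCESS, 1002, "tty2", "root", "", T0 + 600),
    _record(DEAD_PROCESS, 1001, "tty1", "", "", T0 + 1800),
    _record(USER_PROCESS, 1003, "pts/3", "root", "192.0.2.55", T0 + 3 * 3600),
    _record(USER_PROCESS, 1004, "pts/0", "jmohr", "203.0.113.9", T0 + 15 * 3600),
])
SAMPLE_SECURETTY = "# local console only\nconsole\ntty1\ntty2\ntty3\n"

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    recs = parse_wtmp(data)
    for r in sessions(recs):                      # last(1)-style listing
        when = datetime.fromtimestamp(r["time"], timezone.utc)
        print(f"{r['user']:<8} {r['line']:<8} {r['host']:<16} {when:%Y-%m-%d %H:%M}")
    for r in root_sessions_off_console(recs, load_securetty(SAMPLE_SECURETTY)):
        print("root login outside securetty:", r["line"], r["host"])
```

The record in the sample that trips the securetty check is root on pts/3 from a remote address, exactly the case the text warns about: a pseudo-terminal is never a console, so either root logged in over a service that ignores /etc/securetty or the file was bypassed. The out-of-hours check is the automated form of noticing a "Last login" at a time when you were not there.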
