AIX - Enhanced login privacy
Abstract This TIP describes how to increase the login security by masking the user name from the login so that someone watching does not know the identity of the user logged in. For related information about this topic, refer to the following IBM Redbooks publication: AIX 5L Differences Guide Version 5.2 Edition, SG24-5765-02
Contents
Enhanced login privacy for AIX 5L Version 5.2.0
AIX 5L Version 5.2 now supports enhanced security options regarding the user’s interface. On the default AIX’s login screen, the user name is visible when entered and the password line also includes the user name. In some security environments, displaying the user name on the screen is considered a security exposure. In Version 5.2, the administrator has the option to change the login password prompt and to hide the user name from login and system messages. These settings can be configured as the system default or on a per port basis. See the following example for the default behavior for logging in with telnet. The user is logging in as test9 and the user name test9 is displayed twice. The /usr/bin/su command also echoes the user name test8 in the password prompt. telnet (server1) AIX Version 5 (C) Copyrights by IBM and by others 1982, 2000. login: test9 test9's Password: ... $ su - test8 test8's Password: $ The new attributes for login privacy are located in /etc/security/login.cfg. The pwdprompt attribute defines the password prompt message when asking for the password during login. The usernameecho attribute is a boolean value that determines whether the user name is displayed during login and security related messages. If usernameecho is false, the user name will be hidden during login and security related messages. If usernameecho is true (the default), user names are displayed as normal. To set these attributes on a per port basis, you must create a new stanza if necessary for that port (for example, /dev/lft0) and add the attributes to that port. If you want to make these attributes system -wide, add them to the default stanza. Attributes in the port-specific stanza will override attributes in the default stanza. The following example shows the result of changing the system-wide password prompt to Password:. # chsec -f /etc/security/login.cfg -s default -a pwdprompt="Password:" telnet (server1) AIX Version 5 (C) Copyrights by IBM and by others 1982, 2000. login: root Password: In the following example, the password prompt is reset to default and usernameecho is set to false. The output for the telnet session is below. Notice that the user names displayed for the /usr/bin/su and /usr/bin/passwd commands are hidden. # chsec -f /etc/security/login.cfg -s default -a pwdprompt= # chsec -f /etc/security/login.cfg -s default -a usernameecho=false telnet (server1) AIX Version 5 (C) Copyrights by IBM and by others 1982, 2000. login: *****'s Password: ... $ passwd Changing password for "*****" *****'s Old password:
�*****'s New password: Enter the new password again: $ su - test8 3004-500 User "*****" does not exist. $ su - test4 *****'s Password: The following example shows how to specify the usernameecho attribute for a specific port (for example, /dev/lft0). Attributes specified in per port stanzas override the default stanza. chsec -f /etc/security/login.cfg -s /dev/lft0 -a usernameecho=false With the password prompt attribute pwdprompt set, the specified string is used by the su command when invoked by a non-root user, but the string will not be used by the passwd command to change the existing user password.
�