12.6 HP-UX and Tru64 Terminal Line Attributes


Under HP-UX and Tru64, the enhanced security facility provides a mechanism for specifying several security-related terminal line attributes. Default values, which apply to every terminal line that does not explicitly override them, are found in the t_ fields of the default file, stored in /etc/auth/system under Tru64 and /tcb/files/auth/system under HP-UX.

Here is an example from a Tru64 system:

default:\
        :d_name=default:\
        ...
        :t_logdelay#2:t_maxtries#10:t_unlock#0:\
        :t_login_timeout#15:chkent:

These are the settable terminal line attribute fields, which may be used in the default file and in the ttys file; the latter contains entries for each terminal line on the system and is located in /etc/auth/system under Tru64 (in binary form, as ttys.db) and in /tcb/files/auth/system under HP-UX:

t_maxtries

Terminal will be automatically locked after t_maxtries+1 consecutive login failures.

t_logdelay

Indicates the number of seconds to wait after an unsuccessful login attempt before giving the next prompt.

t_lock

Indicates that the terminal line is locked (t_lock@ means unlocked).

t_login_timeout

Number of seconds after which to abort an incomplete login.

t_unlock

Number of seconds after which to unlock a terminal locked due to too many unsuccessful login attempts (Tru64 only). A value of 0 means that the terminal line must be explicitly unlocked by the system administrator.

Here is an example ttys entry:

tty02:t_devname=tty02:t_uid=root:t_logtime#791659419:\
   :t_unsucuid=wang:t_unsuctime#793396080:t_prevuid=chavez:\
   :t_prevtime#791659434:t_failures#4:t_maxtries#8:t_logdelay#5:\
   :t_login_timeout#20:chkent:

In addition to the specific security attributes, the entry also holds information about recent login activity on that terminal line: the UID and time of the most recent successful login, last unsuccessful login attempt, and most recent logout from this terminal; and the number of consecutive login failures (this is reset to 0 after a successful login). See the ttys manual page for details on all terminal line-related attributes.

In addition, the v_users attribute in the devassign file can specify a comma-separated list of users who may access each device on the system; see the devassign manual page for more information.
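The following Python sketch is an added example, not code from the book or from either vendor. It parses the text form of the default and tty02 entries shown above, resolves the effective t_ attributes (ttys values override the default file), and reports how close the line is to the automatic lock. The function names parse_entry and line_status are hypothetical, and the field syntax is inferred from the two entries on this page (name#N numeric, name=S string, bare name true, name@ false).

```python
import re

# Entries copied from the page's examples; the elided "..." line of the
# default entry is left out.
DEFAULT = r"""default:\
        :d_name=default:\
        :t_logdelay#2:t_maxtries#10:t_unlock#0:\
        :t_login_timeout#15:chkent:"""
TTY02 = r"""tty02:t_devname=tty02:t_uid=root:t_logtime#791659419:\
   :t_unsucuid=wang:t_unsuctime#793396080:t_prevuid=chavez:\
   :t_prevtime#791659434:t_failures#4:t_maxtries#8:t_logdelay#5:\
   :t_login_timeout#20:chkent:"""

def parse_entry(text):
    """Return (name, fields) for one colon-separated entry."""
    # Join backslash-continued lines into a single logical line.
    joined = re.sub(r"\\\s*\n\s*", "", text.strip())
    name, *caps = [c for c in joined.split(":") if c]
    fields = {}
    for cap in caps:
        m = re.match(r"(\w+)([#=@]?)(.*)", cap)
        if not m:
            continue  # skip anything that does not start with a field name
        key, op, val = m.groups()
        # '#' numeric, '=' string, '@' false flag, bare name true flag
        fields[key] = int(val) if op == "#" else val if op == "=" else op != "@"
    return name, fields

def line_status(default_text, tty_text):
    """Effective t_ attributes and lock state for one terminal line."""
    _, defaults = parse_entry(default_text)
    name, own = parse_entry(tty_text)
    # The line's own ttys values take precedence over the default file.
    eff = {k: v for k, v in {**defaults, **own}.items() if k.startswith("t_")}
    failures, maxtries = eff.get("t_failures", 0), eff.get("t_maxtries")
    # Per the text: the line locks after t_maxtries+1 consecutive failures.
    auto_locked = maxtries is not None and failures >= maxtries + 1
    return {
        "line": name,
        "effective": eff,
        "inherited": sorted(k for k in eff if k not in own),
        "locked": bool(eff.get("t_lock", False)) or auto_locked,
        "failures_until_lock": (None if maxtries is None
                                else max(maxtries + 1 - failures, 0)),
        "manual_unlock": eff.get("t_unlock") == 0,  # 0: administrator unlocks
    }

if __name__ == "__main__":
    print(line_status(DEFAULT, TTY02))
```

For tty02, the only terminal attribute inherited from the default file is t_unlock, so a lockout on that line stays in place until an administrator clears it.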



Essential System Administration, Third Edition
ISBN: 0596003439
EAN: 2147483647
Year: 2002
Pages: 162
