6.7 Restricting Login Location and Times

[Danger level 3 icon]

The /etc/securetty configuration file may be used to limit which terminals root may log in on. However, one can still su to root from any terminal from any account, and crackers may make as many guesses of a user's password as they wish. The login program on Red Hat and Mandrake also offers the /etc/usertty configuration file, which allows you to place additional restrictions on when users may log in and from where. It is well documented in login(1). It allows specifying which users may log in from which tty devices, from which remote systems, and at what times. Besides listing remote hosts by name, it allows listing them by numeric address together with the number of high-order bits that must match.

This allows you to restrict users to logging in from your network. It also enables you to allow certain users to log in from certain networks or IP addresses, perhaps their home systems. Allowing telnet from outside your network is not recommended, as SSH offers a much more secure solution.

You could also modify login to keep track of how many incorrect passwords are given in a row for each account and lock out accounts with too many bad guesses. This probably would take an afternoon to implement.
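The bookkeeping such a modification needs, as an added example that is not the book's code and not a patch to login: a Python routine that reads syslog-style lines in the format login(1) writes ("FAILED LOGIN n FROM origin FOR user" and "LOGIN ON tty BY user"), keeps a per-account count of consecutive failures, resets it on a successful login, and reports accounts that reached the threshold. The sample lines, host and user names, addresses and the threshold of three are constructed for the example.

```python
import re
from collections import defaultdict

MAX_BAD_GUESSES = 3  # assumed threshold: report the account after this many failures in a row

# Constructed syslog-style lines in the format login(1) emits; not real log data.
SAMPLE_LOG = """\
Jan 10 09:01:02 host login[1201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
Jan 10 09:01:09 host login[1201]: FAILED LOGIN 2 FROM 10.0.0.5 FOR alice, Authentication failure
Jan 10 09:01:20 host login[1201]: LOGIN ON ttyp0 BY alice FROM 10.0.0.5
Jan 10 09:02:01 host login[1230]: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure
Jan 10 09:02:05 host login[1230]: FAILED LOGIN 2 FROM 10.0.0.9 FOR root, Authentication failure
Jan 10 09:02:11 host login[1230]: FAILED LOGIN 3 FROM 10.0.0.9 FOR root, Authentication failure
Jan 10 09:03:00 host login[1245]: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure
Jan 10 09:05:00 host login[1250]: FAILED LOGIN 1 FROM (null) FOR bob, Authentication failure
"""

# "FROM (null)" is what login logs for a local console; a remote origin is a host or address.
FAILED_RE = re.compile(r"login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\w+),")
SUCCESS_RE = re.compile(r"login\[\d+\]: LOGIN ON \S+ BY (\w+)")


def track_failures(log_text, max_bad=MAX_BAD_GUESSES):
    """Return (streaks, locked).

    streaks: consecutive failed-password count per account, as of the end of the log.
    locked:  accounts whose streak reached max_bad at some point. A successful login
             resets an account's streak, but does not clear an existing lockout, since
             once locked the account should not be accepting passwords at all.
    """
    streaks = defaultdict(int)
    locked = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _origin, user = m.groups()
            streaks[user] += 1
            if streaks[user] >= max_bad:
                locked.add(user)
            continue
        m = SUCCESS_RE.search(line)
        if m and m.group(1) not in locked:
            streaks[m.group(1)] = 0
    return dict(streaks), locked


if __name__ == "__main__":
    counts, locked_accounts = track_failures(SAMPLE_LOG)
    for account, n in sorted(counts.items()):
        state = "LOCKED" if account in locked_accounts else "ok"
        print(f"{account:8s} consecutive failures: {n}  [{state}]")
```

In login itself the counter would live in a small per-account state file updated by the failure path rather than in the log, but the decision logic (count failures in a row, reset on success, refuse once the threshold is reached) is the same as shown here.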

There is an alternative, PAM, short for Pluggable Authentication Module. It is found in Red Hat and Mandrake but not in Slackware. The online documentation for PAM is in /usr/doc/pam* and on the Web at

www.kernel.org/pub/linux/libs/pam/

There is also some documentation at

news.tucows.com/ext2/99/08/security/081999-security1.shtml

PAM allows limiting logins and su by user, tty, day of the week, time of day, and even the system that one is telnetting in from. It even allows interfacing the passwd command to cracklib to prevent your users from picking easy-to-crack passwords. The book Linux System Security by Mann & Mitchell gives a very detailed explanation of the use of PAM. See also "The Seven Most Deadly Sins" on page 27.
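The day-of-week and time-of-day rules PAM applies are the pam_time module's /etc/security/time.conf lines, written as `services;ttys;users;times`, where each field is a list joined with `&` and `|`, `!` negates an entry, `*` matches anything, and a time term is a run of day codes (Mo Tu We Th Fr Sa Su, Wk for weekdays, Wd for weekend, Al for all) followed by an HHMM-HHMM range. As an added example that is not the book's code and not Linux-PAM's implementation, the Python below evaluates a small constructed rule set of that form against a service, tty, user and clock time. Assumptions for the example: the rule lines and user names are constructed; `|` binds looser than `&` in a field (pam_time itself evaluates left to right); a request matching no rule is permitted, as in pam_time; and a range whose end is before its start wraps past midnight.

```python
import fnmatch
import re
from datetime import datetime

# Constructed rules in the style of /etc/security/time.conf (pam_time); not a real system's file.
#   services ; ttys ; users ; times
SAMPLE_TIME_CONF = """
# console logins for everyone, weekdays 08:00-20:00 only
login ; tty* & !ttyp* ; * ; Wk0800-2000
# su: alice at any time, everyone else only during weekday office hours
su ; * ; alice ; Al0000-2400
su ; * ; !alice ; Wk0800-1700
# pseudo-terminals (remote sessions): bob may log in, but never on a weekend
login ; ttyp* ; bob ; !Wd0000-2400
"""

# weekday() numbering: Monday = 0 ... Sunday = 6
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

_TIME_RE = re.compile(
    r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{2})(\d{2})-(\d{2})(\d{2})$")


def _match_list(spec, value):
    """Evaluate a service/tty/user field such as 'tty* & !ttyp*' or '!alice' against value.
    Assumed precedence for this example: '|' is split first, then '&', then a single
    glob pattern with optional leading '!'."""
    spec = spec.strip()
    if "|" in spec:
        return any(_match_list(s, value) for s in spec.split("|"))
    if "&" in spec:
        return all(_match_list(s, value) for s in spec.split("&"))
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    hit = fnmatch.fnmatchcase(value, spec)
    return not hit if negate else hit


def _time_term_matches(term, when):
    """One term such as 'Wk0800-2000' or '!Wd0000-2400' against a datetime."""
    m = _TIME_RE.match(term.strip())
    if not m:
        raise ValueError(f"bad time term: {term!r}")
    negate, days, sh, sm, eh, em = m.groups()
    allowed_days = set()
    for code in re.findall(r"..", days):
        allowed_days ^= DAY_CODES[code]  # a repeated day code toggles that day off again
    start = int(sh) * 60 + int(sm)
    end = int(eh) * 60 + int(em)       # 2400 means end of day (1440 minutes)
    now = when.hour * 60 + when.minute
    if start < end:
        in_range = start <= now < end
    else:                              # range wraps past midnight, e.g. 2200-0600
        in_range = now >= start or now < end
    hit = when.weekday() in allowed_days and in_range
    return not hit if negate else hit


def _times_match(spec, when):
    """The times field: terms joined with '|' (any one term suffices)."""
    return any(_time_term_matches(t, when) for t in spec.split("|"))


def login_permitted(conf, service, tty, user, when):
    """True unless some rule matching (service, tty, user) excludes the time `when`.
    Every rule is checked; a request that matches no rule at all is allowed."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        svc, ttys, users, times = [f.strip() for f in line.split(";")]
        if (_match_list(svc, service) and _match_list(ttys, tty)
                and _match_list(users, user)):
            if not _times_match(times, when):
                return False
    return True


if __name__ == "__main__":
    wed_night = datetime(2024, 1, 10, 22, 0)   # a Wednesday
    sat_noon = datetime(2024, 1, 13, 12, 0)    # a Saturday
    print("carol on tty1, Wed 22:00:", login_permitted(SAMPLE_TIME_CONF, "login", "tty1", "carol", wed_night))
    print("bob on ttyp0, Sat 12:00: ", login_permitted(SAMPLE_TIME_CONF, "login", "ttyp0", "bob", sat_noon))
```

The same evaluation shape applies to the tty-by-time restrictions of Slackware's /etc/porttime described below: a list of matching rules, each carrying the days and hours during which the match is allowed, consulted at login time.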

On Slackware, there are many more capabilities in /etc/login.defs than on other distributions. One can specify the use of the /etc/porttime configuration file to control which users may log in on which ttys at what times. It can be used to specify that only users listed in GID 0 in /etc/group may su to root. It can be used to enable the use of cracklib to prevent a user from changing her password to one that is easily guessed. The shipped /etc/login.defs file is amply commented to enable a SysAdmin to configure it to her liking without reading additional documentation, except for "man foo" to determine the format of whatever file, foo, is referenced by login.defs.

In summary, the Slackware /etc/login.defs allows much of the same capability as PAM. It took me less than five minutes of studying it to understand it.

Real World Linux Security, Prentice Hall PTR Open Source Technology Series
Year: 2002
Pages: 260