6. Execs the login program.

The steps that are relevant to the identification and authorization subsystem are step 5, which prompts for the user’s login name, and step 6, which executes the login program. The administrator can also use a command-line option to terminate the program if a user name is not entered within a specific amount of time.

5.11.3.2 gpasswd

The gpasswd program administers the /etc/group and /etc/gshadow files. gpasswd allows system administrators to designate group administrators for a particular group. Refer to the gpasswd man page for more detailed information. Group passwords are not used on the TOE.

5.11.3.3 login

The login program is used to authenticate a user signing on to the TOE. If root is trying to log in, the program makes sure that the login attempt is being made from a secure terminal listed in /etc/securetty. login prompts for the password and turns off the terminal echo to prevent the password from being displayed as the user types it. login then verifies the password for the account. If an initial password is not set for a newly created account, the user is not allowed to log in to that account. Unsuccessful login attempts are tallied, and access is denied if the number of failed attempts exceeds the number specified as the argument to the pam_tally.so module (deny=5). Once the password is successfully verified, various password aging restrictions, which are set up in /etc/login.defs, are checked. If the password has expired, the login program requests the user to change his or her password. If the password age is satisfactory, the program sets the user ID and group ID of the process, changes the current directory to the user’s home directory, and executes the shell specified in the /etc/passwd file. Refer to the login man page for more detailed information. Login generally follows these steps:

1. Sets language.

2. Parses command-line options.

3. Checks the tty name.

4. Sets the process group ID.

5. Gets control of the tty by killing processes left on this tty.

6. Calls pam_start() to initialize PAM data structures, including hostname and tty.

7. If a password is required and a username is not yet set, it prompts for a user name.

8. It calls pam_authenticate() in a loop to cycle through all configured methods. Audit records are created with the success and failure result of each configured authentication method.

9. If failed attempts exceed the maximum allowed, it exits.

10. Performs account management by calling pam_acct_mgmt().

11. Sets up supplementary group list.

12. Updates the utmp and wtmp files.

13. Changes ownership of the tty to the login user. When the user logs off, the ownership of the tty reverts back to root.

14. Changes the access mode of the tty.

15. Sets the primary group ID.

16. Sets environment variables.
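As an added illustrative model (not the TOE's login source), the following Python mirrors three of the decisions described above: the /etc/securetty restriction on root, the pam_tally deny=5 failure tally, and the password-aging check against PASS_MAX_DAYS from /etc/login.defs. The file contents and the day counts passed in are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample file contents, not taken from any real system.
SECURETTY = "# constructed /etc/securetty\nconsole\ntty1\ntty2\n"
LOGIN_DEFS = "# constructed /etc/login.defs\nPASS_MAX_DAYS 90\nPASS_WARN_AGE 7\n"


def _lines(text):
    """Non-empty, non-comment lines of a configuration file."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def secure_tty_ok(user, tty, securetty=SECURETTY):
    """Root may log in only from a terminal listed in /etc/securetty."""
    return user != "root" or tty in set(_lines(securetty))


def pass_max_days(login_defs=LOGIN_DEFS):
    """PASS_MAX_DAYS from login.defs (99999, i.e. never, if unset)."""
    defs = dict(l.split(None, 1) for l in _lines(login_defs))
    return int(defs.get("PASS_MAX_DAYS", 99999))


@dataclass
class Tally:
    """Per-user failure counter in the spirit of pam_tally.so deny=N:
    the attempt is counted up front and refused once the count exceeds N,
    so a correct password after too many failures is refused as well."""
    deny: int = 5
    failures: dict = field(default_factory=dict)

    def attempt(self, user, password_ok):
        n = self.failures.get(user, 0) + 1
        if n > self.deny:
            self.failures[user] = n
            return False
        self.failures[user] = 0 if password_ok else n   # success resets
        return True


def login_decision(user, tty, password_ok, lastchg_day, today, tally):
    """Run the checks in the order login makes them and report the first
    one that stops the login, or 'ok'. Days are counted as in /etc/shadow."""
    if not secure_tty_ok(user, tty):
        return "denied: root not on a secure tty"
    if not tally.attempt(user, password_ok):
        return "denied: failure tally exceeded"
    if not password_ok:
        return "failed: bad password"
    if today - lastchg_day > pass_max_days():    # the pam_acct_mgmt stage
        return "expired: password change required"
    return "ok"
```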

IBM 10 SP1 EAL4 manual Gpasswd, Login