AIX V6.1 Remote Login Session Management

Provisions for automatic session logoff for regulatory compliance

Regulatory compliance regimes require systems to implement automatic logoff of idle sessions as part of a secure environment. UNIX® based solutions make extensive use of utilities such as FTP, TELNET and SSH, whose sessions must be configured to time out automatically. This article explains the relationship between automatic logoff and various regulatory compliance requirements, and then steps through the administrative procedure for configuring it for FTP, TELNET and SSH on AIX V6.1.


Bhushan Pradip Jain (bhujain1@in.ibm.com), Associate Software Engineer, IBM  

Bhushan Pradip Jain is an Associate Software Engineer working for the IBM India Software Labs. He has published a technology named "Policy-Driven File Encryption Explorer Based on OpenPGP" under alphaWorks and is currently working on IBM Unified Scalable Storage. He has also worked on developing an Intrusion Detection System and on implementing part of the operating system for a multi-antenna telescope. Bhushan completed his B.Tech. in Computer Engineering at the College of Engineering, Pune (COEP). You can contact him at bhujain1@in.ibm.com.



22 June 2010


Introduction

AIX V6.1 ships with various security features that help meet the regulatory compliance requirements applicable to different industry sectors such as federal government, finance and health care. The functionality ranges from securing data at rest and data in transit to login and password management. These features make AIX V6.1 an attractive UNIX based system for hosting solutions and applications in compliance-driven industries.

UNIX based systems and solutions make extensive use of remote login and file transfer technologies such as FTP, TELNET and SSH, not only for administrative tasks but also for other parts of the overall solution. Proper use of such remote login sessions falls under the auditing umbrella of various compliance regimes. From a compliance perspective, the two prime factors to consider for the remote login sessions of these utilities are authentication with secure transmission and automatic logoff of idle sessions. The former can be accomplished with Kerberos (see Resources) or a similar network security protocol; the latter requires specific administrative tuning. In this article, we map the need for automatic logoff of remote sessions to various compliance requirements and then explain the administrative procedures required to enable it on AIX V6.1 systems. The article will help administrators tune the remote utility sessions on their AIX systems to adhere to compliance requirements and to address the risk associated with unattended remote sessions.


What is automatic logoff?

Automatic logoff protects dormant sessions on a given system (generally remote, but not necessarily) from misuse, helping to mitigate the risk of malicious activity. Authorized users often log in to systems through mechanisms such as SSH, TELNET or FTP and then either forget to log off or leave the session idle. Anyone who can reach such a session, whether at an unattended terminal or through a hijacked connection, can act with the privileges of the logged-in user and potentially disrupt the system. The automatic logoff feature alleviates this risk by terminating the session once it has been idle for a recommended, predetermined interval.


Regulatory compliance and automatic logoff

Different regulatory compliance regimes, mandated by government, apply to different industry sectors. Most of them directly influence the design, development and deployment of IT solutions for businesses, to ensure a safe and audited environment, and most of them require automatic logoff facilities for IT systems to help protect them from malicious influence. For example:

  • The Health Insurance Portability and Accountability Act (HIPAA) provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Security Rule, Section 164.312(a)(2)(iii), titled Automatic logoff, states the requirement as "Implement procedures to terminate an electronic session after a predetermined time of inactivity" (see Resources).
  • The State of Oklahoma Information Security Policy, Procedures and Guidelines, which govern the protection of the state's information assets, require automatic logoff: Section 7.4, Access Control, calls for a session to time out after 15 minutes of inactivity (see Resources).
  • Title 21, Part 11 of the U.S. Food and Drug Administration's (FDA) Code of Federal Regulations requires drug makers, medical device manufacturers, biotechnology companies, biologics developers and other FDA-regulated industries (except food manufacturers) to implement controls, including audits, validation systems and documentation, for software and systems involved in processing many forms of data as part of business operations and product development. Section 11.300(d) requires the "Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management." (see Resources).

The other compliance regulations stating the need for similar functionality are:

  • FERPA: 34 CFR Part 99 [Family Educational Rights and Privacy Act]
  • GLB: 16 CFR Part 314 Standards for Safeguarding Customer Information [section 501(b) of the Gramm-Leach-Bliley Act ("GLB Act")]
  • USA Patriot Act

For more details, see "Information Technology Security Policy" laid down by University of Oklahoma (see Resources).

This shows how widely automatic logoff is required across regulatory compliance regimes. In the next section, we explain the procedures for enabling automatic logoff for the most popular remote login utilities on AIX V6.1.


Auto logoff procedures for AIX V6.1 (FTP, TELNET, SSH)

File Transfer Protocol (FTP), TELNET and SSH (Secure Shell) are popular remote login mechanisms on AIX V6.1, used in various ways for various purposes within a given solution. AIX V6.1 provides administrative procedures for configuring the auto logoff feature for each of these utilities. The following sections explain these procedures with examples:

FTP with automatic logoff feature

In AIX, the inetd daemon provides Internet service management for the network and is started by default every time the system boots. The AIX ftpd has an idle session timeout feature, but it has to be enabled explicitly by telling inetd to start ftpd with the inactivity interval after which the connection is to be dropped. The /etc/inetd.conf file (the configuration file for inetd) describes how the FTP service is started. As shown below, we edit /etc/inetd.conf to set the FTP session inactivity interval to 60 seconds by appending ftpd's -t option. Typically, this value will depend on the business policy as well as the regulatory compliance guidelines. Note that the idle timeout limits how long an abandoned FTP session stays usable; it does nothing about the fact that plain FTP carries credentials and data in cleartext, which is the transport-security concern addressed separately in the introduction.

Code 1: Configure inetd configuration file for FTP with Automatic Logoff.
(0) root @ motu: 61H (0934A_61H) : / # hostname
motu.in.ibm.com

(0) root @ motu: 61H (0934A_61H) : / # vi /etc/inetd.conf
..........................
..........................

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -t 60

..........................
..........................
:wq

Note that the "ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd" entry is usually already present in /etc/inetd.conf. You just have to append "-t 60" to it.

Now the FTP subserver must be restarted for the change to take effect. The following commands stop and start the FTP subserver under inetd; alternatively, "refresh -s inetd" makes inetd re-read /etc/inetd.conf. Either way, only new connections pick up the timeout; FTP sessions that are already established keep the old setting until they end.

Code 2: Restart FTP subserver.
(0) root @ motu: 61H (0934A_61H) : / # stopsrc -t ftp
0513-127 The ftp subserver was stopped successfully.
(0) root @ motu: 61H (0934A_61H) : / # startsrc -t ftp
0513-124 The ftp subserver has been started.

Let's verify the automatic logoff configuration set above. Once we are successfully connected to the FTP server (confirmed with a few basic commands), we deliberately leave the session idle for at least 60 seconds. The next command we issue should be answered by the server with "421 Timeout (60 seconds): closing connection.", which indicates that auto logoff for FTP is configured successfully.

Code 3: Verify the FTP automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ftp motu.in.ibm.com
Connected to motu.in.ibm.com.
220 motu.in.ibm.com FTP server (Version 4.2 Wed Jun 3 15:43:49 CDT 2009) ready.
Name (motu.in.ibm.com:root): root
331 Password required for root.
Password:
230-Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from 
ssingh11.in.ibm.com

230-Last login: Tue Nov 24 15:36:56 IST 2009 on ftp
230 User root logged in.
ftp> cd
(remote-directory) /
250 CWD command successful.
ftp> lcd
Local directory now /
ftp> cd
(remote-directory) /
421 Timeout (60 seconds): closing connection.
ftp> quit

Note that even though the FTP server had automatically closed the connection after 60 seconds on inactivity, the client will only be informed when it tries to execute a command after the timeout.
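The check an auditor would run against this setting, as an added example that is not code from the original article: a small POSIX sh script that reads an inetd.conf file, extracts the -t value of the active ftp entry and compares it with a policy maximum. It assumes the AIX inetd.conf field order (service, socket type, protocol, wait flag, user, server path, server arguments) and that the timeout is given as a separate "-t <seconds>" argument pair; an entry without -t leaves ftpd at its built-in default, which the check treats as "not pinned by policy". The four inetd.conf fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not code from the original article): report and check
# the idle timeout configured for the ftp subserver in an inetd.conf file.
# Assumptions: AIX inetd.conf field layout (service, socket type, protocol,
# wait flag, user, server path, server arguments) and a separate "-t SECONDS"
# argument pair as accepted by AIX ftpd. On a real host run:
#   check_ftp_timeout 900 /etc/inetd.conf

# Print the -t value of the first active ftp entry in FILE (default: stdin);
# print nothing when the entry is commented out, absent, or has no -t.
ftp_idle_timeout() {
    awk '
        /^[ \t]*#/ { next }                    # commented-out services
        $1 == "ftp" {
            for (i = 7; i <= NF; i++)          # argv[0] is field 7, flags follow
                if ($i == "-t" && i < NF) { print $(i + 1); exit }
            exit                               # ftp entry present but no -t
        }
    ' "${1:--}"
}

# check_ftp_timeout MAX [FILE]: 0 when -t is set to a number no larger than
# MAX seconds, 1 when -t is missing or not numeric, 2 when larger than MAX.
check_ftp_timeout() {
    _t=$(ftp_idle_timeout "${2:--}")
    case $_t in ''|*[!0-9]*) return 1 ;; esac
    [ "$_t" -le "$1" ] || return 2
    return 0
}

# Constructed sample inetd.conf fragments (not copied from a real host).
INETD_OK='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -t 60
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd'
INETD_DEFAULT='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd'
INETD_LARGE='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -t 7200'
INETD_DISABLED='#ftp    stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -t 60'

# Demonstration against a 900-second (15-minute) policy maximum.
for name in INETD_OK INETD_DEFAULT INETD_LARGE INETD_DISABLED; do
    eval "body=\$$name"
    rc=0
    printf '%s\n' "$body" | check_ftp_timeout 900 || rc=$?
    printf '%-15s -t=[%s] rc=%s\n' "$name" \
        "$(printf '%s\n' "$body" | ftp_idle_timeout)" "$rc"
done
```

The return code distinguishes "never configured" from "configured too loosely", which is the distinction an audit finding needs; a commented-out ftp entry reports no timeout because the service is not being offered at all, so a separate check for whether FTP should be enabled belongs elsewhere.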

TELNET with automatic logoff feature

The auto logoff provision for TELNET on AIX V6.1 is controlled through /etc/profile. The /etc/profile file is an administrator-governed system configuration file that sets system-wide defaults for every user whose login shell is Bourne-compatible (sh, ksh or bash); it is read by the login shell that telnetd starts after a successful login. To prevent the security hazard of users leaving their accounts unattended, the administrator sets the shell variable TMOUT in /etc/profile. In the example below, the first line, TMOUT=<time interval in seconds>, sets the inactivity interval after which the shell logs the session off; here we set it to 60 seconds. This value will depend on the business policy as well as the regulatory compliance guidelines. The second line marks the variable read-only so that a user cannot override the default (for example with TMOUT=0, which disables the timeout in ksh and bash) to keep the session open longer than the configured interval. Two caveats apply: the shell enforces TMOUT only while it is waiting for input at its prompt, so a foreground program such as an editor or a long-running command is not interrupted; and the read-only attribute protects the login shell only, since it is not inherited by a subshell or another shell the user starts by hand. On subsequent remote logins to the system, TMOUT will be read-only with an inactivity value of 60 seconds.

Code 4: Configure profile configuration file for automatic logoff.
(0) root @ motu: 61H (0934A_61H) : / # vi /etc/profile
..........................
..........................

TMOUT=60
readonly TMOUT

..........................
..........................
:wq!

Let us verify the settings above. As shown below, after we TELNET to the machine, the command "echo $TMOUT" prints 60, indicating that the new value is in effect. The attempt to change the variable fails, because we made it read-only. If we then leave the TELNET session idle for 60 seconds, the shell logs the session off (as seen below), confirming that automatic session logoff for TELNET is enabled on AIX V6.1. Note that in the listing below we are using a bash shell:

Code 5: Verify the TELNET automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # telnet motu.in.ibm.com
Trying...
Connected to motu.in.ibm.com.
Escape character is '^]'.


telnet (motu.in.ibm.com)

AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
*****************************************************************************
*                                                                           *
*                                                                           *
*  Welcome to AIX Version 6.1!                                              *
*                                                                           *
*                                                                           *
*  Please see the README file in /usr/lpp/bos for information pertinent to  *
*  this release of the AIX Operating System.                                *
*                                                                           *
*                                                                           *
*****************************************************************************
Last unsuccessful login: Mon Oct 26 12:20:34 IST 2009 on /dev/pts/0 from
ssingh11.in.ibm.com

Last login: Tue Nov 24 15:40:50 IST 2009 on /dev/pts/1

(0) root @ motu: 61H (0934A_61H) : / # echo $TMOUT
60
(0) root @ motu: 61H (0934A_61H) : / # echo $SHELL
/usr/bin/bash
(0) root @ motu: 61H (0934A_61H) : / #  export TMOUT=200
-bash: TMOUT: readonly variable
(1) root @ motu: 61H (0934A_61H) : / # timed out waiting for input: auto-logout
Connection closed.
(0) root @ motu: 61H (0934A_61H) : / #

Note that no restart is required for the change to /etc/profile: the file is read by every new login shell, so the timeout applies to the next login whether it arrives over TELNET, over SSH or at the physical console. Sessions that were already logged in when the file was edited keep their old environment until they log out.

SSH with automatic logoff feature

Many solutions prefer SSH over TELNET for its encrypted transport and stronger authentication. Conveniently, the /etc/profile configuration made for TELNET above also applies to SSH, because sshd starts the user's login shell for an interactive session and that shell reads /etc/profile. The sshd_config options ClientAliveInterval and ClientAliveCountMax are not a substitute: they detect a client that has stopped responding to the server's keepalive messages, not a user who is connected but idle.

So, instead of TELNET, let us SSH into the machine and test the behavior. We SSH in as a user other than root whose login shell is ksh (Korn shell). Once logged in, we run the same commands as before to confirm that TMOUT is set to 60 and that the variable is read-only and cannot be changed. After 60 seconds of inactivity we get a connection closed message from the remote machine, which indicates that auto logoff is in effect for SSH as well.

Code 6: Verify the SSH automatic logoff functionality.
(0) root @ motu: 61H (0934A_61H) : / # ssh bhushan@motu.in.ibm.com
bhushan's Password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Tue Nov 24 18:35:22 IST 2009 on ssh
Last login: Tue Nov 24 18:27:43 IST 2009 on /dev/pts/2
*****************************************************************************
*                                                                           *
*                                                                           *
*  Welcome to AIX Version 6.1!                                              *
*                                                                           *
*                                                                           *
*  Please see the README file in /usr/lpp/bos for information pertinent to  *
*  this release of the AIX Operating System.                                *
*                                                                           *
*                                                                           *
*****************************************************************************
Could not chdir to home directory /home/bhushan: A file or directory in the 
path name does not exist.

$ echo $TMOUT
60
$ echo $SHELL
/usr/bin/ksh
$ export TMOUT=200
ksh: TMOUT: This variable is read only.
$ pwd
/
Shell will time out in 60 seconds.
ksh: Timed out waiting for input.
Connection to motu.in.ibm.com closed.
(1) root @ motu: 61H (0934A_61H) : / #

Note that on AIX V6.1 the same TMOUT setting in /etc/profile governs every login that ends in a Bourne-compatible login shell (sh, ksh or bash, for root and non-root users alike), whether the login arrives over TELNET, SSH or the console, which is why the TELNET and SSH results above match. It does not cover sessions that never start a login shell, such as FTP (hence the separate ftpd -t setting) or non-interactive SSH use like scp, sftp and "ssh host command", and it does not cover users whose login shell is csh, which does not read /etc/profile and must be configured separately.
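The corresponding audit for the TELNET and SSH procedure above, as an added example that is not code from the original article: a POSIX sh script that parses a profile file for the TMOUT assignment and the readonly marker, and fails when the timeout is missing, zero (which disables it), not read-only, or above a policy maximum. It assumes the assignment forms TMOUT=<seconds>, export TMOUT=<seconds> and readonly TMOUT=<seconds>, and the lock forms readonly TMOUT or readonly TMOUT=<seconds>; ksh "typeset -r" forms are not recognised. The profile fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not code from the original article): check that a
# Bourne-style profile pins the shell idle timeout as described above.
# Assumptions: TMOUT is assigned as TMOUT=<seconds>, optionally prefixed by
# "export" or "readonly", and locked with "readonly TMOUT" or
# "readonly TMOUT=<seconds>"; "typeset -r" is not recognised. TMOUT=0
# disables the timeout in ksh and bash, so it counts as "not set".
# On a real host run:  check_profile_tmout 900 /etc/profile

# Print "<seconds> <readonly>" for FILE (default: stdin). seconds is "-" when
# no numeric TMOUT assignment is in effect (the last assignment wins);
# readonly is 1 when TMOUT has been marked read-only.
profile_tmout_status() {
    awk '
        /^[ \t]*#/ { next }                       # comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            ro_here = (line ~ /^readonly[ \t]+/)
            sub(/^(export|readonly)[ \t]+/, "", line)
            if (line ~ /^TMOUT=/) {               # an assignment
                v = substr(line, 7)
                sub(/[ \t;].*$/, "", v)           # drop trailing comment or ";"
                val = (v ~ /^[0-9]+$/) ? v : "-"
                if (ro_here) ro = 1               # "readonly TMOUT=60" sets and locks
            } else if (ro_here && line ~ /^TMOUT([ \t]|$)/) {
                ro = 1                            # plain "readonly TMOUT"
            }
        }
        END { s = (val == "" ? "-" : val); print s, ro + 0 }
    ' "${1:--}"
}

# check_profile_tmout MAX [FILE]: 0 when TMOUT is 1..MAX seconds and read-only;
# 1 when unset, non-numeric or 0 (timeout disabled); 2 when not read-only;
# 3 when larger than MAX.
check_profile_tmout() {
    _status=$(profile_tmout_status "${2:--}")
    _secs=${_status% *}
    _ro=${_status#* }
    case $_secs in -|0) return 1 ;; esac
    [ "$_ro" -eq 1 ] || return 2
    [ "$_secs" -le "$1" ] || return 3
    return 0
}

# Constructed sample fragments standing in for /etc/profile.
PROFILE_OK='PATH=/usr/bin:/etc:/usr/sbin
TMOUT=60
readonly TMOUT'
PROFILE_NOT_RO='TMOUT=60          # a user can still run: TMOUT=0'
PROFILE_ZERO='TMOUT=0
readonly TMOUT'
PROFILE_LARGE='export TMOUT=900
readonly TMOUT=3600'

# Demonstration against a 900-second (15-minute) policy maximum.
for name in PROFILE_OK PROFILE_NOT_RO PROFILE_ZERO PROFILE_LARGE; do
    eval "body=\$$name"
    rc=0
    printf '%s\n' "$body" | check_profile_tmout 900 || rc=$?
    printf '%-15s status=[%s] rc=%s\n' "$name" \
        "$(printf '%s\n' "$body" | profile_tmout_status)" "$rc"
done
```

The PROFILE_LARGE case is the one that catches a common slip: an earlier, compliant TMOUT=900 is silently overridden by a later readonly TMOUT=3600, and only the last assignment the shell executes matters, so the checker mirrors that by letting the last assignment win.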


Conclusion

In this article, we have described the importance of automatic logoff and its relation to regulatory compliance. We have covered the administrative procedures for setting automatic logoff for FTP, TELNET and SSH sessions on AIX V6.1, which help with regulatory compliance and contribute to a secure environment.

Acknowledgement

The author sincerely acknowledges Sandeep R Patil (rsandeep@in.ibm.com) from IBM Corporation for his valued insights, exposure and motivation to write this article and help convey the subject to the community, customers and practitioners.
