User authentication
Identification and authentication are used to establish a user's identity.
Each user is required to log in to the system. The user supplies the user name of an account and a password if the account has one (in a secure system, all accounts must either have passwords or be invalidated). If the password is correct, the user is logged in to that account; the user acquires the access rights and privileges of the account. The /etc/passwd and /etc/security/passwd files maintain user passwords.
By default users are defined in the Files registry. This means that user account and group information is stored in the flat-ASCII files. With the introduction of plug-in load modules, users can be defined in other registries too. For example, when the LDAP plug-in module is used for user administration, then the user definitions are stored in the LDAP repository. In this case there will be no entry for users in the /etc/security/user file (there is an exception to this for the user attributes SYSTEM and registry). When a compound load module (i.e. load modules with an authentication and database part) is used for user administration, the database half determines how AIX® user account information is administrated, and the authentication half describes the authentication and password related administration. The authentication half may also describe authentication-specific user account administration attributes by implementing certain load module interfaces (newuser, getentry, putentry etc).
The method of authentication is controlled by the SYSTEM and registry attributes that are defined in the /etc/security/user file. A system administrator can define the authcontroldomain attribute in the /etc/security/login.cfg file to force the SYSTEM and registry attributes to be retrieved from the authcontroldomain. For instance, authcontroldomain=LDAP forces the system to look up the user's SYSTEM and registry in LDAP to determine the authentication method to be used for the user. There is an exception for locally defined users, for which the authcontroldomain setting is ignored and the SYSTEM and registry are always retrieved from the /etc/security/user file.
The acceptable tokens for the authcontroldomain attribute are files or a stanza name from the /usr/lib/security/methods.cfg file.
The value of the SYSTEM attribute is defined through a grammar. By using this grammar, system administrators can combine one or more methods to authenticate a particular user to the system. The well-known method tokens are compat, DCE, files and NONE.
The system default is compat. The default SYSTEM=compat tells the system to use the local database for authentication and, if no resolution is found, the Network Information Services (NIS) database is tried. The files token specifies that only local files are to be used during authentication, whereas SYSTEM=DCE results in a DCE authentication flow.
The NONE token turns off method authentication. To turn off all authentication, the NONE token must appear in both the SYSTEM and auth1 lines of the user's stanza. Such an account can then be entered without any credential check, so this combination is appropriate only for accounts that are deliberately left unauthenticated.
You can specify two or more methods and combine them with the logical constructors AND and OR. For instance, SYSTEM=DCE OR compat indicates that the user is allowed to log in if either DCE or local authentication (crypt()) succeeds, the methods being tried in that order.
In a similar fashion, a system administrator can use authentication load module names for the SYSTEM attribute. For instance, when the SYSTEM attribute is set to SYSTEM=KRB5files OR compat, the AIX host will first try a Kerberos flow for authentication and, if that fails, will then try standard AIX authentication.
SYSTEM and registry attributes are always stored on the local file system in the /etc/security/user file. If an AIX user is defined in LDAP and the SYSTEM and registry attributes are set accordingly, then the user will have an entry in the /etc/security/user file.
The SYSTEM and registry attributes of a user can be changed using the chuser command.
Acceptable tokens for the SYSTEM attribute can be defined in the /usr/lib/security/methods.cfg file.
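The following script is an added example and is not part of the AIX documentation or of AIX itself. It illustrates two points from the text above: how SYSTEM and registry are resolved from a per-user stanza in /etc/security/user with the default: stanza as fallback, and how a SYSTEM value such as "KRB5files OR compat" is tried method by method in order. The stanza file is a constructed sample written to a temporary file; the method outcomes are simulated through the hypothetical SIM_KRB5, SIM_COMPAT and SIM_FILES variables rather than by calling any load module; and the simulator evaluates the expression strictly left to right with short-circuiting, which is an assumption made here for illustration, not a reproduction of the real AIX grammar (which also allows parentheses and return-code qualifiers not shown on this page). Treating NONE as an always-successful method is likewise a simplification of "turns off method authentication".

```shell
#!/bin/sh
# Added example, not AIX code. Part 1: resolve SYSTEM/registry from a
# stanza file. Part 2: simulate how a SYSTEM expression is walked.

# Write a constructed /etc/security/user-style sample to the given path.
make_sample_user_file() {
  cat > "$1" <<'EOF'
default:
        admin = false
        SYSTEM = "compat"
        registry = files

root:
        admin = true
        SYSTEM = "files"

alice:
        SYSTEM = "KRB5files OR compat"
        registry = KRB5files

bob:
        registry = LDAP
EOF
}

# stanza_attr FILE STANZA ATTR: print ATTR from that stanza (quotes stripped),
# or nothing if the stanza does not set it.
stanza_attr() {
  awk -v want="$2" -v attr="$3" '
    # A stanza header is an unindented "name:" line.
    /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
    cur == want && $1 == attr && $2 == "=" {
      val = $0
      sub(/^[ \t]*[^=]*=[ \t]*/, "", val)   # drop "ATTR = "
      gsub(/"/, "", val)                    # drop surrounding quotes
      print val
      exit
    }' "$1"
}

# effective_attr FILE USER ATTR: the user's own value, else the default stanza's.
effective_attr() {
  v=$(stanza_attr "$1" "$2" "$3")
  [ -n "$v" ] || v=$(stanza_attr "$1" default "$3")
  printf '%s\n' "$v"
}

# try_method METHOD: simulated outcome, 0 = success, 1 = failure.
# SIM_* are hypothetical knobs set by the caller (default: failure).
# NONE always succeeds here because it turns authentication off (assumption).
try_method() {
  case "$1" in
    KRB5files) return "${SIM_KRB5:-1}" ;;
    compat)    return "${SIM_COMPAT:-1}" ;;
    files)     return "${SIM_FILES:-1}" ;;
    NONE)      return 0 ;;
    *)         echo "unknown method: $1" >&2; return 1 ;;
  esac
}

# eval_system "A OR B AND C": walk the expression left to right (assumed
# order), short-circuiting so that a method is only contacted when it can
# still change the result. Prints the methods actually tried; returns 0 if
# the login would be allowed.
eval_system() {
  result=1 op=OR tried=""
  for tok in $1; do
    case "$tok" in
      AND|OR) op=$tok; continue ;;
    esac
    if [ "$op" = OR ] && [ "$result" -eq 0 ]; then continue; fi   # already allowed
    if [ "$op" = AND ] && [ "$result" -ne 0 ]; then continue; fi  # already denied
    tried="$tried $tok"
    if try_method "$tok"; then result=0; else result=1; fi
  done
  printf '%s\n' "${tried# }"
  return "$result"
}
```

On a real AIX host the equivalent lookup is lsuser -a SYSTEM registry alice, and the attributes are changed with chuser SYSTEM="KRB5files OR compat" registry=KRB5files alice; the script only models the resolution and ordering so that the effect of a given SYSTEM string can be reasoned about offline.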
Alternative methods of authentication are integrated into the system by means of the SYSTEM attribute that appears in /etc/security/user. For instance, the Distributed Computing Environment (DCE) requires password authentication but validates these passwords in a manner different from the encryption model used in /etc/passwd and /etc/security/passwd. Users who authenticate by means of DCE can have their stanza in /etc/security/user set to SYSTEM=DCE.
The default stanza entry is SYSTEM = "compat" in /etc/security/user. See Operating system and device management for more information on protecting passwords.
Login user IDs
The login user ID is set when a user logs in and is kept for the life of the session; unlike the effective user ID, it does not change when the user switches identity with the su command. All audit events recorded for this user are labeled with this ID and can be examined when you generate audit records. See Operating system and device management for more information about login user IDs.