User account control

User accounts have attributes that can be altered.

Each user account has a set of associated attributes. These attributes are created from default values when a user is created by using the mkuser command. The attributes can be altered by using the chuser command. The following are the user attributes that control login and are not related to password quality:

account_locked
If an account must be explicitly locked, this attribute can be set to True; the default is False.
admin
If set to True, this user cannot change the password; only the administrator can change it.
admgroups
Lists groups for which this user has administrative rights. For those groups, the user can add or delete members.
auth1
The authentication method that is used to grant the user access. Typically, it is set to SYSTEM, which will then use newer methods.
Note: The auth1 attribute is deprecated and should not be used.
auth2
Method that runs after the user has been authenticated by whatever was specified in auth1. It cannot block access to the system. Typically, it is set to NONE.
Note: The auth2 attribute is deprecated and should not be used.
daemon
This boolean parameter specifies whether the user is allowed to start daemons or subsystems with the startsrc command. It also restricts the use of the cron and at facilities.
login
Specifies whether this user is allowed to log in. A successful login resets the unsuccessful_login_count attribute to a value of 0 (from the loginsuccess subroutine).
logintimes
Restricts when a user can log in. For example, a user might be restricted to accessing the system only during normal business hours.
registry
Specifies the user registry. It can be used to tell the system about alternate registries for user information, such as NIS, LDAP, or Kerberos.
rlogin
Specifies whether the specified user can log in by using the rlogin or the telnet command. The rlogin attribute only controls remote login. For information about controlling the ability to run individual remote commands, see rcmds.
su
Specifies whether other users can switch to this ID with the su command.
sugroups
Specifies which groups are allowed to switch to this user ID.
ttys
Lists the terminals from which the user can log in. It is used to limit certain accounts to physically secure areas.
expires
Sets the date on which the account expires (a 10-character MMDDhhmmyy value; 0 means the account never expires). It is used to manage student or guest accounts, and also to turn off accounts temporarily.
loginretries
Specifies the maximum number of consecutive failed login attempts before the user ID is locked by the system. The failed attempts are recorded in the /etc/security/lastlog file.
umask
Specifies the initial umask for the user.
rcmds
Specifies whether the specified user can run individual commands by using the rsh command or the rexec command. The value allow indicates that you can run commands remotely by using the rsh and rexec commands. A value deny indicates that you cannot run commands remotely. The value hostlogincontrol indicates that running remote commands is controlled by the hostallowedlogin and hostsdeniedlogin attributes. For information about controlling remote login, see the rlogin attribute.
hostallowedlogin
Specifies the hosts which permit the user to login. This attribute is intended to be used in a networked environment where user attributes are shared by multiple hosts.
hostsdeniedlogin
Specifies the hosts which do not permit the user to login. This attribute is intended to be used in a networked environment where user attributes are shared by multiple hosts.
maxulogs
Specifies the maximum number of logins per user. If the user has reached the maximum number of allowed logins, login will be denied.

The complete set of user attributes is defined in the /etc/security/user, /etc/security/limits, /etc/security/audit/config and /etc/security/lastlog files. The default for user creation with the mkuser command is specified in the /usr/lib/security/mkuser.default file. Only options that override the general defaults in the default stanzas of the /etc/security/user and /etc/security/limits files, as well as audit classes, must be specified in the mkuser.default file. Several of these attributes control how a user can log in, and they can be configured to lock the user account (prevent further logins) automatically under specified conditions.

After the user account has been locked by the system because of the number of unsuccessful login attempts, the user is not able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to a value less than the value of the loginretries attribute. This can be done by using the following chsec command:

chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0

The defaults can be changed by using the chsec command to edit the default stanza in the appropriate security file, such as the /etc/security/user or /etc/security/limits files. Many of the defaults are defined to be the standard behavior. To explicitly specify attributes that are set every time that a new user is created, change the user entry in /usr/lib/security/mkuser.default.
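The following script is an added example and is not part of the AIX documentation or its tools. It makes the attribute resolution described above concrete: it parses the stanza format of /etc/security/user and /etc/security/lastlog, applies the default stanza wherever a user stanza does not override an attribute, and reports why a user would be refused a console login or a remote login (the rlogin attribute matters for the remote path, the login attribute only for the console, as the table further down states). It also prints the chsec unlock command from the procedure above for users the system has locked after too many failures. The stanza text and the audit date are constructed for the example.

```python
"""Audit constructed AIX-style user stanzas for the login controls on this page.
Added example: not IBM's code; sample stanzas and the audit date are made up."""
from datetime import datetime

# Constructed sample of /etc/security/user: a default stanza plus three users.
USER_FILE = """\
* comment lines in stanza files start with an asterisk
default:
\tadmin = false
\tlogin = true
\trlogin = true
\tloginretries = 3
\taccount_locked = false
\texpires = 0

alice:
\tadmin = true
\trlogin = false

bob:
\tloginretries = 5

carol:
\taccount_locked = true
\texpires = 0101000024
"""

# Constructed sample of /etc/security/lastlog (only the failure counter matters here).
LASTLOG_FILE = """\
alice:
\tunsuccessful_login_count = 0

bob:
\tunsuccessful_login_count = 5

carol:
\tunsuccessful_login_count = 1
"""


def parse_stanzas(text):
    """Parse 'name:' stanzas with indented 'attr = value' lines into nested dicts."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(users, user, attr, fallback):
    """A user stanza overrides the default stanza; otherwise the default applies."""
    return users.get(user, {}).get(attr, users.get("default", {}).get(attr, fallback))


def is_true(value):
    return str(value).lower() == "true"


def expired(value, now):
    """expires is MMDDhhmmyy; the value 0 means the account never expires."""
    if value == "0":
        return False
    return now >= datetime.strptime(value, "%m%d%H%M%y")


def console_login_blocked(users, lastlog, user, now):
    """Reasons a console login would be refused; an empty list means allowed."""
    reasons = []
    if is_true(effective(users, user, "account_locked", "false")):
        reasons.append("account_locked=true")
    if not is_true(effective(users, user, "login", "true")):
        reasons.append("login=false")
    retries = int(effective(users, user, "loginretries", "0"))  # 0 means no limit
    count = int(lastlog.get(user, {}).get("unsuccessful_login_count", "0"))
    if retries > 0 and count >= retries:
        reasons.append(f"unsuccessful_login_count={count} >= loginretries={retries}")
    if expired(effective(users, user, "expires", "0"), now):
        reasons.append("expires passed")
    return reasons


def remote_login_blocked(users, lastlog, user, now):
    """ssh/telnet/rlogin path: the login attribute does not apply, rlogin does."""
    reasons = [r for r in console_login_blocked(users, lastlog, user, now) if r != "login=false"]
    if not is_true(effective(users, user, "rlogin", "true")):
        reasons.append("rlogin=false")
    return reasons


def unlock_command(user):
    """The chsec invocation the page gives for clearing the retry counter."""
    return f"chsec -f /etc/security/lastlog -s {user} -a unsuccessful_login_count=0"


def audit(now="2024-06-01"):
    """Map each non-default user to its console and remote blocking reasons."""
    users, lastlog = parse_stanzas(USER_FILE), parse_stanzas(LASTLOG_FILE)
    when = datetime.fromisoformat(now)  # assumed audit date
    return {u: {"console": console_login_blocked(users, lastlog, u, when),
                "remote": remote_login_blocked(users, lastlog, u, when)}
            for u in users if u != "default"}


if __name__ == "__main__":
    for user, result in audit().items():
        print(user, result)
        if any(r.startswith("unsuccessful_login_count") for r in result["console"]):
            print("  reset with:", unlock_command(user))
```

On a real system the same logic would be fed by lsuser -a (for the effective attributes) and the lastlog file; the point of resolving through the default stanza is that a user with no loginretries line of their own is still subject to the default's limit.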

For information on extended user password attributes, refer to Passwords.

Login-related commands affected by user attributes

The following table lists the attributes that control login and the affected commands.
User attribute                                   Commands affected
account_locked                                   rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
login                                            login only (console login). The value of the login attribute does not affect the remote login, remote shell, or remote copy commands (rexec, rsh, rcp, ssh, scp, rlogin, telnet, and ftp).
logintimes                                       rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
rlogin                                           ssh, scp, rlogin, telnet only (remote login commands, certain remote shell commands, and certain remote copy commands).
loginretries                                     rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
/etc/nologin                                     rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
rcmds=deny                                       rexec, rsh, rcp, ssh, scp
rcmds=hostlogincontrol and
hostsdeniedlogin=<target_hosts>                  rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
ttys = !REXEC, !RSH                              rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login
ttys = !REXEC, !RSH, /dev/pts                    rexec, rsh
ttys = !REXEC, !RSH, ALL                         rexec, rsh
expires                                          rexec, rsh, rcp, ssh, scp, rlogin, telnet, ftp, login

Note: Denying rsh only disallows execution of remote commands; remote logins are still permitted.