Users gain access to the system through "accounts." This is the first level
of security. Although it is possible to configure applications that start
directly on specific terminals, almost everyone has logged into a Linux system
at least once. More than likely, if you are one of those people who never log in,
you never see a shell prompt and are probably not reading this book.
Most Linux systems have a standard login. The figure below shows what the login
process looks like. You see the name of the system, followed by a brief message
(the contents of /etc/issue) and the login prompt, which usually consists of the
system name and the word login. /etc/issue is a text file, so you can edit it as
you please. Because it is read afresh each time a login prompt is displayed, the
changes will appear the next time someone tries to log in. When you log in, you
are first asked for your user name and then your password. Having been identified
and had your password verified, you are allowed access to the system. This usually
means that the system starts a shell for you. However, many programs can be used
in place of a shell.
Figure: The login process.
Which program is started is determined by the login shell field of your entry in
the password file (/etc/passwd). Another field in that entry is your home
directory, the directory that you have as your current directory when you log in.
This is also the place to which the shell returns you if you enter cd with no
arguments.
After determining your login shell and placing you in your home directory, the
system sets up some systemwide defaults. If you have a Bourne or Bourne Again
shell, these are done through the /etc/profile file. If bash is your login shell,
it then runs the commands in the first of .bash_profile, .bash_login or .profile
that it finds in your home directory; the .bashrc file there is read by
interactive shells that are not login shells, which is why most distributions
have .bash_profile or .profile source it. If you have sh, there is no equivalent
of the .bashrc file. If you have a Z shell, the system defaults are established in
the /etc/zprofile file. The system then executes the commands in the .zprofile,
.zshrc and .zlogin files in your home directory, in that order, provided they
exist. Because these files run with your privileges every time you log in, they
are a favourite place for an intruder to plant commands; keep them writable only
by their owner. See the appropriate man-page and the section on shell basics for
more details.
During the login process, you are shown several pieces of information about the
local system. Before the login prompt, you usually see the contents of the
/etc/issue file, as I mentioned earlier. After your login is successful, you will
normally see a message about the last login and the message of the day. The
message of the day is the contents of the file /etc/motd.
In some cases, all of this information is bothersome. For example, many
businesses have either menus that their users log into or applications that
start from their users' .profile or .login. In some cases, the information is of
little value. In some cases, even knowing that this is a UNIX system could be a
problem. There are many hackers in the world who would just love the chance to
try to crack your security. By not even telling them what kind of system you
have, you deny them a piece of information they would otherwise get for free; at
the very least, it is one more thing they need to figure out. Therefore, we need
a way to disable these messages.
The two obvious ways are through /etc/issue and /etc/motd. By default, both of
these files contain information about your system. By either changing the
contents or removing the files altogether, you can eliminate that source of
information. Note that on systems whose terminals are run by agetty, /etc/issue
may also contain escape sequences that are expanded when the prompt is shown,
such as \n (host name), \r (kernel release), \s (system name) and \m
(architecture); removing those is as important as removing the literal text.
Another way is the login: prompt itself. Again, by default, this prompt contains
the name of your system. This may not concern most system administrators;
however, where security is an issue, I might like to disable it. The prompt comes
from the gettydefs file (/etc/gettydefs), which contains the information the
getty program uses when it starts the login program on a terminal. The more
common lines in the gettydefs file contain a field that defines the login prompt.
Take a look at that field and you will see that it contains the literal string
login: immediately following the name of the system. The name of the system
comes from @S. By changing either of the parts (or both), you can change the
appearance of your login prompt, even removing the name of the system if you
want.
The getty(1m) man-page contains a list of the different pieces of information
that you can include in the login: prompt. If you are providing PPP services, I
recommend that you do not put anything variable in your login prompt, such as
the date/time or the port name, because this makes creating chat scripts
difficult: the users trying to log in will not know what to expect. On current
Linux systems the terminal is normally run by agetty rather than the older getty
and there is no /etc/gettydefs; there the system name is dropped from the prompt
with agetty's --nohostname option and /etc/issue is suppressed with -i
(--noissue), set wherever agetty is started (the getty@.service unit on systemd
systems, /etc/inittab on older ones).
At this point, we are left with the last login messages. Unfortunately, these are
not contained in files that are as easily removed as /etc/motd and /etc/issue.
However, by creating the file .hushlogin in your home directory, you can remove
them. It has no contents; rather, the existence of this file is the key. You can
create it simply by changing to the user's home directory (yours, if you are that
user) and running
Often administrators want to keep users' knowledge of the system as limited as
possible. This is particularly important for systems with a high level of
security in which users start applications and never see the shell prompt. One
give-away to what kind of system you are on is the following line when you log in:
Last login: ...
System administrators often call support asking for a way to turn this feature
off. Fortunately, there is a way: this, too, is disabled by creating the
.hushlogin file. OpenSSH's sshd honours the same file, so it silences the
last-login and motd messages for SSH logins as well. Once you have decided to use
it, you can simplify things by having the file created every time a new user is
created. This is done by simply adding the .hushlogin file to the /etc/skel
directory. As with every other file in this directory, it is copied to the user's
home directory whenever a new user is created with a home directory (useradd -m
or adduser).
One thing to consider before you turn this feature off is that seeing when the
last login was done may reveal a security problem. If you see that the last login
was at a time when you were not there, it may indicate that someone has broken
into your account, or is trying to.
You can see who is currently logged in by running either the who or w command.
The information these commands display is kept in the file utmp, which on current
systems is /var/run/utmp (older systems put it in /etc or /usr/adm). Once the
system reboots, this information
You can also see the history of recent logins by using the last command. This
information is kept in wtmp in the system log directory (/var/log/wtmp). This
file is kept between reboots and, depending on how active your system gets, I
have seen it grow to more than a megabyte. Therefore, it might not be a bad idea
to truncate this file at regular intervals. (Note that most Linux distributions
do this automatically through logrotate.) Keep in mind that wtmp is an ordinary
file writable by root, so an intruder who gains root can remove their own
entries; on a system you care about, copy it regularly to another host.
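As an added example that is not part of the original text, the following Python script shows what who, w and last are actually reading. It builds a few constructed wtmp records in the 384-byte struct utmp layout that glibc uses on Linux/x86_64, parses them the way last does, and then applies the check suggested above: it flags logins outside working hours and root logins on anything other than a console tty. The user names, hosts and times are made up, the working-hours range is an assumption you would tune for your site, and the record layout is an assumption that does not hold on every architecture or libc.

```python
import struct
from datetime import datetime, timezone

# struct utmp as glibc lays it out on Linux/x86_64: 384 bytes per record.
# (Assumption of this example: other architectures and libcs may differ.)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>


def pack_record(ut_type, pid, line, user, host, when, ut_id=b""):
    """Build one binary record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id, user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data):
    """Parse a wtmp/utmp byte string into a list of records (a truncated tail is ignored)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def login_history(records):
    """What last(1) prints: one entry per login, i.e. per USER_PROCESS record."""
    return [(r["user"], r["line"], r["host"] or "local", r["time"])
            for r in records if r["type"] == USER_PROCESS]


def suspicious_logins(records, work_hours=(8, 18)):
    """Flag logins outside the hours the account owner is normally present (assumed
    08:00-18:00 UTC) and root logins on anything but a console tty."""
    findings = []
    for user, line, host, when in login_history(records):
        stamp = f"{user} on {line} from {host} at {when:%Y-%m-%d %H:%M} UTC"
        if not work_hours[0] <= when.hour < work_hours[1]:
            findings.append(f"{stamp}: outside working hours")
        if user == "root" and not line.startswith("tty"):
            findings.append(f"{stamp}: root login on a non-console line")
    return findings


def sample_wtmp():
    """Constructed records, not real data: a boot, a normal console session, a 03:12
    remote login for the same user, and root logging in over the network."""
    def utc(*ymdhm):
        return datetime(*ymdhm, tzinfo=timezone.utc)
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "", utc(2024, 1, 15, 6, 0), b"~~"),
        pack_record(USER_PROCESS, 1201, "tty1", "jimmo", "", utc(2024, 1, 15, 9, 5), b"1"),
        pack_record(DEAD_PROCESS, 1201, "tty1", "", "", utc(2024, 1, 15, 17, 40), b"1"),
        pack_record(USER_PROCESS, 2310, "pts/0", "jimmo", "203.0.113.7", utc(2024, 1, 16, 3, 12), b"ts/0"),
        pack_record(USER_PROCESS, 2455, "pts/1", "root", "198.51.100.9", utc(2024, 1, 16, 10, 30), b"ts/1"),
    ])


if __name__ == "__main__":
    # On a live system: recs = parse_wtmp(open("/var/log/wtmp", "rb").read())
    recs = parse_wtmp(sample_wtmp())
    for entry in login_history(recs):
        print(entry)
    for finding in suspicious_logins(recs):
        print("!!", finding)
```

Run against the real file, the second loop is the automated version of looking at the Last login: line yourself; the off-hours window is the part you would adapt, and a 03:12 login from an unfamiliar address is exactly the kind of entry that .hushlogin would have hidden from the user.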
One way to limit the exposure is to keep the root account from logging in
anywhere other than the system console. This is done by listing the appropriate
terminals in /etc/securetty. If root tries to log into a terminal that is not
listed there, access is denied. It is a good idea to list only terminals that are
on the system console (tty1, tty2, etc.). Note that the check is only made by the
programs that consult the file (login, or the pam_securetty module on systems
using PAM); sshd, for example, ignores it and is governed by its own
PermitRootLogin directive instead.
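To tie the previous steps together (the banner files, .hushlogin in /etc/skel and /etc/securetty), here is an added Python audit and hardening script; it is not part of the original text. It works under a staging root so it can be tried safely before being pointed at a real system. The escape sequences it looks for in /etc/issue are the ones agetty(8) documents as revealing host details; the starting files in run_demo() are constructed for the example, and the banner text and tty list that harden_login_files() writes are choices of mine, not a standard.

```python
import re
import tempfile
from pathlib import Path

# agetty(8) expands these in /etc/issue and each one reveals something about the
# host: \n nodename, \r kernel release, \s system name, \m machine type,
# \v kernel version, \o domain name, \S values from /etc/os-release.
LEAKY_ISSUE_ESCAPES = re.compile(r"\\[nrsmvoS]")
# Lines root may log in on: the virtual consoles and the system console itself.
CONSOLE_TTY = re.compile(r"^(console|tty[0-9]+)$")


def audit_login_files(root="/"):
    """Return a list of findings for the banner and root-login files under root."""
    etc = Path(root) / "etc"
    findings = []

    issue = etc / "issue"
    if issue.exists():
        for m in LEAKY_ISSUE_ESCAPES.finditer(issue.read_text()):
            findings.append(f"/etc/issue reveals host details via {m.group(0)}")

    motd = etc / "motd"
    if motd.exists() and motd.read_text().strip():
        findings.append("/etc/motd is not empty")

    if not (etc / "skel" / ".hushlogin").exists():
        findings.append("/etc/skel/.hushlogin missing: new users will see last-login and motd")

    securetty = etc / "securetty"
    if not securetty.exists():
        findings.append("/etc/securetty missing: no list restricting root to console lines")
    else:
        for line in securetty.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and not CONSOLE_TTY.match(line):
                findings.append(f"/etc/securetty allows root login on non-console line {line}")
    return findings


def harden_login_files(root="/"):
    """Apply the fixes discussed in the text and return whatever findings remain."""
    etc = Path(root) / "etc"
    (etc / "skel").mkdir(parents=True, exist_ok=True)
    (etc / "issue").write_text("Authorized use only.\n\n")   # generic banner, no host details
    (etc / "motd").write_text("")                             # empty message of the day
    (etc / "skel" / ".hushlogin").touch()                     # copied to new homes by useradd -m
    (etc / "securetty").write_text("".join(f"tty{i}\n" for i in range(1, 7)))  # consoles only
    return audit_login_files(root)


def run_demo():
    """Constructed starting state (not taken from any real host): audit, harden, audit again."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "issue").write_text("\\S\nKernel \\r on an \\m (\\l)\n")   # distro-style default
        (etc / "motd").write_text("Welcome to the accounting server\n")
        (etc / "securetty").write_text("tty1\ntty2\npts/0\nttyS0\n")   # remote and serial lines allowed
        before = audit_login_files(root)
        after = harden_login_files(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("\n".join(before) or "no findings")
    print("after hardening:", after or "no findings")
```

Running audit_login_files("/") on a real host as root is safe and read-only; harden_login_files("/") overwrites the four files, so review what your distribution ships in them first, and remember that the securetty part does nothing for sshd.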
If you really need root access, you can log in over the network as a regular
account and then su to root. (This was written with telnet in mind; use ssh
today, as telnet sends your password across the network in the clear.) This then
provides a record of who