2/17/2014

AIX for System Administrators


Practical Guide to AIX
...any feedback are highly welcome: aix4adm@gmail.com

USER LOGIN PROCESS:

LOGIN PROCESS DESCRIPTION:


1. getty:
The file /etc/inittab lists the ports on which logins are possible (e.g. the console). When init runs, a getty process is started for each port listed in
that file. The getty process provides a login prompt on the terminal attached to that port. The message it displays (also known as the
herald) is defined in /etc/security/login.cfg (e.g. console login and password...). Once the herald is displayed, getty
waits for a user to make a login attempt.
-------------
2. login:
First the user name is entered. The login program checks /etc/passwd and /etc/security/passwd to see if a password is required. If a password is
required or the user name doesn't match a valid name, the Password: prompt is displayed.
-------------
3. invalid:
If an invalid user name was given or the password is incorrect, an entry is made in /etc/security/failedlogin.
root@bb_lpar: / # who /etc/security/failedlogin
root        vty0        Jun 08 12:50      <--username was valid, but password was incorrect
UNKNOWN_    vty0        Jun 08 13:20      <--invalid username

If the user name is valid, but the password is incorrect, the number of failed attempts is tracked in /etc/security/lastlog.
root@bb_lpar: / # cat /etc/security/lastlog
root:
        time_last_login = 1339152601
        tty_last_login = /dev/pts/0
        host_last_login = server.domain.com
        unsuccessful_login_count = 2      <--this shows the number of failed login attempts of a user
(or you can check that with command "lsuser")


-------------
4. valid:
If the user name and password are correct, the usw stanza in /etc/security/login.cfg is checked. This stanza sets the maximum number of
concurrent logins on the system. If that number is exceeded, the login is denied.

root@bb_lpar: /etc/ssh # cat /etc/security/login.cfg
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh...
        maxlogins = 32767                 <--this shows maximum concurrent logins on the system
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
-------------
5. setup environment:
If everything is successful, then the user's environment is set using:
/etc/environment          <--base environment settings (PATH, TZ, LANG...)
/etc/security/environ     <--defines the environment attributes for users (it is not used too much by users)
/etc/security/limits      <--defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user        <--contains the most important settings, outside of the basics in /etc/passwd (umask, expires, rlogin...)

-------------
6. /etc/motd:
The login program sets the current directory to the user's HOME directory and displays the content of /etc/motd, the date of the last successful
login, and the number of unsuccessful login attempts since the last successful login.
(if a .hushlogin file is found in the HOME directory, this information will not be displayed)
-------------
7. shell:
Finally, control is passed to the login shell (as defined in /etc/passwd) which will read /etc/environment and run /etc/profile and
$HOME/.profile and $HOME/.kshrc (when using Korn shell).
-------------
When a user logs out, the shell terminates and a new getty process is spawned for that port.
-------------
Files used for user/environment customization (in login sequence):
1. /etc/environment     <--contains variables specifying the basic environment for all processes (PATH, TZ, LANG...)
2. /etc/profile         <--sets other system-wide default variables (TERM...)
3. $HOME/.profile       <--lets you customize your individual working environment (PATH, ENV, PS1...)
4. $HOME/.kshrc         <--if it is used, user can customize his personal Korn shell environment (set -o vi, alias...)

-------------
USER LOGIN RELATED FILES

/etc/motd                    contains the message to be displayed every time a user logs in to the system.
/etc/utmp                    contains the record of users logged into the system. (who /etc/utmp)
/var/adm/wtmp                records the logins to the system. (who /var/adm/wtmp)
/var/adm/sulog               records information about su - username
/etc/environment             sets base environment variables for all processes (PATH, TZ, LANG...) (don't put commands there, only root)
/etc/profile                 specifies additional environment settings for all users. (TERM...) (only root)

/etc/security/login.cfg      contains configuration information for login and user authentication.
/etc/security/lastlog        contains the last login attributes for users
/etc/security/failedlogin    records all failed login attempts. (who /etc/security/failedlogin)
/etc/security/environ        defines the environment attributes for users (it is not used too much by users)
/etc/security/limits         defines process resource limits for users (fsize, rss, nofiles...)
/etc/security/user           contains the most important settings, outside of the basics in /etc/passwd (umask, expires, rlogin...)

$HOME/.profile               specifies user specific settings (user can overwrite settings from /etc/environment and /etc/profile)
                             ($HOME/.profile contains ENV=$HOME/.kshrc)
$HOME/.kshrc                 user can customize his Korn shell environment (set -o vi, alias...) (it will be run when opening new shell)
--------------

unsuccessful login count reset:

If a user's unsuccessful login count reaches the max value (loginretries=<value>), the user is no longer able to log in to the system.
3004-303 There have been too many unsuccessful login attempts; please see the system administrator.

1. check unsuccessful login count:
root@bb_lpar: / # lsuser -f bb
loginretries=3                    <--shows max failed login retries, it is contained in /etc/security/user
pwdwarntime=0
account_locked=false
unsuccessful_login_count=5        <--it is higher than the max value

2. reset the login count:
root@bb_lpar: / # chuser unsuccessful_login_count=0 <user>      <--it will reset the unsuccessful login count to 0
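
A read-only check for the lockout condition described above, as an added example that is not part of the original post: it reads /etc/security/user and /etc/security/lastlog style files and lists every user whose unsuccessful_login_count has reached loginretries. Assumptions: the stanza layout ("name:" followed by indented "attr = value" lines), inheritance from the default: stanza, and a loginretries of 0 meaning no limit; the function names and sample data are constructed for illustration.

```shell
# Assumed layout: "name:" stanza header, indented "attr = value" lines, "*" comments.
# over_limit USERFILE LASTLOG -> prints "user count limit", one per line, sorted
over_limit() {
    awk '
        FNR == 1 { cur = "" }                          # new file: no stanza seen yet
        /^[ \t]*$/ || /^[ \t]*\*/ { next }             # blank line or comment
        /^[^ \t][^ \t]*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        $2 != "=" || cur == "" { next }
        FILENAME == ARGV[1] && $1 == "loginretries" { limit[cur] = $3 }
        FILENAME == ARGV[2] && $1 == "unsuccessful_login_count" { count[cur] = $3 }
        END {
            for (u in count) {
                # no value of its own: inherit the default stanza (assumption)
                max = (u in limit) ? limit[u] : limit["default"]
                # 0 or unset is treated as no retry limit (assumption)
                if (max + 0 > 0 && count[u] + 0 >= max + 0)
                    printf "%s %d %d\n", u, count[u], max
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample data in the stanza format (not from a real host).
write_samples() {
    cat > "$1/user" <<'EOF'
default:
    loginretries = 4
root:
    loginretries = 0
bb:
    loginretries = 3
ops:
    loginretries = 5
EOF
    cat > "$1/lastlog" <<'EOF'
root:
    unsuccessful_login_count = 9
bb:
    unsuccessful_login_count = 5
ops:
    unsuccessful_login_count = 1
app:
    unsuccessful_login_count = 4
EOF
}
tmp=$(mktemp -d)
write_samples "$tmp"
over_limit "$tmp/user" "$tmp/lastlog"    # on a real host: /etc/security/user /etc/security/lastlog
rm -rf "$tmp"
```

Each output line is "user count limit"; the accounts listed are the candidates for the chuser unsuccessful_login_count=0 reset shown above, after the source of the failed attempts has been reviewed in /etc/security/failedlogin.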

-------------
locked account reset:

It is possible that an administrator temporarily prevents a user from using the system by locking the account.
3004-301 Your account has been locked; please see the system administrator.

1. check user account setting:
root@bb_lpar: / # lsuser -f bb
account_locked=true               <--it will show if account is locked
minage=0
maxage=0

2. unlock the account:
root@bb_lpar: / # chuser account_locked=false bb      <--it will remove lock from the account

-------------
user max concurrent logins are too high

Maximum concurrent sessions of a user can be limited in /etc/security/user with the maxulogs entry.
If it is not limited, there is no maxulogs entry in the file and lsuser won't show anything; it can be checked only if it is set to a value.
Maximum number of login sessions exceeded for user <user>

1. check maxulogs entry of the user
root@bb_lpar: / # lsuser -f bb
pwdchecks=
dictionlist=
maxulogs=3                        <--it will show maximum concurrent allowed login sessions of a user
                                  (this value can be checked in /etc/security/user as well)

2. change to a higher value (0 means unlimited)
root@bb_lpar: / # chuser maxulogs=0 <user>      <--it will change to unlimited

7 comments:
Rajesh Mohan April 5, 2013 at 6:15 PM
is it possible to restrict the number of users can login to an aix server concurrently??? how to check & change?
aix April 5, 2013 at 8:55 PM

Hi, in /etc/security/login.cfg there is an attribute: maxlogins


"maxlogins: Defines the maximum number of simultaneous logins to the system. The format is a decimal integer string. The
default value varies depending on the specific machine license. A value of 0 indicates no limit on simultaneous login
attempts."
Hope this helps,
Balazs

abbas August 5, 2013 at 11:23 AM


Hi Aix, Could you please explain about /etc/security/login.cfg and /etc/inittab processes, means how the process will getting to
login.cfg to inittab
Thanks
Abbas

Senthil August 6, 2013 at 3:27 PM


How do I find, who accessed my AIX system using sftp connection?

sakhan October 8, 2013 at 1:07 PM


Hi,
You can use "last -X" to get the detail of users and the sessions they used, e.g. ftp, and output will be like below:
root ftp 10.0.0.0 Sep 25 14:55 - 14:56 (00:01)

Anonymous October 11, 2013 at 8:00 PM

Hi,
We are testing something on the application (AIX OS) by putting some load of 300 virtual users. I would like to know, is there any limit
on number of user sessions active on AIX at a time?
I believe we've value maxlogins = 32767 in /etc/security/login.cfg.
So am thinking that there is no limit (32767) on user sessions. Is this right?

Oscar Alvarez January 23, 2014 at 9:55 AM


That's the total logins, but you may want to limit max logins for a concrete user by modifying its maxulogs user property.

http://aix4admins.blogspot.com/2012/06/user-login-process-login-process.html