authsh(ADM)

Syntax

Description

The functions supported by the main level menu are:

User

This category of screen interfaces is provided for the setup and maintenance of user accounts and user account passwords. The screens are used to add, update, display, and delete user accounts from the system. Also, modifications to user account passwords or modifications to the various criteria controlling the generation of account passwords is accomplished using this menu option.

Defaults

These options are provided for the maintenance of system-wide parameters like default privileges, password expiration, password lifetime, single-user password requirement, restrictive password generation, and the delay time between login attempts. These parameters apply on a global system basis rather than a user account basis.

Terminal

The terminal database interface screens are used for the maintenance of the database entries to support the addition, deletion, and update of terminal information. Additionally, this category includes the necessary screens for setting and clearing locks on specific terminals.

Report

This category provides the administrator with a method of generating various reports on system activity. Report types include password database, terminal database, and login activity reports.

Check

This option provides the administrator with a consistency check on databases (protected password, terminal control database, and subsystem database) and the password file (/etc/passwd). The password check returns system account warning messages. This option is not normally used.

/etc/default/authsh fields

LOGIN_GROUP

Name of default login group. Must exist in /etc/group.

OTHER_GROUPS

List of groups the user is to be a member of. Each group listed must exist in /etc/group. The LOGIN_GROUP does not need to be included in this list. The groups in the list may be separated by commas (,) or spaces.

SHELL

Name of default login shell, either the name of a shell defined in /usr/lib/mkuser, or the full pathname of an executable file. Note that the empty name is legal but is not equivalent to either sh or /bin/sh.

HOME_DIR

Default absolute pathname of parent directory of user's home directory. The home directory itself has the same name as the user. This parent directory must be r/w/x by group auth.

HOME_MODE

Default permissions for the user's home directory. Note that both HOME_DIR and HOME_MODE default settings can be overridden on a shell-specific and/or path-specific basis.

USER_TYPE

Default type of user:

Individual -- individual's personal account, used by one person, and one person only.
Operator, Administrator, Security Officer -- various classifications of accounts potentially used by more than one individual.
Pseudo-user -- anonymous account never directly used by a user.

All user types except Individual must have an associated account which is allowed to su(C) to the user.

UID

MIN_ADMIN_UID to MAX_ADMIN_UID, inclusive: UID values the administrator may choose.

MIN_SUGGEST_UID to MAX_SUGGEST_UID, inclusive: UID values the system may suggest.

Note that UIDs less than 200 are reserved and should not be used.

GID

Similar to UID ranges.

Note that GIDs less than 100 are reserved and should not be used.

MIN_USER_NAME

Minimum length of an acceptable user name (default: 3 characters).

MAX_USER_NAME

Maximum acceptable length of a user name (maximum of 8 characters).

MIN_GROUP_NAME

Minimum length for a group name (default: 3 characters).

MAX_GROUP_NAME

Maximum length for a group name (default: 8 characters).

Limitations

Files

/tcb/files/auth/[a-z]

/etc/auth/subsystems/

/etc/auth/system/

See also

``Maintaining system security'' in the System Administration Guide

Standards conformance