Archive for the 'jsp' Category

He could then add himself to the wheel

Monday, November 13th, 2006

He could then add himself to the wheel group if he wanted. This is bad. You could disallow root logins on the console, but you might need them sometime.

The existence of the wheel group does not mean that you can skip hiding your root password! If you have no users in the wheel group, then only the root account can get root access (without exploiting some sort of security hole, of course). If you forget to add your first account to the wheel group, you will need to log in to the console as root and make the necessary changes to /etc/group. If you’ve disabled root logins on the console, boot into single-user mode and make the changes.


se with explicit declarations as

Monday, November 13th, 2006

The Root Password

UNIX has an all-or-nothing concept of security. While the root user may do absolutely anything, other users may only do things root permits them to. This one fact has been responsible for a wide number of system intrusions. What’s more, this coarse-grained approach causes any number of problems for system administrators. While you can create groups and use them to handle permissions for a variety of files, groups don’t work well for sysadmin tasks. Only root can add users; only root can configure the network; only root can install system-wide software. Different people might handle these tasks separately. But they all need root privileges to do their work, so either you need to trust these people to stay out of each other’s way or you need to configure an add-on access control tool. Only give the root password to those users you trust. All other users should be given access to particular tasks via sudo(8).

Using the Root Password

The su(1) command allows one user to become another user, if you have that user’s password. I could use Chris’s password to access Chris’s account, just as if I was him. I could use Phil’s password to effectively become Phil. Or, I could use the root password to become root. Using su is very straightforward: just type su, and the system will prompt you for a password. Enter the root password, and you will have a root shell!

# su
Password:
#

One thing to remember is that su gives you the shell of the user you’re switching to. You might not want that: on a system with multiple administrators, someone will not like the shell assigned to root. Do not change OpenBSD’s root shell unless you know all the implications of doing so. Instead, use su’s -m flag to keep your current shell and environment variables. For example, while my preferred shell is tcsh, OpenBSD’s root shell is old-fashioned csh. If I use “su”, I will get a csh shell. If I use “su -m”, I will get my preferred tcsh shell.

If you use “su -m”, make sure that your shell doesn’t contain any garbage that can confuse programs run as root. A nonstandard $PATH or $LD_LIBRARY_PATH environment variable combined with “su -m” can really interfere with your uptime.

Who May Use the Root Password?

Only users who are in the “wheel” group may use the root password. A user who is not in the wheel group cannot use the root password, even if he has the password. For example, suppose I get very lazy and write the root password on a sticky note and put it on my monitor. Phil wanders by, sees the password, and decides to give it a try from his account even though he isn’t in the wheel group.

# su
Password:
you are not in group wheel
Sorry
#

What’s more, his attempt will be logged in /var/log/authlog.

Jul 1 16:10:15 openbsd su: BAD SU phil to root on /dev/ttyp1

As a responsible security administrator, I should be checking my authorization log daily looking for these things. These errors are mailed to root each day as part of the daily security check, so there really is no excuse for not reading them. Mind you, anyone who has this root password could walk up to the console and log in directly as root.
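The daily security mail only tells you about failed su attempts if you read it. The following added example (not from the book or from OpenBSD itself) parses lines in the “BAD SU” format shown above and counts failed su-to-root attempts per user, so repeat attempts stand out. The log lines are constructed for the example; only the phil line matches the one quoted in the text.

```python
import re
from collections import Counter

# Constructed sample of /var/log/authlog content. The first phil line is the
# format shown in the text; the other lines are made up for this example.
SAMPLE_AUTHLOG = """\
Jul  1 16:10:15 openbsd su: BAD SU phil to root on /dev/ttyp1
Jul  1 16:10:40 openbsd su: BAD SU phil to root on /dev/ttyp1
Jul  1 16:12:02 openbsd su: mwlucas to root on /dev/ttyp0
Jul  1 16:15:31 openbsd su: BAD SU chris to root on /dev/ttyp2
Jul  1 16:20:00 openbsd sshd[1234]: Accepted publickey for mwlucas from 192.0.2.10 port 50000 ssh2
"""

# syslog timestamp, host, then su's "BAD SU <user> to <target> on <tty>" message.
# \s+ after the month allows the double space syslog uses for single-digit days.
BAD_SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su: BAD SU "
    r"(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$"
)


def parse_bad_su(text):
    """Return one dict per failed su attempt found in the log text."""
    events = []
    for line in text.splitlines():
        m = BAD_SU_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_su_by_user(text, target="root"):
    """Count failed su attempts to `target`, keyed by the source user."""
    return Counter(e["user"] for e in parse_bad_su(text) if e["target"] == target)


def flag_repeat_offenders(text, threshold=2):
    """Users with at least `threshold` failed su-to-root attempts, sorted."""
    return sorted(u for u, n in failed_su_by_user(text).items() if n >= threshold)


if __name__ == "__main__":
    for user, n in failed_su_by_user(SAMPLE_AUTHLOG).most_common():
        print("%-10s %d failed su to root" % (user, n))
    print("repeat offenders:", flag_repeat_offenders(SAMPLE_AUTHLOG))
```

Run against the real file with `failed_su_by_user(open("/var/log/authlog").read())`; the threshold is a knob for your own environment, not a value the book prescribes.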

se with explicit declarations as

Monday, November 13th, 2006

se with explicit declarations as we use in this section. Investing time in learning termcap(5) will enhance your sysadmin skills, but is beyond our scope here.

snk Use Digital Pathways SecureNet Key authentication (see

Monday, November 13th, 2006

powerful and flexible, and it can be confusing to the beginner; entire books have been written about it. The authentication entries in the default login classes use termcap expansions, but you can easily replace tho

snk Use Digital Pathways SecureNet Key authentication (see

Monday, November 13th, 2006

snk Use Digital Pathways SecureNet Key authentication (see login_snk(8))
token Use a generic X9.9 token authentication (see login_token(8))

Using Authentication Methods

Authentication methods are set by login.conf’s auth variable, with a comma-separated list.

:auth=skey,passwd:

One interesting thing is the ability to specify different authentication methods based on the service the user is connecting to. You can specify a “service name” after the “auth” keyword, to state that a set of authentication methods only applies to that particular service. For example, to allow only password authentication for FTP, you could use this:

:auth-ftp=passwd:

Here are a few of the commonly used authentication services:

auth Default used for all login requests that have no specific service attached
auth-ftp FTP
auth-ssh SSH
auth-su su(1) authentication

For example, you could allow a user to log in with either their local password or S/Key, but if they want to use su(1) to become root, they must authenticate with S/Key. Here’s a snippet from login.conf implementing that:

:auth=passwd,skey:
:auth-su=skey:

Note The default /etc/login.conf uses termcap(5) format. Termcap is

You can also specify default environment settings in

Sunday, November 12th, 2006

passwordcheck This gives the full path to an external program that will validate new passwords for quality. OpenBSD passes the password to the program on standard input. The program is expected to return 0 if the password is adequate or 1 if the password is inadequate.
passwordtime This is the lifetime of a password and can be used to enforce regular password changes.
minpasswordlen This is the minimum length of a password.

Authentication Methods

You can also choose valid authentication methods in /etc/login.conf. OpenBSD uses “BSD Authentication,” which works in a different manner than the popular Pluggable Authentication Modules used in quite a few open-source operating systems. You just identify the authentication method you want in /etc/login.conf, and OpenBSD will attempt to authenticate users by that method. It couldn’t be easier than that!

Merely setting an authentication mechanism does not configure the authentication method; it merely tells the system to use that authentication method. For example, telling OpenBSD to authenticate a certain class of users via Kerberos V doesn’t magically set up a Kerberos domain. Accounts that use a particular authentication method will be locked out if that authentication mechanism is unavailable. Some authentication methods are simply not compatible with some protocols, so not all authentication methods work with all programs that provide logins. For example, while SSH works with cryptocards, it doesn’t work with the password-changing “lchpass” authentication method. You need to check the man page for each authentication method for bugs and test unusual combinations.

Some of these authentication methods require additional login.conf variables, which are described in the manual page for that authentication method. For example, if you want to use Radius authentication, you need to tell login.conf where to find your Radius server. The manual page that describes the necessary configuration is given in the following table of common authentication methods. Here are the actual authentication methods supported by OpenBSD’s BSD Authentication.

krb4-or-pwd Try Kerberos IV, then the local password file (see kerberos(1))
krb5-or-pwd Try Kerberos V, then the local password file (see kerberos(1))
passwd Use the local password file
krb4 Use Kerberos IV (see kerberos(1))
krb5 Use Kerberos V (see kerberos(1))
chpass Do not log the user in, but instead change their Kerberos password, or their local password if Kerberos is unavailable (see login_chpass(8))
lchpass Do not log the user in, but instead change their local password (see login_lchpass(8))
radius Use Radius authentication (see login_radius(8))
skey Use S/Key (see skey(1))
activ Use ActivCard X9.9 token-based authentication (see login_activ(8))
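The passwordcheck contract described above (password on standard input, exit 0 for adequate, 1 for inadequate) is small enough to show in full. The program below is an added example, not OpenBSD’s own checker; the quality rules (minimum length, three character classes, a short denylist) and the install path in the login.conf line `:passwordcheck=/usr/local/sbin/pwcheck:` are assumptions for the example.

```python
import string
import sys

# Constructed denylist for the example; a real deployment would use a larger
# list (or a hash-prefix lookup) loaded from a file.
COMMON = {"password", "password1", "letmein", "qwerty123"}


def check_password(pw, minlen=8):
    """Return (ok, reason). ok is True only when every rule passes.

    minlen mirrors login.conf's minpasswordlen; login.conf can enforce that
    one itself, but repeating it here keeps the program usable on its own.
    """
    pw = pw.rstrip("\n")          # login sends the password followed by a newline
    if len(pw) < minlen:
        return False, "shorter than %d characters" % minlen
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        return False, "needs characters from at least three classes"
    if pw.lower() in COMMON:
        return False, "appears in the list of common passwords"
    return True, "ok"


def main():
    """Read one password from stdin; exit 0 if adequate, 1 if inadequate."""
    ok, reason = check_password(sys.stdin.readline())
    if not ok:
        # The message goes to stderr so the user learns why it was refused.
        print("Password rejected: " + reason, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because passwd(1) runs this program with the candidate password, keep it short, keep it from writing the password anywhere, and make sure it exits 1 on any internal error rather than silently accepting.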


You can also specify default environment settings in

Sunday, November 12th, 2006

You can also specify default environment settings in /etc/login.conf. This can be better than setting them in a user’s default .cshrc or .profile, as these settings affect all user accounts immediately upon each user’s next login. Here are some common environment settings.

hushlogin If present, no system information is given out during the initial login
ignorenologin If present, the user can log in even when /etc/nologin exists
nologin If present, the user cannot log in
path The default search path for programs
priority The default process priority, or niceness
requirehome If present, the user must have a valid home directory to log in
setenv A list of default environment variables
shell The shell given to the user; overrides the one in /etc/passwd
term The default terminal type, if nothing else tries to set a terminal type
umask The default umask
welcome The file containing a message displayed to the user upon login

FTP Options

You can “chroot” FTP users to their home directory via the text file /etc/ftpchroot, but if you have a lot of FTP-only users you’ll be better off using a login class to contain them. It is far more maintainable in the long run. Here are the FTP-affecting login.conf variables:

ftpchroot If present, an FTP user is automatically chrooted into their login directory (by default, their home directory)
ftp-dir The full path to a login directory for FTP users, to give several FTP users a common directory

If you chroot FTP users it’s a good idea to tell them so with a “welcome” message (as described under “Default Environment Settings”).

Controlling Password and Login Options

You can control various password operations in /etc/login.conf. Unlike the environment setup, many of these can only be set in this file. OpenBSD also includes some very extensive methods to control how authentication works: see Authentication. Here are some common options for boring password authentication.

localcipher This controls the password encryption method. This defaults to blowfish hashing, but you could set this to “old” for compatibility with the 56-bit DES hashes used in many older versions of UNIX.
login-backoff This controls how quickly a user can try to log in. After this many login attempts, the login program starts to slow down how often it offers a login prompt.


User Classes Each OpenBSD user has a login

Sunday, November 12th, 2006

Some variables, of course, require particular sorts of values. A path to the home directory must be a full path, while the amount of memory the user may use cannot be a full path. In most cases, the legitimate answers are fairly obvious.

Note On many BSD systems, you must use cap_mkdb(8) to build a database file containing the values in /etc/login.conf for the changes to take effect. This is not necessary in OpenBSD; programs can parse /etc/login.conf directly. If you run cap_mkdb(8) on /etc/login.conf once, however, you must either continue to use it thereafter or remove the database file.

OpenBSD’s default /etc/login.conf contains a few different classes of users. If you want an idea of what sort of restrictions to put on users for various situations, check that file. Here, we’re just going to discuss some of the commonly changed items.

Resource Limits

Resource limits allow you to control how much of the system any one user can tie up at one time. If you have several hundred users logged in to one machine, and one of those users decides to compile 30MB of source code, that person can consume far more than his fair share of processor time and memory. By limiting the resources that one user can monopolize at one time, you can make the system more responsive for less needy users. You can also give different login classes different resource limits.

Resource limits are frequently tied to each process. If you allow each process to use up to 20MB of RAM, and you allow each user to start 20 processes, one user could theoretically consume up to 400MB of memory. Here are several popular resource-limiting login.conf variables.

coredumpsize The maximum size of any core dump
cputime The maximum CPU time any process may use
datasize The maximum memory size of data that can be consumed by one process
filesize The maximum size of any file
stacksize The maximum amount of memory on the stack usable by a process
memoryuse The maximum amount of memory a process can lock
maxproc The maximum number of processes the user can have running
openfiles The maximum number of open files per process

Current and Maximum Resource Limits

The login.conf mechanism supports both advisory (or current) and maximum resource limits. Current limits (-cur) are generally advisory, and the user can override them at will. This works well on a cooperative system, where multiple users willingly share resources. Maximum limits (-max) are absolutes, and the user cannot exceed them. To specify a current limit, add -cur to the limit name. To make a hard limit, add -max. For example, to limit the number of processes a user can have to 60, but give them a warning when they’ve used up half the maximum, you could do this:

:maxproc-cur=30:
:maxproc-max=60:

If you don’t specify either -cur or -max, limits are hard limits and cannot be exceeded by the user.

Default Environment Setting

User Classes Each OpenBSD user has a login

Sunday, November 12th, 2006

User Classes

Each OpenBSD user has a login class that defines limits on that user’s access to system resources, how their environment behaves, and how users in that class authenticate. When you change the characteristics of a class, those limits affect all users in the class. All login classes are defined in /etc/login.conf. You can change a user’s class by running “chpass username” as root. Just put the class name in the “class” space provided, as shown in “Editing Users.”

The Default Login Class

Whenever you create an account with adduser(8), that user is automatically assigned to the “default” class. The simplest way to manage login classes is to have the default class be the most commonly used class on your system. If your computer is an email server with a handful of administrators and several hundred mail users, set up the default class appropriately for the common case, the mail users. You can manually change the administrators’ classes to a more appropriate one more easily than you can edit all those hundreds of users.

Class Definitions

Each class definition consists of a series of variable assignments. When a user logs in, login(1) uses these variables to establish the user’s resource limits and environment setup. Each entry in the class definition begins and ends with a colon, although technically, each entry is all one line. The backslash character is a continuation marker, indicating that the computer should ignore the line break. Humans don’t like 500 character lines of text, after all!

The standard /etc/login.conf starts with the “default” class. This gives the average user fairly broad access to the system. If you’re running a modern system with gigabytes of RAM, you might find these settings too restrictive. If your OpenBSD box is a Pentium 166, however, these settings will basically give every user unlimited access to all system resources. If users consuming resources is a serious concern, you might well want to edit these settings. Here’s a sample of the beginning of a login class.

default:\
    :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
    :umask=022:\
    :datasize-max=256M:\
    …

There are many more variables in a login class, but this should be enough to give you the idea. You can completely change a user’s experience by assigning him to the class that configures his login environment as you desire. Some login.conf variables don’t have a value; they change account behavior just by their presence. For example, the “requirehome” variable just needs to be in the class definition to have effect.

:requirehome:

Legal Values for /etc/login.conf Variables

You can give any of the following values to a login.conf variable assignment.

- A full path to a text file.
- A comma-separated list of values.
- A number.
- A space-separated list of path names. If a ~ is the first character in a path name, the ~ is replaced by that particular user’s home directory.
- A full path to a program.
- A size, either in bytes (default), kilobytes (k), or megabytes (m).
- A time, in seconds (default), minutes (m), hours (h), days (d), weeks (w), or years (y).
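To see how the pieces above fit together (backslash-continued records, colon-delimited entries, valueless variables like requirehome, -cur/-max limits with a bare name meaning a hard limit, size and time suffixes, and per-service auth-* entries falling back to auth as described in the authentication post), the following added example parses a login.conf-style file and answers the questions login(1) or su(1) would ask of it. It is not OpenBSD’s parser and not the shipped /etc/login.conf; the sample classes are constructed. Two behaviours are assumptions for the example: tc= includes the named class as termcap does (the class’s own entries win), and a missing auth entry falls back to passwd.

```python
import re

# Constructed sample in the style of /etc/login.conf (not OpenBSD's shipped file).
SAMPLE_LOGIN_CONF = """\
# default: password or S/Key to log in, S/Key only for su(1)
default:\\
\t:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\\
\t:umask=022:\\
\t:datasize-max=256M:\\
\t:maxproc-cur=30:\\
\t:maxproc-max=60:\\
\t:passwordtime=90d:\\
\t:auth=passwd,skey:\\
\t:auth-su=skey:\\
\t:requirehome:

# staff: includes default via tc=, then overrides a few values
staff:\\
\t:maxproc=unlimited:\\
\t:auth-ftp=passwd:\\
\t:tc=default:
"""


def parse_login_conf(text):
    """Return {class_name: {variable: value_or_True}} from login.conf text."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation marker: join with next line
            buf += line[:-1]
            continue
        records.append(buf + line)
        buf = ""
    classes = {}
    for rec in records:
        fields = rec.split(":")
        caps = {}
        for field in fields[1:]:
            if field:                    # empty fields come from the "::" joins
                key, sep, val = field.partition("=")
                caps[key] = val if sep else True   # bare name: present, no value
        for name in fields[0].split("|"):          # "name|alias" form
            classes[name] = caps
    return classes


def resolve(classes, name, _seen=()):
    """Flatten tc= includes; the including class's own entries take precedence."""
    caps = dict(classes[name])
    parent = caps.pop("tc", None)
    if parent and parent not in _seen and parent in classes:
        merged = resolve(classes, parent, _seen + (name,))
        merged.update(caps)
        return merged
    return caps


def auth_methods(caps, service=None):
    """Methods for auth-<service>, falling back to the plain auth list."""
    val = caps.get("auth-" + service) if service else None
    if val is None:
        val = caps.get("auth", "passwd")   # assumption: passwd when nothing is set
    return [m for m in str(val).split(",") if m]


SIZE = {"": 1, "k": 1024, "m": 1024 ** 2}                      # as listed in the text
TIME = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}


def parse_size(val):
    if val in ("unlimited", "infinity"):   # assumption: spelled this way in this example
        return None
    m = re.fullmatch(r"(\d+)([km]?)", val.lower())
    if not m:
        raise ValueError("bad size: " + val)
    return int(m.group(1)) * SIZE[m.group(2)]


def parse_time(val):
    m = re.fullmatch(r"(\d+)([smhdwy]?)", val.lower())
    if not m:
        raise ValueError("bad time: " + val)
    return int(m.group(1)) * TIME[m.group(2)]


def limit(caps, name):
    """Return (current, maximum); a bare limit name sets both, i.e. a hard limit."""
    if name in caps:
        hard = parse_size(caps[name])
        return hard, hard
    cur, mx = caps.get(name + "-cur"), caps.get(name + "-max")
    return (parse_size(cur) if cur is not None else None,
            parse_size(mx) if mx is not None else None)
```

Feeding it the real file with `resolve(parse_login_conf(open("/etc/login.conf").read()), "default")` gives a quick way to confirm, before changing anything, which methods su(1) will accept for each class and whether a limit is advisory or hard.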

Groups of Users UNIX classifies users into groups,

Sunday, November 12th, 2006

example. The third field holds the group’s unique numeric ID (gid). Many programs use the GID, rather than names, to identify groups. The “wheel” group has a gid of 0. Last is a comma-delimited list of all the users in that group. The users root, mwlucas, and chris are members of the group wheel.

Primary Group

When you create a new user the system creates a group that contains just that user, and it has the same name as the user. This is the user’s “primary group.” A user is automatically a member of his or her primary group, as listed in /etc/passwd. Some programs can be configured to treat users differently based on their primary group, rather than just general group membership.

Changing Group Memberships

If you want to add a user to a group, all you need to do is add their username to the end of the line for that group. For example, if I wanted to add “phil” to the “wheel” group, I would add “,phil” to the wheel group description.[3]

wheel:*:0:root,mwlucas,chris,phil

Creating Groups

To create a new group, all you need is a name for the group and a group ID number. Technically, you don’t even need a member for the group; some programs run as a member of a group, and the system uses the group permissions to control those programs just as users are controlled. Traditionally, the group file lists groups in order of their group ID. The gid is an arbitrary number between 0 and 32,767. Generally speaking, group IDs below 1,000 are reserved for system administrator use. Programs that need a dedicated group ID usually use one in this range. User accounts have group IDs starting at 1,000 and going up. Some special groups start numbering at 32,767 and go down. You can use any gid you want, but adhering to the standards will make life easier on your coworkers and successors.

So, let’s add a group. This sample group is for a database program, so I’m going to call it “db.” I’m arbitrarily adding this custom group with a gid of 5,000, and will start numbering these custom groups from there. I’ll add our database administrator, phil, to this group.

db:*:5000:phil

That’s it!

[3] Mind you, Phil would have to drug me into complete insensibility before I would add him to wheel. But that’s an administrative decision, not a technical one.
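Editing /etc/group by hand is exactly how the text describes it, but the two mistakes that bite later are a duplicate gid and a member silently appended twice. The following added example (not OpenBSD’s own tooling) parses the four-field format shown above, adds a member or a group with those checks, and includes the audit question a wheel-conscious administrator asks of the file: who is in wheel, and does any other group carry gid 0? The sample file content is constructed; it uses the wheel and db lines from the text plus made-up filler groups.

```python
# Constructed sample /etc/group; the wheel and db lines match the text, the
# rest are filler for the example.
SAMPLE_GROUP = """\
wheel:*:0:root,mwlucas,chris
daemon:*:1:daemon
users:*:100:
phil:*:1001:
db:*:5000:phil
"""

GID_MAX = 32767   # range given in the text: 0 to 32,767


def parse_group(text):
    """Return [(name, password, gid, [members])] in file order."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        entries.append((name, pw, int(gid), [m for m in members.split(",") if m]))
    return entries


def format_group(entries):
    """Inverse of parse_group: one "name:pw:gid:m1,m2" line per entry."""
    return "".join("%s:%s:%d:%s\n" % (n, p, g, ",".join(m)) for n, p, g, m in entries)


def gid_in_use(text, gid):
    return any(g == gid for _, _, g, _ in parse_group(text))


def add_member(text, group, user):
    """Append user to the group's member list; a no-op if already present."""
    entries = parse_group(text)
    for i, (n, p, g, m) in enumerate(entries):
        if n == group:
            if user not in m:
                entries[i] = (n, p, g, m + [user])
            return format_group(entries)
    raise KeyError("no such group: " + group)


def add_group(text, name, gid, members=()):
    """Append a new group, refusing duplicate names, duplicate gids, or out-of-range gids."""
    entries = parse_group(text)
    if any(n == name for n, _, _, _ in entries):
        raise ValueError("group exists: " + name)
    if any(g == gid for _, _, g, _ in entries):
        raise ValueError("gid already in use: %d" % gid)
    if not 0 <= gid <= GID_MAX:
        raise ValueError("gid out of range: %d" % gid)
    entries.append((name, "*", gid, list(members)))
    return format_group(entries)


def wheel_members(text):
    """Who may currently use the root password with su(1)."""
    for n, _, _, m in parse_group(text):
        if n == "wheel":
            return m
    return []


def gid_zero_groups(text):
    """Every group carrying gid 0; anything besides wheel deserves a look."""
    return [n for n, _, g, _ in parse_group(text) if g == 0]
```

Write the result back with a temporary file and rename rather than truncating /etc/group in place, so a crash mid-write cannot leave the system without a readable group file.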