Define User Authority to Use Terminals
One of the most effective ways to block intruders from accessing the system is by terminal protection, which is the source of the login. The source can be the host or the terminal (such as an X terminal or a console) from which the user logs in.
In modern architecture, a terminal is no longer the teletype device UNIX was developed for. On most sites, a pseudo terminal is allocated through the pseudo terminal server (PTS) or by the X window manager. The name of the terminal is a meaningless symbol for the security system.
PAM Server Control protects what we understand as a terminal. The product implements terminal protection during the login stage, when it defines a terminal in one of three ways:
- When the user logs in from an X terminal using the XDM login window, PAM Server Control takes the IP address of the X terminal, translated to a host name (from /etc/hosts, NIS, or DNS), as the terminal used for the login request. The product can also protect using the IP address itself if the translation to a host name fails or if you prefer to use IP addresses.
- When the user logs in from a dumb terminal, the TTY name identifies the terminal.
- When the user logs in from the network (through Telnet, rlogin, rsh, and so on), the requesting IP address, translated to a host name (through /etc/hosts, NIS, or DNS), is taken as the terminal name.
You can define login rules for a specific host by defining that host in the TERMINAL class. Add the appropriate users and groups to the access list of the object. For each login source, you can also limit the days and hours during which login from that host or terminal is allowed; to do this, set the day and time restrictions on the TERMINAL object. Use wildcards in the TERMINAL class to define hosts that match a pattern (host name or IP address).
Usually, highly authorized users such as the superuser or system administrators are restricted to terminals that are located in secure places. Intruders and hackers who want to enter the system as superuser are not able to do it from their own remote stations. They have to work from one of the authorized terminals, which should be in a secured location.
When logging in from the network, you cannot be certain that the user is indeed sitting in front of the host console. The user could be sitting in front of any terminal that is attached to that host or communicating from any other node in the network authorized to receive services from the requesting host. Permitting a user to log in from another host implies that we permit login to that user not only from that specific station but also from any other terminal authorized by that station. To ensure isolation between departments, define terminal groups. Allow users of each department to work only from the terminal group of their department.
Unlike other resources, with terminal authorizations the more information a user is authorized to access, the lower that user's terminal authorization should be. The superuser must be the most restricted user in terminal access. This restriction ensures that nobody can log in as root from remote, unsafe terminals.
When defining terminals, PAM Server Control requires you to specify the owner of the terminal definition explicitly. The reason is that if the root user, as the security administrator, became the owner of the terminal by default, the terminal would be eligible for superuser login. In most cases, this is not wanted. To prevent such mistakes, which might unintentionally open loopholes, PAM Server Control makes you define an owner when defining the terminal. To define the terminal tty34, use the following command:
newres TERMINAL tty34 defaccess(none) owner(userA)
This command creates a record for the terminal tty34, sets its default access to NONE, and defines userA as its owner. userA, as the owner of the terminal, is automatically allowed to enter the system through terminal tty34.
To prevent all users from logging in from the terminal tty34, specify nobody as the owner:
newres TERMINAL tty34 defaccess(none) owner(nobody)
To permit a user to log in from a particular terminal, enter the following command:
authorize TERMINAL tty34 uid(USR1)
This command permits USR1 to log in from terminal tty34.
Permission to use a terminal can also be granted to a group. For example, the following command permits members of the group DEPT1 to use the terminal tty34:
authorize TERMINAL tty34 gid(DEPT1)
To define a group of terminals (known as a terminal group), enter the following command:
newres GTERMINAL TERM.DEPT1 owner(ADM1)
To add member terminals to the terminal group TERM.DEPT1, enter the following command:
chres GTERMINAL TERM.DEPT1 mem(tty34, tty35)
To authorize USR1 to use this terminal group, enter the following command:
authorize GTERMINAL TERM.DEPT1 uid(USR1)
This grants USR1 the authority to use both tty34 and tty35.
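The department isolation and superuser restriction described above, carried through as one selang script. This is an added example, not a script from the product documentation: the terminal, user, and group names are constructed, lines beginning with # are comments, and the restrictions() day/time syntax is an assumption to check against the selang reference for your release.

```selang
# Added example (not from the product documentation). Host, user and group
# names are constructed; adjust them to your site.

# Department workstations and the machine-room console: default access NONE
# and owner nobody, so nobody can log in from them until explicitly authorized.
newres TERMINAL console            defaccess(none) owner(nobody)
newres TERMINAL ws-eng01.example.com defaccess(none) owner(nobody)
newres TERMINAL ws-eng02.example.com defaccess(none) owner(nobody)
newres TERMINAL ws-fin01.example.com defaccess(none) owner(nobody)

# One terminal group per department, plus a group for the secured console.
# owner(nobody) on the groups as well, so ownership grants no implicit login.
newres GTERMINAL TERM.ENG    owner(nobody)
chres  GTERMINAL TERM.ENG    mem(ws-eng01.example.com, ws-eng02.example.com)
newres GTERMINAL TERM.FIN    owner(nobody)
chres  GTERMINAL TERM.FIN    mem(ws-fin01.example.com)
newres GTERMINAL TERM.SECURE owner(nobody)
chres  GTERMINAL TERM.SECURE mem(console)

# Each department may log in only from its own terminal group.
authorize GTERMINAL TERM.ENG gid(ENG)
authorize GTERMINAL TERM.FIN gid(FIN)

# root is the most restricted user: the console only, and only during
# staffed hours. The restrictions() form below is assumed; verify it for
# your release of the product.
authorize GTERMINAL TERM.SECURE uid(root)
chres TERMINAL console restrictions(days(Mon,Tue,Wed,Thu,Fri) time(0800:1800))
```

With these records in place, a member of ENG who reaches the host from a finance workstation, or root arriving over Telnet from any workstation, fails the TERMINAL check at login rather than being stopped later.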