ttys(4)
NAME
ttys - Terminal control database file (Enhanced Security)
DESCRIPTION
Notes
The secure terminal database file, /etc/securettys, controls root
logins for all security levels. The file is described in the
securettys(4) reference page.
By default, the enhanced security terminal control information is
stored in database format (ttys.db). The information was formerly
stored in the ttys file and is converted to database format in an
update installation. The convauth utility converts an existing ttys
file to database format.
The enhanced security terminal control database (ttys.db) contains an
entry for each terminal or X displayname that can be used for logging
in. It supports wildcarding of the entire terminal name or displayname
only. Authentication programs use information in the terminal control
database to determine if a login is permitted on the specified terminal.
Information from the device assignment database
(/etc/auth/system/devassign) can also affect terminal login permissions.
Successful and unsuccessful login attempts on the terminal are optionally
recorded in the terminal control database, and the information can be used
to disable terminal logins when break-in attempts are suspected.
The /usr/tcb/bin/dxdevices GUI provides a way to create terminal control
database entries and to alter the system default values for the
fields. The edauth utility can also be used to display and modify
terminal control database entries.
A terminal control database entry consists of keyword field identifiers
and values for those fields. If a necessary value is not specified in
an entry, a default value for the field is supplied from the system
default file (/etc/auth/system/default). For more information on the
field format, see authcap(4).
The following keyword field identifiers are supported:

t_devname: This field defines the terminal device name for the entry.
The system expects that terminal devices are in the /dev directory and
therefore this prefix should not be specified. If the terminal entry
describes the /dev/tty1 device, the t_devname field should contain tty1.
This field is ignored if it is set in a template or in the default
database.

t_uid: This field contains the user ID of the last user who successfully
logged in using the terminal device. This field is ignored if it is set
in a template or in the default database.

t_logtime: This field is a time_t value that records the last successful
login time to the terminal device. This field is ignored if it is set in
a template or in the default database.

t_unsucuid: This field contains the user ID of the last user who
unsuccessfully attempted to log in using the terminal device. This field
is ignored if it is set in a template or in the default database.

t_unsuctime: This field is a time_t value that records the last
unsuccessful login time to the terminal device. This field is ignored if
it is set in a template or in the default database.

t_prevuid: This field contains the user ID of the user who successfully
logged in before the user identified in the t_uid field. This represents
the UID of the previous login session. This field is ignored if it is
set in a template or in the default database.

t_prevtime: This field is a time_t value that contains the system time
of last logout associated with this terminal device. This value marks
the end of the previous login session associated with the user
identified by t_prevuid.

t_failures: This field records the number of consecutive unsuccessful
login attempts to the terminal device. This field is ignored if it is
set in a template or in the default database.

This field specifies the maximum number of consecutive unsuccessful
login attempts permitted using the terminal before the terminal is
locked. Once the terminal is locked, it must be unlocked by an
authorized administrator.

This field is a time_t value that identifies the login delay enforced by
authentication programs between unsuccessful login attempts. This field
is designed to slow the rate at which penetration attempts on a terminal
device can occur.

This field indicates whether the terminal device has been
administratively locked. This field is manipulated by authorized
administrators only.

This field specifies the time interval in seconds after t_unsuctime to
wait before ignoring t_failures. Zero means never ignore t_failures.

This field specifies the login time-out value in seconds. If a login
attempt is initiated by entering a user name at the login prompt but
successful authentication is not completed within the time-out interval
specified, the login attempt is aborted.

This field indicates that the entry is an X window display managed by
xdm, rather than a terminal device. This field is ignored if it is set
in a template or in the default database.
EXAMPLES
The following example shows a typical terminal control database entry:
    console:t_devname=console:\
        :t_uid=jdoe:t_logtime#675430072:\
        :t_unsucuid=jdoe:t_unsuctime#673610809:\
        :t_prevuid=root:t_prevtime#671376915:\
        :chkent:
This entry is for the system console device, /dev/console. The most
recent successful login session was for the user jdoe. The most recent
unsuccessful login attempt was also by user jdoe. Before the most
recent successful login session, the root account was used to log in to
the console. The entry records the system time for the current successful
login, the end of the previous successful login session, and the
time of the most recent unsuccessful login attempt.
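
The entry format shown above and the failure-count rules from the field descriptions can be checked offline with a short parser. This is an added example, not code from this reference page or from the operating system. The function names, the constructed t_failures value, the name@ form for a false flag, treating chkent as a required end marker, and locking once failures reach the maximum (passed in as arguments, along with the unlock interval) are assumptions.

```python
import time

# Constructed sample: the entry from EXAMPLES plus a made-up t_failures count.
SAMPLE = r"""console:t_devname=console:\
        :t_uid=jdoe:t_logtime#675430072:\
        :t_unsucuid=jdoe:t_unsuctime#673610809:\
        :t_prevuid=root:t_prevtime#671376915:\
        :t_failures#4:chkent:"""


def parse_entry(text):
    """Parse one terminal control entry into (entry_name, fields)."""
    # Join continuation lines: drop indentation and trailing backslashes.
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    parts = [p for p in joined.split(":") if p]
    if not parts or parts[-1] != "chkent":   # assumed end-of-entry marker
        raise ValueError("entry is not terminated by chkent")
    name, fields = parts[0], {}
    for item in parts[1:-1]:
        if "=" in item:                      # string field, e.g. t_uid=jdoe
            key, value = item.split("=", 1)
            fields[key] = value
        elif "#" in item:                    # numeric field (time_t, counters)
            key, value = item.split("#", 1)
            fields[key] = int(value)
        elif item.endswith("@"):             # flag explicitly false (assumed form)
            fields[item[:-1]] = False
        else:                                # bare flag
            fields[item] = True
    return name, fields


def failures_lock_terminal(fields, max_tries, unlock_interval, now=None):
    """True if the recorded failures lock the terminal under the given limits."""
    now = time.time() if now is None else now
    failures = fields.get("t_failures", 0)
    last_failure = fields.get("t_unsuctime", 0)
    # A non-zero interval after t_unsuctime expires the count; zero never does.
    if unlock_interval and now >= last_failure + unlock_interval:
        failures = 0
    # Assumption: the terminal locks once failures reach the maximum.
    return failures >= max_tries
```

An administrative lock is a separate field and is not evaluated here; a real audit script would check it before the failure count.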
FILES
Specifies the pathname of the database.
SEE ALSO
Commands: login(1)
Functions: getprtcent(3)
Files: authcap(4), default(4), securettys(4)