6. Execs the login program.
The steps that are relevant to the identification and authorization subsystem are step 5, which prompts for the
user’s login name, and step 6, which executes the login program. The administrator can also use a
command-line option to terminate the program if a user name is not entered within a specific amount of time.
5.11.3.2 gpasswd
The gpasswd program administers the /etc/group and /etc/gshadow files. gpasswd allows
system administrators to designate group administrators for a particular group. Refer to the gpasswd man
page for more detailed information. Group passwords are not used on the TOE.
5.11.3.3 login
The login program is used to authenticate a user signing on to the TOE. If root is trying to log in, the program
makes sure that the login attempt is being made from a secure terminal listed in /etc/securetty. login
prompts for the password and turns off the terminal echo in order to prevent displaying the password as it is
being typed by the user. login then verifies the password for the account. If an initial password is not set
for a newly created account, the user is not allowed to log in to that account. Unsuccessful login attempts are
tallied, and access is denied if the number of failed attempts exceeds the number specified as the argument to the
pam_tally.so module (deny=5). Once the password is successfully verified, various password aging
restrictions, which are set up in /etc/login.defs, are checked. If the password has expired, the login
program requests the user to change his or her password. If the password age is satisfactory, the program sets
the user ID and group ID of the process, changes the current directory to the user’s home directory, and
executes the shell specified in the /etc/passwd file. Refer to the login man page for more detailed
information. Login generally follows these steps:
1. Sets language.
2. Parses command-line options.
3. Checks the tty name.
4. Sets the process group ID.
5. Gets control of the tty by killing processes left on this tty.
6. Calls pam_start() to initialize PAM data structures, including hostname and tty.
7. If a password is required and a username is not yet set, it prompts for a user name.
8. It calls pam_authenticate() in a loop to cycle through all configured methods. Audit records
are created with the success and failure result of each configured authentication method.
9. If failed attempts exceed the maximum allowed, it exits.
10. Performs account management by calling pam_acct_mgmt().
11. Sets up supplementary group list.
12. Updates the utmp and wtmp files.
13. Changes ownership of the tty to the login user. When the user logs off, the ownership of the tty
reverts to root.
14. Changes the access mode of the tty.
15. Sets the primary group ID.
16. Sets environment variables.
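The password aging decision that login makes after pam_authenticate() succeeds, reconstructed here from the /etc/shadow field semantics as an added example; this is not the login or pam_unix source, and the shadow entries are constructed, including the placeholder hash values.

```python
from datetime import date
from enum import Enum

class Aging(Enum):
    OK = "ok"
    NO_PASSWORD = "no usable password"       # new account without an initial password
    MUST_CHANGE = "password expired"         # login prompts the user for a new password
    INACTIVE = "expired past inactivity"     # grace period over, access denied
    ACCOUNT_EXPIRED = "account expired"

def parse_shadow(line):
    """Split one /etc/shadow line into its nine colon-separated fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("malformed shadow entry")
    name, pw_hash, lastchg, min_, max_, warn, inact, expire, _ = f
    num = lambda s: int(s) if s else None    # an empty field means "not set"
    return {"name": name, "hash": pw_hash, "lastchg": num(lastchg),
            "min": num(min_), "max": num(max_), "warn": num(warn),
            "inactive": num(inact), "expire": num(expire)}

def check_aging(entry, today):
    """Return (Aging, days_left) for a parsed entry on `today`, counted in days
    since 1970-01-01 as shadow does; days_left is None unless the password is valid."""
    if not entry["hash"] or entry["hash"][0] in "!*":
        return Aging.NO_PASSWORD, None       # locked, or never given a password
    if entry["expire"] is not None and today >= entry["expire"]:
        return Aging.ACCOUNT_EXPIRED, None
    if entry["lastchg"] == 0:                # administrator forced a change
        return Aging.MUST_CHANGE, None
    if entry["max"] is None or entry["lastchg"] is None:
        return Aging.OK, None                # aging disabled for this account
    expiry = entry["lastchg"] + entry["max"]
    if today > expiry:
        if entry["inactive"] is not None and today > expiry + entry["inactive"]:
            return Aging.INACTIVE, None
        return Aging.MUST_CHANGE, None
    return Aging.OK, expiry - today          # caller compares days_left with warn

def today_days():
    """Current day number in the unit /etc/shadow uses."""
    return date.today().toordinal() - date(1970, 1, 1).toordinal()

if __name__ == "__main__":
    # Constructed entries: lastchg 19000, max 90 days, warn 7, account expiry day 19500.
    for line in ("alice:$6$constructed:19000:0:90:7::19500:", "bob:!:19000:0:90:7:::"):
        print(parse_shadow(line)["name"], check_aging(parse_shadow(line), 19050))
```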