security.4 (2012 03)

security(4) security(4)
DISPLAY_LAST_LOGIN
This attribute controls whether a successful login displays the date, time and origin
of the last successful login and the last authentication failure. Times are displayed
using the system’s time zone. See the discussion of time zones in the Notes section.
This attribute does not apply to trusted systems. This attribute is supported for
users in all name server switch repositories, such as local, NIS and LDAP. This
attribute is enforced in the pam_hpsec service module, and requires that the
pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). The
system-wide default defined here may be overridden by defining a per-user value in
/var/adm/userdb (described in userdb(4)).
DISPLAY_LAST_LOGIN=0
Information is not displayed.
DISPLAY_LAST_LOGIN=1
Information is displayed.
Default value:
DISPLAY_LAST_LOGIN=1
INACTIVITY_MAXDAYS
This attribute controls whether an account is locked if there have been no logins to
the account for a specified time interval. It does not apply to trusted systems. This
attribute is supported only for non-root users managed by pam_unix (described in
pam_unix(5)); this typically includes local and NIS users. On a system in standard
or shadow mode, it also applies to root if LOGIN_POLICY_STRICT=1. In most
cases this attribute can be enforced only as a system-wide default; however, for local
users on a shadow password system, the system-wide default defined here in
/etc/default/security may be overridden by defining a per-user value in the
inactivity field of /etc/shadow with either one of these commands:
useradd -f inactive_maxdays
usermod -f inactive_maxdays
When an account has been locked due to this feature, root can unlock the account
with this command:
userdbset -d -u username login_time
INACTIVITY_MAXDAYS=0
Inactive accounts are not expired.
INACTIVITY_MAXDAYS=N
Inactive accounts are expired if there have been no logins to the account for at
least N days. N can be any positive integer.
Default value:
INACTIVITY_MAXDAYS=0
LOGIN_POLICY_STRICT
This attribute imposes restrictions on root login and authentication. These are
restrictions which already apply to normal users.
LOGIN_POLICY_STRICT=0
User root is not subject to login restrictions.
LOGIN_POLICY_STRICT=1
Authentication of user root is subject to the following:
Enforce ALLOW_NULL_PASSWORD (does not allow root login with a null password).
Enforce INACTIVITY_MAXDAYS (does not allow login for a stale root account).
The LOGIN_POLICY_STRICT attribute is only valid if the libpam_unix patch
PHCO_40838 or later is installed.
Default value:
LOGIN_POLICY_STRICT=0
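The following audit script is an added example, not part of the HP-UX manual page or HP's own code. It reports the effective values of DISPLAY_LAST_LOGIN, INACTIVITY_MAXDAYS and LOGIN_POLICY_STRICT using the defaults stated above, and flags the case where root is exempt from the inactivity policy. The function names, the sample file, and the assumed file format (one ATTRIBUTE=value per line, '#' comments, last assignment wins) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not HP code). Assumed file format: one ATTRIBUTE=value per
# line, '#' starts a comment, and the last assignment of an attribute wins.

# sec_attr FILE NAME DEFAULT -> print the effective value of NAME in FILE
sec_attr() {
    val=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" 2>/dev/null |
          sed -n "s/^[[:space:]]*$2=//p" | tail -n 1)
    echo "${val:-$3}"
}

# audit_login_policy FILE -> print one finding per line
audit_login_policy() {
    last=$(sec_attr "$1" DISPLAY_LAST_LOGIN 1)
    days=$(sec_attr "$1" INACTIVITY_MAXDAYS 0)
    strict=$(sec_attr "$1" LOGIN_POLICY_STRICT 0)

    [ "$last" = 1 ] ||
        echo "WARN DISPLAY_LAST_LOGIN=$last: last login and failure are not shown"
    case $days in
        *[!0-9]*) echo "FAIL INACTIVITY_MAXDAYS=$days: expected 0 or a positive integer" ;;
        *)  if [ "$days" -eq 0 ]; then
                echo "WARN INACTIVITY_MAXDAYS=0: inactive accounts are not expired"
            else
                echo "OK INACTIVITY_MAXDAYS=$days"
            fi ;;
    esac
    [ "$strict" = 1 ] ||
        echo "WARN LOGIN_POLICY_STRICT=$strict: root is not subject to ALLOW_NULL_PASSWORD or INACTIVITY_MAXDAYS"
}

# Constructed sample input, standing in for /etc/default/security.
sample=${TMPDIR:-/tmp}/security.sample.$$
cat > "$sample" <<'EOF'
# constructed sample
DISPLAY_LAST_LOGIN=1
INACTIVITY_MAXDAYS=90
#LOGIN_POLICY_STRICT=1
EOF
audit_login_policy "$sample"
rm -f "$sample"
```

On a real system, pass /etc/default/security as the argument; per-user overrides in /var/adm/userdb and /etc/shadow are outside what this check reads.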
LOGIN_TIMES
This attribute restricts logins to specific time periods. Login time restrictions are
based on the system’s time zone. See the discussion of time zones in the Notes
section. This attribute does not apply to trusted systems. This attribute is supported
for users in all name server switch repositories, such as local, NIS and LDAP. This
attribute is enforced in the pam_hpsec service module, and requires that the
pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). Other
PAM service modules in your configuration may enforce additional restrictions. The
system-wide default defined here may be overridden by defining a per-user value in
HP-UX 11i Version 3: March 2012 3 Hewlett-Packard Company 3