LinuxQuestions.org


as400 11-08-2008 02:24 AM

Solaris Security Question...A cause of Concern !
 
Ok, at our work, we have to log on to an E25K Sun Fire server running Solaris 10 from our Windows workstations using an emulator.

Now, we also have an OpenVMS server that we connect to and it's pretty much secure because it does not allow us to log in with several user IDs. Only one user ID at a time.

For example:

Most of the time, many of my users forget their passwords and what they do is borrow someone else's user ID and password until the UNIX admins reset it... Now, the UNIX server allows the user that got the other employee's user ID and password to log on...

As for OpenVMS... when trying to log on with someone else's user ID, the server says... ANOTHER USER IS LOGGED ON ALREADY... and the session terminates from the server...

UNIX does NOT even do that, and I think it's a security concern.

So I do have to ask a UNIX security expert out here: how can I make a Solaris server limit each USER ID to ONE logon at a time, so when an employee asks for another employee's ID and password, that person cannot log on using the other employee's password?

So how can I make my Solaris server here at home limit each user ID to ONE logon?

ilikejam 11-08-2008 05:19 AM

Ummm, as far as I'm aware, Unix has never limited users to one login per user. It's never been seen as a security risk either - if someone else has your password, then all they'd have to do is wait until you log out, so not much protection there. It's also a serious pain in the ass if your xterm falls over and leaves you logged into a remote machine.

If you really wanted to implement this yourself (I run a production host that does this, but for licensing reasons with a 3rd party application), you could put a check in users' .profile to see if there's already a login running for that user, and exit if so. Don't forget to 'chown root .profile; chmod 700 .profile', though.

I'd advise against it, though. You don't gain any measurable security and you could leave yourself locked out from a machine.

Dave
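
One way the .profile check described in the post above could look, as an added example that is not part of the thread and not ilikejam's production code. MAX_SESSIONS, EXEMPT_USERS and the function names are assumptions; the exemption list addresses the lock-out risk the post mentions.

```shell
# Added example, not code from the thread. MAX_SESSIONS, EXEMPT_USERS and the
# function names are illustrative assumptions.
MAX_SESSIONS=1        # sessions allowed per account, including the new one
EXEMPT_USERS="root"   # never blocked, so an admin cannot be locked out

# Print how many lines of who(1) output on stdin belong to user $1.
# who prints one line per session with the login name in the first column.
count_sessions() {
    awk '$1 == u { n++ } END { print n + 0 }' u="$1"
}

# Read who(1) output on stdin; return 0 to allow the login, 1 to refuse it.
# The new login is already in utmpx when .profile runs, so it counts as one.
login_allowed() {
    for exempt in $EXEMPT_USERS; do
        [ "$1" = "$exempt" ] && return 0
    done
    # Backticks so that a legacy Bourne shell can parse this as well.
    sessions=`count_sessions "$1"`
    [ "$sessions" -le "$MAX_SESSIONS" ]
}

# Constructed sample of who(1) output, for trying the functions offline.
SAMPLE_WHO='alice  pts/1  Nov  8 02:24  (ws-101)
alice  pts/2  Nov  8 02:31  (ws-102)
bob    pts/3  Nov  8 02:40  (ws-103)
root   console Nov  8 01:00
root   pts/4  Nov  8 02:45  (ws-104)'

# Lines for the top of the root-owned .profile (commented out here so the
# file can be sourced and tested without ending the shell):
#   trap '' 2    # ignore interrupt while the check runs
#   who | login_allowed "$LOGNAME" || { echo "Account already logged in." >&2; exit 1; }
#   trap 2
```

The check only applies to sessions that read .profile, and a stale utmpx entry left by a dead terminal counts as a live session until it is cleaned up.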

klearview 11-08-2008 05:30 AM

It's a 5 second job to implement a limit on the number of user logins on Linux:

In /etc/security/limits.conf add the following line:

    * - maxlogins 1

Where '*' is a wildcard - instead you can use a specific user name or a group name (with preceding @) i.e. @users.

Of course instead of 'maxlogins 1', which would limit to only one login you can use any other number.

But the above is on Linux - I have no idea about Solaris. I'd be surprised if it didn't provide a similar functionality. I have checked out OpenSolaris and yet couldn't find anything - OpenSolaris' documentation sucks big time.

as400 11-08-2008 06:33 AM

I have been Googling this and found out the results below...I hope...

http://www.unix.com/sun-solaris/1920...-sessions.html

klearview 11-08-2008 06:59 AM

Yup, in the link you provided the solution in post 7 by zazzybob works fine.

Not very elegant though.

jlliagre 11-09-2008 05:20 AM

Quote:

Originally Posted by as400 (Post 3335150)
Most of the time, many of my users forget their passwords and what they do is borrow someone else's user ID and password until the UNIX admins reset it... Now, the UNIX server allows the user that got the other employee's user ID and password to log on...

This is the real security issue you have: users forgetting their passwords and borrowing other people's instead of using a self-service solution to reset them.

What I would do is centralize the users' credentials in a single repository (LDAP server) and/or have an identity management solution synchronizing the Windows and Unix passwords.

