default(4)
NAME
default - System default database file (Enhanced Security)
DESCRIPTION
The system default database is unique in that it defines system-wide global
values. It is designed to provide values for users and devices at a global
level so that an administrator is not required to replicate values in user
or device databases when they are all the same. In addition to being easier
to specify global values, it is also much easier to make a global system
change if necessary.
The system default database contains four types of values:
system-wide
System-wide values that do not have corresponding specifications in any
other system database. If a system-wide value is not specified in the
default database, then it is undefined.
user
User values, which are typically specified in a protected password
database file.
terminal
Terminal control values, which are typically specified in the terminal
control database file.
device assignment
Device assignment values, which are typically specified in the device
assignment database file.
The field names for each value type begin with an identifying prefix. The
following list of prefixes also lists the reference page that explains the
associated database:
d_ Defaults database field. (this reference page)
t_ Terminal control database field. (ttys(4))
u_ Protected password database field. (prpasswd(4))
v_ Device assignment database field. (devassign(4))
System default parameters can be specified for fields found in the
protected password, terminal control, and device assignment databases. When
a specific entry is retrieved from one of these databases, a structure
called ufld that contains all of the explicitly specified values is
provided to the caller. A second structure, called sfld, is also provided;
it defines those values supplied from the system default database.
Each of these structures has a corresponding flag structure called uflg and
sflg respectively that indicates which fields in each structure have been
specified and are valid for use. Programs honor the user-specific or
device-specific value if one is provided. Otherwise, programs use the
system default value if one has been specified. If neither value is
specified, the program may supply a reasonable default value or abort.
The following fields are defined only in the defaults database:
d_pw_expire_warning
This field contains the value, measured in seconds, used to control
whether a password expiration warning is given at login time. If the
password expiration time contained in the user's protected password
database file falls within this time interval (measured from the
current system time), a warning is given.
d_pw_site_callout
This field is a string that specifies the full path name of the program
or script to call for site-specific security policy conformance
decisions.
d_name
This field contains the name of the entry, which is set by default to
the string default.
d_boot_authenticate
This flag field is not currently used.
d_audit_enable
This flag is for MLS+ compatibility only. It's ignored in Tru64 UNIX
Version 5.1B.
d_secclass
This field is an ASCII identifier of the security class supported by
the system and is used for informational purposes only. The choices
include a1, b1, b2, b3, c1, c2, and d.
d_admin_preexpire_psw
A boolean expression indicating that the password set by the
administrator should be set to expire immediately. This flag controls
whether auto-migration requires a password change at the time it
creates the account, or whether it assumes the password was set at the
present time. It also controls the forced-expiration-required action
of dxchpwd when an administrator changes a user's password.
d_skip_ttys_updates
A boolean expression indicating that the ttys database is not updated
during logins. If this flag is set in the system defaults database,
login attempts (successful or not) skip updating the ttys database.
This speeds up logins at the expense of the per-terminal break-in
evasion (failed-attempt counting and terminal locking) that depends on
those records.
d_auto_migrate_users
A boolean expression that causes a new extended profile to be created
if no extended profile exists, but there is a valid base profile. If
this flag (in the system defaults database) is set, and a user attempts
to log in with no extended profile, but the user does have a legitimate
BSD-style profile, an extended profile is created for that user (all
defaults, except where specific information is required, like username
and UID).
d_max_vacation_future
A numeric value in seconds indicating how far into the future a user-
initiated vacation can be scheduled. If either d_max_vacation_future or
d_max_vacation_duration is zero, no user-initiated use of the
vacationing feature is possible. This field (in the system defaults
database) is zero (implicitly) as shipped.
d_max_vacation_duration
A numeric value in seconds indicating how long a user-initiated
scheduled vacation can last. If either d_max_vacation_future or
d_max_vacation_duration is zero, no user-initiated use of the
vacationing feature is possible. This field (in the system defaults
database) is zero (implicitly) as shipped.
d_accept_alternate_vouching
A boolean expression indicating that SIA vouching is accepted from other
authentication mechanisms. If this field is set (in the system defaults
database), other C2 mechanisms will not demand a password of their own
if a preceding SIA mechanism has already validated the user. (This
supports mixing DCE and C2.) It means that the C2 password controls
count for little, if anything, while DCE is up and in use, but the
behaviour is under administrator control and defaults off. It can also
be desirable to set this when using S/Key or smartcard support.
EXAMPLES
The following example is a typical system default database:
default:\
:d_name=default:\
:d_secclass=c2:\
:d_boot_authenticate@:\
:d_audit_enable@:\
:d_pw_expire_warning#3456000:\
:u_pwd=*:\
:u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
:u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
:u_genchars:u_genletters:\
:u_maxtries#5:u_lock:\
:t_logdelay#2:t_maxtries#10:\
:chkent:
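The following Python program is an added example, not part of this reference page or of Tru64 UNIX. It parses entries in the authcap(4) format shown above (numeric fields with #, string fields with =, boolean flags negated with @, chkent as the end-of-entry marker) and then models the lookup precedence described in DESCRIPTION: a value explicitly present in the user's own entry (ufld/uflg) wins, a value present only in the default entry (sfld/sflg) is used otherwise, and a field in neither is undefined. It also applies d_pw_expire_warning, assuming that a password expires u_exp seconds after the last successful change recorded in u_succhg; that arithmetic, the user entry alice, and the function names are this example's own assumptions.

```python
"""Added example: parse authcap-format entries and resolve values with the
user-entry-then-default precedence described in default(4). Not Tru64 code."""
import re
from typing import Dict, Optional, Tuple, Union

Value = Union[int, str, bool]
Entries = Dict[str, Dict[str, Value]]

# Constructed sample database. The 'default' entry is the one from the
# EXAMPLES section; the user entry 'alice' is invented for this example.
SAMPLE_DB = r"""
default:\
    :d_name=default:\
    :d_secclass=c2:\
    :d_boot_authenticate@:\
    :d_audit_enable@:\
    :d_pw_expire_warning#3456000:\
    :u_pwd=*:\
    :u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
    :u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
    :u_genchars:u_genletters:\
    :u_maxtries#5:u_lock:\
    :t_logdelay#2:t_maxtries#10:\
    :chkent:
alice:\
    :u_name=alice:u_id#1001:\
    :u_maxtries#3:u_nullpw@:u_succhg#1700000000:\
    :chkent:
"""

# name=string | name#number | name@ (flag false) | name (flag true)
FIELD_RE = re.compile(r"^([A-Za-z_]\w*)(?:=(.*)|#(-?\d+)|(@))?$")


def parse_authcap(text: str) -> Entries:
    """Join backslash-continued lines into records and split them on ':'."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        records.append(buf + line)
        buf = ""
    if buf:
        records.append(buf)

    entries: Entries = {}
    for rec in records:
        name, *fields = rec.split(":")
        vals: Dict[str, Value] = {}
        for f in fields:
            if not f or f == "chkent":      # empty separator or end marker
                continue
            m = FIELD_RE.match(f)
            if not m:
                raise ValueError(f"malformed field {f!r} in entry {name!r}")
            key, s, n, neg = m.groups()
            if s is not None:
                vals[key] = s
            elif n is not None:
                vals[key] = int(n)
            else:
                vals[key] = not neg         # '@' suffix negates the flag
        entries[name] = vals
    return entries


def lookup(entries: Entries, user: str, field: str) -> Tuple[Optional[Value], str]:
    """ufld/uflg first, then sfld/sflg, else undefined; reports the source."""
    if field in entries.get(user, {}):
        return entries[user][field], "user"
    if field in entries.get("default", {}):
        return entries["default"][field], "default"
    return None, "undefined"


def password_expiry_warning(entries: Entries, user: str, now: int) -> Optional[int]:
    """Seconds until expiry if inside the d_pw_expire_warning window, else None.
    Assumption of this example: expiry = u_succhg + u_exp."""
    succhg, _ = lookup(entries, user, "u_succhg")
    exp, _ = lookup(entries, user, "u_exp")
    warn = entries.get("default", {}).get("d_pw_expire_warning")
    if succhg is None or exp is None or warn is None:
        return None                         # undefined: no warning possible
    remaining = int(succhg) + int(exp) - now
    return remaining if remaining <= int(warn) else None


if __name__ == "__main__":
    db = parse_authcap(SAMPLE_DB)
    for fld in ("u_maxtries", "u_lock", "u_nullpw", "t_logdelay", "u_nosuch"):
        print(fld, lookup(db, "alice", fld))
    print("warn:", password_expiry_warning(db, "alice", 1715724800 - 1000000))
```

Note that lookup() checks membership, not truthiness: a flag explicitly negated in the user entry (u_nullpw@) is a specified value and must not fall through to the default, which is exactly what the uflg/sflg flag structures exist to distinguish.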
FILES
/etc/auth/system/default
Specifies the pathname of the file.
SEE ALSO
Functions: getprdfent(3)
Files: authcap(4), devassign(4), prpasswd(4), ttys(4)