
enhanced security disable dlogin?

SOLVED
Qing Zhu
Advisor

enhanced security disable dlogin?

Hi,
The decnet login utility (dlogin) does not work anymore after I changed security mode from base to enhanced. (OS: 5.1B-1, decnet-plus for 5.0A). The message is "dlogin, Remote node says node unreachable" when I 'dlogin' to a node with enhanced security.

Does anyone know why, and how to make both work?

Thanks,
Qing
4 REPLIES
Ann Majeske
Honored Contributor
Solution

Re: enhanced security disable dlogin?

Hi,

I don't know anything about decnet, but I found this in an old internal conference. It came from the DECnet release notes of that time (1997).

Ann

2.1 Using DECnet with Enhanced Security

If enhanced security is enabled on a system running DECnet, users may no longer be able to log into that system via dlogin. This is because enhanced security expires all accounts when it is enabled, including the daemon account, which is the default account used by DECnet for remote logins. To re-enable dlogin, either activate the daemon account by resetting the password or change the default account on the "session control application cterm" entity to an active account.
Qing Zhu
Advisor

Re: enhanced security disable dlogin?

Thanks Ann, it worked by resetting passwd for daemon account.

My new concern is that now the daemon account has a passwd attached, could this be a potential security breach? Should I assign a non-functional shell such as /bin/false to the daemon account?
Please advise.
Ann Majeske
Honored Contributor

Re: enhanced security disable dlogin?

Hi,

The easiest way to disable an account when running Enhanced Security is to set the administrative lock. You can also disable password and account expiration on the account so that the account doesn't get disabled again.

There are several tools you can use to modify the account, the usermod command (see "man usermod"), the sysman Account Manager, or the edauth tool (see "man edauth"). There is more information on Enhanced Security in the Security Administration manual.

The prpasswd man page lists all of the protected password database identifiers that can be set. The identifiers that you want in this case are:
u_exp - password expiration, set this to zero to disable password expiration
u_life - password lifetime, set this to zero to disable
u_lock - the existence of this field without the @ symbol locks the account
u_expdate - account expiration, set this to zero to disable account expiration

Ann
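
An added example, not part of the reply above and not a Tru64 tool: a small Python check that reads one protected password database entry and reports the state of the four identifiers listed in that reply. It assumes the entry text has been saved in the colon-separated field syntax (name=string, name#number, name for true, name@ for false); the function names and both sample entries are constructed for illustration.

```python
import re

# Expiry-related identifiers from the reply; a value of 0 disables each one.
EXPIRY_FIELDS = ("u_exp", "u_life", "u_expdate")

def parse_entry(text):
    """Parse one colon-separated entry into a {field: value} dict."""
    # Entries may be wrapped with a trailing backslash; join them first.
    flat = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    parts = [p.strip() for p in flat.split(":")]
    fields = {"_name": parts[0]}
    for part in parts[1:]:
        m = re.match(r"(\w+)([=#@]?)(.*)", part)
        if not m or m.group(1) == "chkent":  # skip blanks and the end marker
            continue
        name, kind, value = m.groups()
        if kind == "=":
            fields[name] = value          # string field
        elif kind == "#":
            fields[name] = int(value)     # numeric field
        else:
            fields[name] = kind != "@"    # bare name = true, name@ = false
    return fields

def account_state(fields):
    """Report the lock flag and which expiry controls are not set to 0."""
    still_enabled = [
        key for key in EXPIRY_FIELDS
        if not (type(fields.get(key)) is int and fields[key] == 0)
    ]
    return {
        "account": fields["_name"],
        "locked": fields.get("u_lock") is True,  # present without '@'
        "expiry_not_disabled": still_enabled,
    }

# Constructed sample entries (the password value is a placeholder).
LOCKED = ("daemon:u_name=daemon:u_id#1:u_pwd=PLACEHOLDER:u_exp#0:u_life#0:\\\n"
          "\t:u_expdate#0:u_lock:chkent:")
UNLOCKED = "daemon:u_name=daemon:u_id#1:u_pwd=PLACEHOLDER:u_life#15724800:u_lock@:chkent:"

if __name__ == "__main__":
    for sample in (LOCKED, UNLOCKED):
        print(account_state(parse_entry(sample)))
```

A field that is absent from the entry is reported under expiry_not_disabled, because it has not been explicitly set to zero for that account.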
Qing Zhu
Advisor

Re: enhanced security disable dlogin?

this helps:)