###system security overview###
/var/adm/sulog - houses su attempts
Format: SU TIMESTAMP +|- TTY Switched_User_From-To (+ = successful, - = failed)
SU 06/17 11:13 + pts/4 root-unixcbt
/var/adm/loginlog - does not exist by default
Note: houses failed logins after threshold (default of 5)
touch /var/adm/loginlog
/etc/default/login
logins command
logins -x -l unixcbt - returns info from /etc/{passwd,shadow}
logins -p - lists users without passwords
###password generation encryption algorithm###
Note: default in Solaris 10 is Unix, legacy encryption - the weakest
/etc/security/policy.conf - man policy.conf(4)
Note: password encryption changes take effect at user's next password change
###Secure Shell (SSH)###
Features:
 1. provides encrypted communication between client & server
 2. FTP-like facility
 3. Terminal facility - emulates telnet by providing the client with a pseudo-terminal (PTS)
 4. port forwarding - encrypts local & remote TCP-based ports
###disable clear-text protocols - FTP & Telnet###
svcadm disable ftp && svcadm disable telnet && svcs -l telnet
###ssh client###
precedence order:
1. command-line options
2. ~/.ssh/config
3. /etc/ssh/ssh_config
/etc/ssh/ssh_config
ssh hostname - stores hostname's public key in ~/.ssh/known_hosts
hostname's public key can be stored system-wide in: /etc/ssh/ssh_known_hosts
Note: it is a requirement that the remote ssh server's public key (RSA1/RSA/DSA) be stored somewhere (~/.ssh/known_hosts, /etc/ssh/ssh_known_hosts) because the public key is used to encrypt messages/session to server.
Note: the server decrypts messages/session information with its private key; this is PKI (public key/private key pair)
###SCP/SFTP - Non-interactive/Interactive file transfer methods - SSH###
scp - non-interactive copies
basic syntax:
1. scp local_file_name user@remotehost:/directory_on_remote_host
2. scp user@remotehost:/path_to_file local_directory(.)
3. scp source destination
ssh remote_host "command"
scp unixCBT_mysql_notes.txt linuxcbtmedial:
SFTP - interactive client (PUTs/GETs)
sftp user@host
sftp root@linuxcbtmedial
###PKI-based (passwordless) logins###
steps to enable passwordless logins:
1. ensure that current user (root) has public key/private key for RSA/DSA under .ssh directory
2. if they do not exist, generate keys using 'ssh-keygen'
3. share keys with desired servers
4. test connectivity to desired remote host
1. no keys exist
2. ssh-keygen -t rsa
3. copy your public key (RSA/DSA) to the desired remote system's ~/.ssh/authorized_keys file
4. execute any ssh operation: i.e. ssh, scp, sftp
Note: default file used for passwordless authentication is: ~/.ssh/authorized_keys
Note: authorized_keys file must contain the entire key on 1 line
Note: you may store your public key in ANY remote user's authorized_keys file
Note: PKI is superior, strength-wise, to passwords
###Forced commands###
Note: used to force clients to execute specific commands, i.e. dd
no-port-forwarding
ssh-rsa