mferrare@adelphi.ua.oz.au (Mark Ferraretto) (07/10/90)

I want to set up my login procedure to make users use two passwords to login
instead of one.

The problem I have is if I rewrite /bin/login how do I get getty to recognise
my login procedure instead of /bin/login apart from overwriting it (I don't
have sources)? Is rewriting /bin/login the best way to go about this?

Mark Ferraretto
---
-------------------------------------------------------------------------------
| Mark Ferraretto                       |                                     |
| Dept Physics and Mathematical Physics | mferrare@physics.adelaide.edu.au    |
| University of Adelaide                |                                     |
-------------------------------------------------------------------------------

pgd@bbt.se (P.Garbha) (07/10/90)

In article <201@adam.adelaide.edu.au> mferrare@adelphi.ua.oz.au.oz.au (Mark Ferraretto) writes:
>I want to set up my login procedure to make users use two passwords to login
>instead of one.
>
>The problem I have is if I rewrite /bin/login how do I get getty to recognise
>my login procedure instead of /bin/login apart from overwriting it (I don't
>have sources)? Is rewriting /bin/login the best way to go about this?
>

You can get the login.c program from the freed bsd-sources. You have to
customize it a little for your system, but still it is a very much better
basis to start to work from than to write login from scratch.

Xenix allows you to call any other program instead of login, via an entry in
/etc/gettydefs, but I have heard that other systems have not. A "man gettydefs"
should tell you how it is on your system.

I have replaced /etc/login with a customized version of BSD login, and I am
happy with it.

jak@sactoh0.UUCP (Jay A. Konigsberg) (07/11/90)

>In article <201@adam.adelaide.edu.au> mferrare@adelphi.ua.oz.au.oz.au (Mark Ferraretto) writes:
>>I want to set up my login procedure to make users use two passwords to login
>>instead of one.
>>
>>The problem I have is if I rewrite /bin/login how do I get getty to recognise
>>my login procedure instead of /bin/login apart from overwriting it (I don't
>>have sources)? Is rewriting /bin/login the best way to go about this?
>>

A simple solution, if /etc/profile is executed, is to put a second login as
the first command in /etc/profile. This has the added benefit of being able
to exclude some logins from the second password requirement (like uucp
logins). It also allows you to code in shell using crypt(1) (still storing
the passwords encrypted) or in C, your choice.
--
-------------------------------------------------------------
Jay @ SAC-UNIX, Sacramento, Ca.     UUCP=...pacbell!sactoh0!jak
If something is worth doing, it's worth doing correctly.

davidsen@antarctica.crd.GE.COM (william E Davidsen) (07/11/90)

In article <1990Jul10.085137.16179@bbt.se>, pgd@bbt.se (P.Garbha) writes:
|> In article <201@adam.adelaide.edu.au> mferrare@adelphi.ua.oz.au.oz.au (Mark Ferraretto) writes:
|> >I want to set up my login procedure to make users use two passwords to login
|> >instead of one.

We set their startup shell to be a program which asks for a 2nd password (in
another file set mode 600 to root), and then puts the user in only part of
the filesystem using chroot. This is for the seriously paranoid.

dold@mitisft.Convergent.COM (Clarence Dold) (07/11/90)

in article <201@adam.adelaide.edu.au>, mferrare@adelphi.ua.oz.au (Mark Ferraretto) says:
> I want to set up my login procedure to make users use two passwords to login
> instead of one.

******** d_passwd ********

Three steps:

1) See if your version of login supports dialup passwords:

    #strings /bin/login |grep d_pas
    /etc/d_passwd

2) Create a /etc/dialups file containing the name of the tty you want to guard:

    #-r--------   1 root     root         189 Nov 24 08:46 /etc/dialups
    /dev/tty500
    # /etc/dialups will contain all of the devices that
    # **might** present Dialup Password, depending on
    # entries in /etc/d_passwd.

3) Create a /etc/d_passwd controlling all possible login shells:

    #-r--------   1 root     root         368 Nov 24 08:45 /etc/d_passwd
    # /etc/d_passwd contains all 'initial programs' allowed
    # when invoked on a line specified in /etc/dialups
    # /bin/sh:13characterEncryption:
    # The encrypted password is drawn over via grep after applying
    # /bin/passwd to a superfluous entry in /etc/passwd.
    /bin/sh:JUNK:                  No login possible
    /bin/ksh:skLrmQZO73Y4K:        Password required on ksh login
    /bin/rsh::                     No password required on 'guest' rsh login
    # A line to allow uucp entry with no password:
    /usr/lib/uucp/uucico::
    # Use links to different shell names to cause certain login ids
    # to require Dialup password, while other logins using the same
    # shell with a different name don't need a password.
--
---
Clarence A Dold - dold@tsmiti.Convergent.COM          (408) 435-5293
                  ...pyramid!ctnews!tsmiti!dold      FAX (408) 435-3105
                  P.O.Box 6685, San Jose, CA 95150-6685        MS#10-007

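The three-step setup above, as an added example that is not from Dold's post: a shell script that applies the /etc/dialups and /etc/d_passwd rules to constructed copies of both files and reports, per shell and tty, whether login is open, password-free, password-protected or impossible. It assumes, as System V login does, that a shell without its own d_passwd line falls back to the /bin/sh entry, and that a valid field is a classic 13-character crypt(3) hash like the one in the post.

```shell
#!/bin/sh
# Added example: reproduce the decision System V login makes from
# /etc/dialups and /etc/d_passwd, against constructed copies of both files.
DIALUPS=$(mktemp) && D_PASSWD=$(mktemp)
trap 'rm -f "$DIALUPS" "$D_PASSWD"' EXIT
printf '%s\n' /dev/tty500 /dev/tty501 >"$DIALUPS"   # guarded lines (constructed)
cat >"$D_PASSWD" <<'EOF'
/bin/sh:JUNK:
/bin/ksh:skLrmQZO73Y4K:
/bin/rsh::
/usr/lib/uucp/uucico::
EOF

# d_passwd_field SHELL -> "hit:<password field>" for SHELL's line, empty if absent
d_passwd_field() {
    awk -F: -v s="$1" '$1 == s { print "hit:" $2; exit }' "$D_PASSWD"
}

# dialup_policy TTY SHELL -> open | nopass | required | locked
#   open     TTY is not in /etc/dialups, so no dialup password is asked
#   nopass   the entry's password field is empty (rsh and uucico above)
#   required a classic 13-character crypt(3) hash is present
#   locked   the field can never equal crypt(3) output (the /bin/sh:JUNK
#            line), so that shell cannot log in on a guarded line at all
dialup_policy() {
    tty=$1 shell=$2
    grep -qxF -- "$tty" "$DIALUPS" || { echo open; return 0; }
    entry=$(d_passwd_field "$shell")
    # Assumption, matching System V login: a shell without its own line
    # falls back to the /bin/sh entry.
    [ -n "$entry" ] || entry=$(d_passwd_field /bin/sh)
    [ -n "$entry" ] || { echo open; return 0; }   # no entry at all: nothing to ask
    hash=${entry#hit:}
    case $hash in
        "") echo nopass ;;
        *[!./0-9A-Za-z]*) echo locked ;;           # outside the crypt(3) alphabet
        *) [ ${#hash} -eq 13 ] && echo required || echo locked ;;
    esac
}

# Walk the shells from the post over a guarded and an unguarded line.
for s in /bin/sh /bin/ksh /bin/rsh /usr/lib/uucp/uucico /bin/csh; do
    printf '%-22s tty500=%-8s tty9=%s\n' "$s" \
        "$(dialup_policy /dev/tty500 "$s")" "$(dialup_policy /dev/tty9 "$s")"
done
```

/bin/csh is not in the constructed d_passwd, so it inherits the /bin/sh line and is reported as locked on the guarded tty.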
ag@cbmvax.commodore.com (Keith Gabryelski) (07/12/90)

In article <3502@sactoh0.UUCP> jak@sactoh0.UUCP (Jay A. Konigsberg) writes:
>In article <201@adam.adelaide.edu.au> mferrare@adelphi.ua.oz.au.oz.au (Mark Ferraretto) writes:
>>I want to set up my login procedure to make users use two passwords
>>to login instead of one.
>>
>>The problem I have is if I rewrite /bin/login how do I get getty to
>>recognise my login procedure instead of /bin/login apart from
>>overwriting it (I don't have sources)? Is rewriting /bin/login the
>>best way to go about this?
>
>A simple solution, if /etc/profile is executed, is to put a second
>login as the first command in /etc/profile.

A user could hit the interrupt key before the first line in /etc/profile
is executed and thus bypass your second attempt at security.

A better way would be to replace the login shell of the user with your
own program that does The Right Thing.

Pax, Keith

ron@vpnet.chi.il.us (Ron Winograd) (07/12/90)

Well, the easiest way I can think of is to use login's dialup password.
Although it is called a "dialup" password, you can use it on any device.
At least, you can on System V unix...

If you need help setting it up, email me

-Ron
-----------------------------------------------------------------------------
|Ron Winograd   | I have no witty, funny or otherwise intelligent thing to   |
|ron@           | say here, so I guess I am just filling space. I don't even |
|vpnet.chi.il.us| need a stupid disclaimer, cause I don't work for anyone,   |
|<empty space>  | so I have nothing to disclaim. Now if you are reading this,|
|<empty space>  | then you are wasting time. There is better stuff to read!  |
-----------------------------------------------------------------------------

ram@attcan.UUCP (Richard Meesters) (07/12/90)

In article <13152@cbmvax.commodore.com>, ag@cbmvax.commodore.com (Keith Gabryelski) writes:
| In article <3502@sactoh0.UUCP> jak@sactoh0.UUCP (Jay A. Konigsberg) writes:
| >In article <201@adam.adelaide.edu.au> mferrare@adelphi.ua.oz.au.oz.au
| (Mark Ferraretto) writes:
| >>I want to set up my login procedure to make users use two passwords
| >>to login instead of one.
| >>
| >>The problem I have is if I rewrite /bin/login how do I get getty to
| >>recognise my login procedure instead of /bin/login apart from
| >>overwriting it (I don't have sources)? Is rewriting /bin/login the
| >>best way to go about this?
| >
| >A simple solution, if /etc/profile is executed, is to put a second
| >login as the first command in /etc/profile.
|
| A user could hit the interrupt key before the first line in /etc/profile
| is executed and thus bypass your second attempt at security.
|
| A better way would be to replace the login shell of the user with your
| own program that does The Right Thing.

I think though, if you set a trap in your .profile, you can keep people from
bypassing the second login.

If you're running System V UNIX, a simpler solution exists. You can create a
dialup password. I'm not sure of exactly which versions and flavours of *NIX
this will work on (the docs are at work, and it's too late to go and get
them), but if you want an explanation, drop me an e-mail and I'll see what I
can dig up.

Incidentally, I'm running with this particular option on my 3B2 and it works
fairly well. Normal login procedure is to enter username, password and then
the dialup password. The dialup password is only set to work on specific
ports, and with specific programs (eg login but not uucico).

Regards,
------------------------------------------------------------------------------
Richard A Meesters               |
Technical Support Specialist     | Insert std.logo here
AT&T Canada                      |
                                 | "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters   |  to mind...clean up your act"
UUCP:    ...att!attcan!ram       |
------------------------------------------------------------------------------

Sm@bhpese.oz.au (Scott Merrilees) (07/12/90)

mferrare@adelphi.ua.oz.au (Mark Ferraretto) writes:
>I want to set up my login procedure to make users use two passwords to login
>instead of one.
>
>The problem I have is if I rewrite /bin/login how do I get getty to recognise
>my login procedure instead of /bin/login apart from overwriting it (I don't
>have sources)? Is rewriting /bin/login the best way to go about this?

If you are using System V, you could try making all lines dialup & setting
the dialup password, or, alternatively, if you are seriously paranoid, using
the sublogin system.

The sublogin system (or whatever it is called) works by putting a * in the
shell field of the passwd file for the user, then login does a chroot to the
directory field, and then runs login again. See login(1), and maybe other
manuals as well.

Sm
--
Scott Merrilees, BHP Information Technology, Newcastle, Australia
Internet: Sm@bhpese.oz.au        Phone: +61 49 402132

jak@sactoh0.UUCP (Jay A. Konigsberg) (07/13/90)

In article <13152@cbmvax.commodore.com> ag@cbmvax (Keith Gabryelski) writes:
>>>I want to set up my login procedure to make users use two passwords
>>>to login instead of one.
>>>
>>
>>A simple solution, if /etc/profile is executed, is to put a second
>>login as the first command in /etc/profile.
>
>A user could hit the interrupt key before the first line in /etc/profile
>is executed and thus bypass your second attempt at security.
>

No. That is what the trap command at the beginning of /etc/profile is for.
If it reads:

    trap "exit" 2 3

then hitting the 'break' key will return them to a login.

>A better way would be to replace the login shell of the user with your
>own program that does The Right Thing.
>

The Right Thing? You are assuming the user wants this to be a C program and
has the time to set it up. The "Right" solution is the one that will solve
the person's problem in the most straightforward manner. Much of the time
this will involve the use of the shell.

Administrators are not programmers (most of the time anyway). Writing a C
program to accept a secondary password may not be beyond your skills or
mine, but it could easily be more than an average administrator would want
to do.

KISS! (Keep It Simple S_____)
--
-------------------------------------------------------------
Jay @ SAC-UNIX, Sacramento, Ca.     UUCP=...pacbell!sactoh0!jak
If something is worth doing, it's worth doing correctly.

peter@ficc.ferranti.com (Peter da Silva) (07/14/90)

In article <3513@sactoh0.UUCP> jak@sactoh0.UUCP (Jay A. Konigsberg) writes:
> No. That is what the trap command at the beginning of /etc/profile is
> for. If it reads:
>     trap "exit" 2 3
> then hitting the 'break' key will return them to a login.

Unless they get in before the trap executes. It's a narrow window, but it's
still there. And on a heavily loaded system it's not even that hard to hit.
--
Peter da Silva.   `-_-'
+1 713 274 5180.  <peter@ficc.ferranti.com>

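The /etc/profile approach from Konigsberg's posts, with the trap he describes and the window da Silva points out, as an added example that is not from either post: sha256sum (shasum as fallback) stands in for crypt(1), and SALT, STORED_HASH, EXEMPT_LOGINS and the /etc/second_passwd file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a second-password gate as the first thing /etc/profile runs,
# built as the thread describes (trap first, exemptions for uucp-style logins,
# only a hash stored). sha256sum stands in for crypt(1) here for portability.

# The trap must be the first statement: the interrupt window then lasts only
# as long as the shell takes to reach this line, which is small but never zero.
trap 'exit 1' 2 3

EXEMPT_LOGINS="uucp nuucp"        # logins that skip the second password

# Constructed secret store. In use, SALT and STORED_HASH would be read from a
# root-owned mode 600 file (say /etc/second_passwd, a hypothetical name).
SALT="c0nstructed-salt"
hash_pw() {   # hash_pw SALT PASSWORD -> hex digest, never the plaintext
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
    else
        printf '%s:%s' "$1" "$2" | shasum -a 256 | cut -d' ' -f1
    fi
}
STORED_HASH=$(hash_pw "$SALT" "letmein")     # constructed sample secret

is_exempt() {   # is_exempt LOGIN -> 0 if LOGIN is listed in EXEMPT_LOGINS
    for l in $EXEMPT_LOGINS; do [ "$l" = "$1" ] && return 0; done
    return 1
}

check_second_password() {   # check_second_password LOGIN PASSWORD -> 0 ok, 1 reject
    is_exempt "$1" && return 0
    [ "$(hash_pw "$SALT" "$2")" = "$STORED_HASH" ]
}

second_login() {   # second_login LOGIN: one prompt on the terminal, echo off
    is_exempt "$1" && return 0
    printf 'Second password: '
    stty -echo 2>/dev/null || true
    read -r pw
    stty echo 2>/dev/null || true
    echo
    check_second_password "$1" "$pw"
}

# In /etc/profile the gate is the line:  second_login "$LOGNAME" || exit 1
```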
pwendt@neon.UUCP (Patrick Wendt) (07/17/90)

pgd@bbt.se (P.Garbha) writes:
>You can get the login.c program from the freed bsd-sources.
[...]
>I have replaced /etc/login with a customized version of BSD login, and
>I am happy with it.

If you HAVE got the sources of the BSD login.c, and if it is a free source
code and even not too long, would you be so kind to post it to the net,
'cause I'm also interested in the sources ...!!!

Thanx ... Pat !
--
-----------------------------------------------------------------------------
- Domain: root@chamber.UUCP ; QNX-OS ; Patrick Wendt, Berlin (WEST) Germany -
- Bang .: ..!ira.uka.de!smurf!gopnbg!tmpmbx!einoed!utopia!neon!chamber!root -
-----------------------------------------------------------------------------