wezel@balaena.UUCP (Jos C. van Wezel) (10/19/88)
Skimming through my sysV manuals I came across the file /etc/issue, in the man pages for getty. However it is only mentioned, no description. I remember seeing somewhere it differentiated between several projects, and then echoed a specific line when getty started. No reasonable file format did the trick however, so I'd like to ask if anyone knows what format to use or else what the file is for.

In my bin/login (I'm on a 3B2, V3.1) after an od I found the path: /etc/dialups. Now this isn't even in the manuals. Again what is it used for, and what is the format. Maybe it's a relic, but there's no means for me to check that out.

I'd be obliged with an answer.

Jos
friedl@vsi.COM (Stephen J. Friedl) (10/20/88)
In article <538@balaena.UUCP>, wezel@balaena.UUCP (Jos C. van Wezel) writes:
> Skimming through my sysV manuals I came across the file /etc/issue, in the
> man pages for getty. However it is only mentioned, no description.

The contents of /etc/issue is printed on the terminal before the login prompt by getty, and there is no specific format for the file. It seems that even though a particular incantation of getty is compiled without /etc/issue support, strings(1) will indicate otherwise (not enough #ifdefs somewhere?).

> In my /bin/login (I'm on a 3B2, V3.1) after an od I found the path:
> /etc/dialups.

Login may be compiled with dialup passwords. If, after the usercode and personal password have passed, the current login port is found in the file /etc/dialups (full pathnames, one per line), then the file /etc/d_passwd is consulted for a per-shell dialup password. It's kind of like /etc/passwd except the first field is the login shell name -- again, the full pathname.

    /usr/lib/uucp/uucico:H/b2sFVwkXsGs:::::
    /bin/sh:9rIqMXKUSczUY:::::
    /bin/tty::::::

Here, /bin/sh and uucico both have different passwords, while the "tty" login has none. If the shell is not found in the file, access is denied. Be sure to keep /etc/d_passwd readable by root only to make it harder for people to poke around.

** PRAISE ON *

Dialup passwords are *fabulous*. Regular passwords are like individual office locks, but dialup passwords are master locks on the front door of the building. If a disgruntled employee leaves, there is no need for a mad rush to have *everybody* change their password at once. In addition, office staff without modems at home don't need to be given the dialup password ("You never know who your secretary is sleeping with", to quote one of my customers). It is much easier to keep control of a single, well-chosen dialup password than to control an office full of "susan1" and "lassie1" passwords.

If your Sys V vendor doesn't provide dialup passwords in /bin/login, *complain* and *demand* them.

Steve

--
Steve Friedl    V-Systems, Inc.    +1 714 545 6442    3B2-kind-of-guy
friedl@vsi.com    {backbones}!vsi.com!friedl    attmail!vsi!friedl
---------Nancy Reagan on the Three Stooges: "Just say Moe"---------
wescott@sauron.Columbia.NCR.COM (Mike Wescott) (10/20/88)
In article <538@balaena.UUCP> wezel@balaena (Jos C. van Wezel) writes:
> Skimming through my sysV manuals I came across the file /etc/issue, in the
> man pages for getty. However it is only mentioned, no description.
> I remember seeing somewhere it differentiated between several projects,
> and then echoed a specific line when getty started.

/etc/getty, if compiled with SYS_NAME defined, will prefix the "login" prompt (that it gets from /etc/gettydefs) with both the nodename (utsname.nodename) and the contents of /etc/issue, if it exists.

A word of caution, if your getty has this option enabled, don't get carried away with /etc/issue. It is not the message-of-the-day. Long /etc/issue files can make life difficult for programs like uucico that try to login using chat scripts.

> In my bin/login (I'm on a 3B2, V3.1) after an od I found the path:
> /etc/dialups. Now this isn't even in the manuals.

/bin/login will, after it has validated a password, check /etc/dialups for a line which begins with the pathname of the device being used. The file looks like this:

    /dev/tty00
    /dev/tty01
    . . .

The device name must begin in the first column and is terminated by any whitespace. Comments could follow the white space, but I've never seen it done that way.

If such a line is found, then /etc/d_passwd is used. The format of /etc/d_passwd consists of lines of colon-terminated fields. The first field has the name of a shell; and the second field is an encrypted password, just like /etc/passwd. For example:

    /bin/sh:RcjqjwrheFnuc:
    /bin/rsh:nufuivsiuhnuc:
    /usr/ucb/csh:sdwjhernNfNUX:
    /usr/lib/uucp/uucico::

If /etc/d_passwd exists, /bin/login looks for a match of the login shell. If the match is found, or if no match is found but an entry for /bin/sh is found, and the password field is not null then the user is prompted "Dialup Password:". Checking the password uses the same algorithm used for the regular password. If it is not correct, /bin/login goes back to the login: prompt and starts all over.

Be careful of your uucp neighbors if you suddenly implement this, you'll probably need to put in a null password for /usr/lib/uucp/uucico.

Security is somewhat enhanced, but since all users with the same shell have the same dialup password the password will be widely known. Other problems arise if the system has chsh. And a cracker can know that he has a valid username and password if he gets the Dialup Password prompt.

By making links to the standard shells, individualization of the dialup password can be accomplished but it's an administrative headache.

Historical note: at one time the prompt was "External Security:"

--
    -Mike Wescott
    mike.wescott@ncrcae.Columbia.NCR.COM
kjk@pbhyf.PacBell.COM (Ken Keirnan) (10/21/88)
In article <538@balaena.UUCP> wezel@balaena (Jos C. van Wezel) writes:
>Skimming through my sysV manuals I came across the file /etc/issue, in the
>man pages for getty. However it is only mentioned, no description.
>I remember seeing somewhere it differentiated between several projects,
>and then echoed a specific line when getty started. No reasonable file
>format did the trick however, so I'd like to ask if anyone knows what
>format to use or else what the file is for.
>In my bin/login (I'm on a 3B2, V3.1) after an od I found the path:
>/etc/dialups. Now this isn't even in the manuals. Again what is it used
>for, and what is the format. Maybe it's a relic, but there's no means for
>me to check that out.
>I'd be obliged with an answer.

Jos, the printing of the contents of an "/etc/issue" file prior to outputting the log on message is a compile time option for the "getty" program. Some vendors supply getty with the code compiled in, some (most?) don't. Speak with your System V vendor about this one.

Many recent versions of the System V "login" program support the (undocumented) dialup password mechanism. Two files are required for implementation of this feature: "/etc/dialups" and "/etc/d_passwd". The first file, /etc/dialups, should contain a list of tty path names associated with dial in lines (one per line in the form: /dev/ttyxx). The second file, /etc/d_passwd, consists of entries similar to those in /etc/passwd, but the first field is the shell name (you can have different passwords for each login shell), the second field is the password, and anything else is comment:

    /bin/sh:<encrypted_password>:optional comments
    /bin/rsh:<encrypted_password>:optional comments

Note that even without the comments, the second colon is *required* for login to parse the line correctly.

Since there is no handy dialup password changing program, the easiest way to create passwords is to change the password for an ordinary user login to the one for the dialup password, then edit the encrypted password into the second field in /etc/d_passwd.

If you want all login shells (whatever their name) to use the same dialup password, the only line required in d_passwd is one for the default shell (usually /bin/sh) used by login. Any other shell not found in d_passwd will then use this default entry.

One more important note. If you have incoming UUCP traffic, you probably *won't* want a dialup password fouling up the works so make sure to include a line in /etc/d_passwd as follows:

    /usr/lib/uucp/uucico::

One last caution. There is a bug in some versions of login that support dialup passwords that causes login to prompt for the dialup password even when there isn't one. In this case, typing just a carriage return in response to the prompt will work, *but*, it will still cause UUCP to fail when logging in. Be sure to test for this bug. If you have source for login, it is an easy fix: at the bottom of the dialpass() routine, change:

    fclose(fp);
    return(gpass("Dialup Password:", defpass));

to:

    fclose(fp);
    if (defpass[0] == '\0')
        return(0);
    return(gpass("Dialup Password:", defpass));

Ken Keirnan

--
Ken Keirnan - Pacific Bell - {att,bellcore,sun,ames,pyramid}!pacbell!pbhyf!kjk
San Ramon, California    kjk@pbhyf.PacBell.COM
marzusch@fbihh.UUCP (Ralph-Diether Marzusch) (10/21/88)
> Skimming through my sysV manuals I came across the file /etc/issue, in the
> man pages for getty. However it is only mentioned, no description.
> I remember seeing somewhere it differentiated between several projects,
> and then echoed a specific line when getty started. No reasonable file
> format did the trick however, so I'd like to ask if anyone knows what
> format to use or else what the file is for.

I'm using System V/AT - there it just outputs the contents of /etc/issue before the 'System name: xxxx' message and the 'login: ' prompt.

> In my bin/login (I'm on a 3B2, V3.1) after an od I found the path:
> /etc/dialups. Now this isn't even in the manuals. Again what is it used
> for, and what is the format. Maybe it's a relic, but there's no means for
> me to check that out.

For any terminal listed in /etc/dialups a secondary password will be requested after the user's password (from /etc/passwd) has been verified. The password is taken from /etc/d_passwd - see the following example:

/etc/dialups:

    /dev/tty0
    /dev/tty1

/etc/d_passwd:

    /usr/lib/uucp/uucico::    # /usr/lib/uucp/uucico: no dialup password
    /bin/rsh:PASSWORD1HERE:   # /bin/rsh: dialup password
    /bin/sh:PASSWORD2HERE:    # /bin/sh: dialup password
    :PASSWORD3HERE:           # shell not specified (defaults to: /bin/sh)
    /usr/lbin/mailbox::       # your mailbox program: no dialup pwd required
    /bin/sh:*:                # anything else: can't login

/etc/passwd:

    ...
    a:PASSWORD HERE:73:100:User A:/usr/users/a:/bin/rsh
    b:PASSWORD HERE:74:100:User B:/usr/users/b:/bin/sh
    c:PASSWORD HERE:75:100:User C:/usr/users/c:
    d:PASSWORD HERE:76:100:User D:/usr/users/d:/usr/lbin/mailbox
    e:PASSWORD HERE:77:100:User E:/usr/users/e:/usr/lbin/mailbox_manager

User A must enter dialup password #1, user B must enter dialup password #2 and user C must enter dialup password #3. User D will not be requested to enter a dialup password. User E will be asked for a dialup password, but there is no password that matches '*' when encrypted, so E can't login on tty0 and tty1.

Please note: the *last* entry for /bin/sh is the default entry for *any* shell not mentioned in this list. The *first* entry for /bin/sh will be applied to /bin/sh itself. If there is only one entry for /bin/sh it is used for /bin/sh and for every shell not mentioned in this list. The entries for /bin/sh and for '' (empty shell field in /bin/passwd) are considered different.

The password must be encrypted the same way the passwords in /etc/passwd are encrypted (see crypt(3) ).

Pretty complicated, isn't it? Have a look at the source of /bin/login, it's worse. But it's a nice (undocumented :-( ) feature.

Ralph-Diether Marzusch

--
UUCP:  marzusch@fbihh.uucp                        | Universitaet Hamburg
       (...!uunet!unido!fbihh!marzusch)           | Fachbereich Informatik
EAN:   marzusch@rz.informatik.uni-hamburg.dbp.de  | Schlueterstr. 70
Phone: +49 40 4123 4163                           | D-2000 Hamburg 13 (W-Germany)
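The lookup that the Wescott, Keirnan and Marzusch posts above describe, as an added example in C; it is not code from the thread or from any vendor's /bin/login. The names is_dialup and dial_lookup, the enum values and the sample file contents are assumptions made for illustration. It follows Wescott's whitespace-terminated device match, Keirnan's required second colon and his empty-password fix, and Marzusch's rule that the last /bin/sh entry is the default for unlisted shells.

```c
#include <stdio.h>
#include <string.h>
enum dial_result { DIAL_NOT_DIALUP, DIAL_NO_PASSWORD, DIAL_PROMPT };
static const char DIALUPS[] = "/dev/tty00\n/dev/tty01 modem\n";  /* constructed */
static const char D_PASSWD[] =                    /* constructed sample */
    "/usr/lib/uucp/uucico::\n"
    "/bin/rsh:PLACEHOLDERHASH1:optional comments\n"
    "/bin/csh:PLACEHOLDERHASH2\n"                 /* no second colon: ignored */
    "/bin/sh:PLACEHOLDERHASH3:\n";

/* 1 if tty begins a line of the dialups text and is ended by whitespace. */
static int is_dialup(const char *dialups, const char *tty)
{
    size_t n = strlen(tty);
    for (const char *p = dialups; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : p)
        if (strncmp(p, tty, n) == 0 && strchr(" \t\n", p[n])) return 1;
    return 0;
}

/* Decide whether to prompt "Dialup Password:"; copies the hash to check. */
enum dial_result dial_lookup(const char *dialups, const char *d_passwd,
        const char *tty, const char *shell, char *hash, size_t hashsz)
{
    char defpass[64] = "";
    if (!is_dialup(dialups, tty)) { hash[0] = '\0'; return DIAL_NOT_DIALUP; }
    for (const char *p = d_passwd; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : p) {
        size_t len = strcspn(p, "\n");
        const char *c1 = memchr(p, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - p)) : NULL;
        if (!c2) continue;                        /* second colon is required */
        size_t nlen = (size_t)(c1 - p), hlen = (size_t)(c2 - c1 - 1);
        if (nlen == strlen(shell) && memcmp(p, shell, nlen) == 0) {
            snprintf(hash, hashsz, "%.*s", (int)hlen, c1 + 1);
            return hash[0] ? DIAL_PROMPT : DIAL_NO_PASSWORD;
        }
        if (nlen == 7 && memcmp(p, "/bin/sh", 7) == 0)    /* default entry */
            snprintf(defpass, sizeof defpass, "%.*s", (int)hlen, c1 + 1);
    }
    snprintf(hash, hashsz, "%s", defpass);        /* shell not listed: default */
    return hash[0] ? DIAL_PROMPT : DIAL_NO_PASSWORD;      /* empty: no prompt */
}

int main(void)
{
    char h[64];
    int r = dial_lookup(DIALUPS, D_PASSWD, "/dev/tty01", "/bin/csh", h, sizeof h);
    printf("result=%d hash=%s\n", r, h);
    return 0;
}
```

The /bin/csh line shows why the second colon matters: without it the entry is skipped and that shell silently falls back to the /bin/sh password.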
guy@auspex.UUCP (Guy Harris) (10/22/88)
>Login may be compiled with dialup passwords.
Umm, from the S5R3 source I've seen, it can't be compiled *without* them....