[unix-pc.general] /etc/pwcntl on the 3B1

ignatz@chinet.chi.il.us (Dave Ihnat) (12/03/88)

Before I waste my time re-inventing the wheel, I guess I'll ask here.  There's
a file in /etc called 'pwcntl'; it's certainly referenced by /bin/login, and in
/usr/bin/Ulogin.  A casual dump indicates it may be the 3B1 version of a
lastlog analog, but I've not found any documentation on it, nor does it
appear to be referenced anywhere in /usr/include or /usr/include/sys.

Has someone else taken this file apart?  If not, it shouldn't be too
outrageous, but I'd prefer not to duplicate effort. 

	Thanks,

		Dave Ihnat
		ignatz@homebru.chi.il.us

ditto@cbmvax.UUCP (Michael "Ford" Ditto) (12/06/88)

In article <7059@chinet.chi.il.us> ignatz@chinet.chi.il.us (Dave Ihnat) writes:
>Before I waste my time re-inventing the wheel, I guess I'll ask here.
 [ ... ]
>Has someone else taken this file apart?  If not, it shouldn't be too
>outrageous, but I'd prefer not to duplicate effort. 

When I first looked at this file a long time ago, I was under the
impression that it only recorded failed login attempts, but since it
was definitely modified when I logged in just now, I guess I was
wrong.  It definitely does record unsuccessful attempts, though;
even unknown login names.

Here's what I've been able to figure out from the file itself:

	struct pwcntl
	{
	    char name[8];	/* name entered at login: */
	    int uid;		/* seems to be garbage for failed logins */
	    char flag;		/* always 'Y' or 'N', what does it mean? */
	    /* char pad; */
	    long last_login;	/* last login attempt */
	    long first_login;	/* time when this entry was created */
	    long unknown;	/* always zero, what does it mean? */
	}; /* 26 bytes total */

Has anyone ever seen this file on anything other than a Unix PC?
Anyone with further observations/conclusions, please post!
-- 
					-=] Ford [=-

"The number of Unix installations	(In Real Life:  Mike Ditto)
has grown to 10, with more expected."	ford@kenobi.cts.com
- The Unix Programmer's Manual,		...!sdcsvax!crash!elgar!ford
  2nd Edition, June, 1972.		ditto@cbmvax.commodore.com

dwex@mtgzz.att.com (d.e.wexelblat) (12/07/88)

In article <5439@cbmvax.UUCP> ditto@cbmvax.UUCP (Michael "Ford" Ditto) writes:
>In article <7059@chinet.chi.il.us> ignatz@chinet.chi.il.us (Dave Ihnat) writes:
>>Before I waste my time re-inventing the wheel, I guess I'll ask here.
> [ ... ]
>>Has someone else taken this file apart?  If not, it shouldn't be too
>>outrageous, but I'd prefer not to duplicate effort. 
>
 [ ... ]
>
>	struct pwcntl
>	{
>	    char name[8];	/* name entered at login: */
>	    int uid;		/* seems to be garbage for failed logins */
>	    char flag;		/* always 'Y' or 'N', what does it mean? */
>	    /* char pad; */
>	    long last_login;	/* last login attempt */
>	    long first_login;	/* time when this entry was created */
>	    long unknown;	/* always zero, what does it mean? */
>	}; /* 26 bytes total */
>
>Has anyone ever seen this file on anything other than a Unix PC?
>Anyone with further observations/conclusions, please post!
>-- 
>					-=] Ford [=-
>
>"The number of Unix installations	(In Real Life:  Mike Ditto)
>has grown to 10, with more expected."	ford@kenobi.cts.com
>- The Unix Programmer's Manual,		...!sdcsvax!crash!elgar!ford
>  2nd Edition, June, 1972.		ditto@cbmvax.commodore.com


This file is used by the 'install' user's 'add user' (or whatever it's
called) command.  The flag field is for the 'EXPERT' flag (shows up on
the menu).  The first_login field will be zero if the user is created through
the menu, and gets set when the user first logs in.  The unknown field
is (I think) the disk space used by that user, and gets filled in when you
tell UA to run whatever to find disk usage (this also shows up on the
add user menu).  I decoded this file a while ago, since I needed to write
a script to create a bunch of users, but still have things look OK to UA.
If UA isn't used, I don't think this file is necessary, or relevant.


--David Wexelblat			dwex@mtgzz.att.com
  AT&T Bell Laboratories		...!att!mtgzz!dwex
  200 Laurel Ave - 4B-421
  Middletown, NJ 07748



jbm@uncle.UUCP (John B. Milton) (12/08/88)

In article <5439@cbmvax.UUCP> ditto@cbmvax.UUCP (Michael "Ford" Ditto) writes:
>In article <7059@chinet.chi.il.us> ignatz@chinet.chi.il.us (Dave Ihnat) writes:
>>Before I waste my time re-inventing the wheel, I guess I'll ask here.
> [ ... ]
>>Has someone else taken this file apart?  If not, it shouldn't be too
>>outrageous, but I'd prefer not to duplicate effort. 
>
>When I first looked at this file a long time ago, I was under the
>impression that it only recorded failed login attempts, but since it
>was definitely modified when I logged in just now, I guess I was
>wrong.  It definitely does record unsuccessful attempts, though;
>even unknown login names.
>
>Here's what I've been able to figure out from the file itself:
>
>	struct pwcntl
>	{
>	    char name[8];	/* name entered at login: */
>	    int uid;		/* seems to be garbage for failed logins */
>	    char flag;		/* always 'Y' or 'N', what does it mean? */
>	    /* char pad; */
>	    long last_login;	/* last login attempt */
>	    long first_login;	/* time when this entry was created */
>	    long unknown;	/* always zero, what does it mean? */
>	}; /* 26 bytes total */
>
>Has anyone ever seen this file on anything other than a Unix PC?
>Anyone with further observations/conclusions, please post!

No, I have not seen this file on any other UNIX system. I think it was created
especially for the UNIXpc. The major use for this file is maintaining users
through the Ulogin program, which is run by the administration window stuff.

The "flag" field is the "expert user" flag, from Ulogin. The unknown field is
the "Space" field from the Ulogin screen, which shows disk space usage of each
user. Unfortunately, it is only used internally by Ulogin, and so does not
reflect values outside Ulogin. I think they intended to do more with this
field, but never got around to it. The "pad" field seems to be just that. I
can't find any reference to it in either login or Ulogin. It is probably some
other kind of flag like the expert flag that never got used.

If a user has been created by hand (not with Ulogin), an entry will be created
the first time the user is logged in. If a user is created with Ulogin, the
create time is set to then, with the first login set to 0. Every time a user
name is entered into login, pwcntl is updated BEFORE the password is CHECKED.
Thus, ALL login attempts are recorded. For those of you who have a lot of
public access, some of the attempts will be quite interesting. This makes pwcntl
a good place to look for break-in attempts. A lot of typos and line noise
"names" get entered here too.

NOTE: If you run Ulogin stand-alone from the shell, be warned:
It sends a "^[[=0w", which disables autowrap; send "^[[=1w" to turn it back on.

If somebody whips up a util for dumping pwcntl, post it to unix-pc.sources

John
-- 
John Bly Milton IV, jbm@uncle.UUCP, n8emr!uncle!jbm@osu-cis.cis.ohio-state.edu
(614) h:294-4823, w:764-2933;  Got any good 74LS503 circuits?

bms@mitisft.Convergent.COM (Bruce Schlobohm) (12/09/88)

In article <5439@cbmvax.UUCP>, ditto@cbmvax.UUCP (Michael "Ford" Ditto) writes:
> 
> When I first looked at this file a long time ago, I was under the
> impression that it only recorded failed login attempts, but since it
> was definitely modified when I logged in just now, I guess I was
> wrong.  It definitely does record unsuccessful attempts, though;
> even unknown login names.
> [...]
> Has anyone ever seen this file on anything other than a Unix PC?
> Anyone with further observations/conclusions, please post!

Info on pwcntl as I see it:

struct  pwrec {
	char logon[8];		/* user name from login arg1 */
	int uid;		/* uid from /etc/passwd */
	char expert;		/* Y/N flag for expert mode */
	char flg;		/* unused (pad) */
	time_t timeon;		/* time of most recent login */
	time_t timecr;		/* time of first login */
	long space;		/* disk space used in blocks,
				 * only used in Ulogin after Compute Space
				 * has been selected.
				 */
};

login writes records, Ulogin reads them and updates the expert flag,
upon request, but never writes the disk space info back to the file.
The information you see in the menu "User Login Interface" (Ulogin),
comes from pwcntl.  In my brief search, I didn't find any other programs
which make use of the file, and this is definitely not a feature from CTIX.

The purpose of the file seems to be the groundwork for the ua to control
who can be an "expert", but this feature doesn't seem to be fully implemented,
at least not on my UNIXPC.  (Changing Expert= in ~/Environment seems to be
all that ua needs to turn on/off Expert Mode.)

As far as failed logins, this seems to be more of a quirk than a feature.
If you type a nonexistent login name at getty, hit return for the password,
then log in with a valid login name/passwd, a record is written with
the nonexistent login name, as though it were a valid (new) user.  However,
if you fail the login completely, and let login timeout (60 seconds),
no record is written to pwcntl.  So this isn't a reliable way of tracking
failed login attempts.
-- 
Bruce Schlobohm
bms@Convergent.COM -or- {pyramid,sri-unix,pacbell}!ctnews!bms

jr@amanue.UUCP (Jim Rosenberg) (12/12/88)

In article <440@uncle.UUCP> jbm@uncle.UUCP (John B. Milton) writes:
>For those of you who have a lot of
>public access, some of the attempts will be quite interesting. This makes pwcntl
>a good place to look for break-in attempts. A lot of typos and line noise
>"names" get entered here too.

Aaaaaaaarghhhhhhhhhh!!!!

Until this discussion I'd never taken a look at /etc/pwcntl.  When I did I
nearly had a heart attack!  On my system it was completely public.  An od -c on
this file revealed something in plain text that you don't wanna have
*ANYWHERE*.  Hint:  Have you ever by mistake typed your password to the login:
prompt?  Of course, all UNIX users should be warned that typing your password
to the login prompt can broadcast it; any user who might be doing a ps -fe at
the time could see it.  (Not on the 3b1, actually, since ps -fe on the 3b1
doesn't do the right thing.  [Dammit!])  Little did I know that this gaffe
leaves a PERMANENT record.  A [formerly] public permanent record!  I wasn't
concerned that I might have compromised a password because I knew at the time
I was the only user of the system.

To all 3b1/7300 users:  take a look at this doggoned file *TODAY*.  You might
find YOUR OWN PASSWORD (or worse!) staring you in the face.

Yet another thing to add to the list of security problems on the 3b1.
-- 
 Jim Rosenberg
     CIS: 71515,124                         decvax!idis! \
     WELL: jer                                   allegra! ---- pitt!amanue!jr
     BIX: jrosenberg                  uunet!cmcl2!cadre! /
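
Added example (not code from any poster in this thread): a decoder for the 26-byte record layout posted above, plus a count of entries that match no known account, which are the ones the thread says may be typos, line noise or a mistyped password. It assumes 4-byte big-endian integers as on the 3B1's 68010; `SAMPLE`, `pwrec_decode` and `pwcntl_count_unknown` are illustrative names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PWREC_SIZE 26u /* 8 + 4 + 1 + 1 + 4 + 4 + 4, the size given in the thread */
struct pwrec {
    char logon[9]; /* 8 bytes on disk, NUL-terminated here */
    char expert;   /* 'Y' or 'N' */
    uint32_t uid, timeon, timecr, space;
};
/* Constructed sample image: "root", then a line-noise name with a junk uid. */
static const unsigned char SAMPLE[2 * PWREC_SIZE] = {
    'r','o','o','t',0,0,0,0, 0,0,0,0, 'Y',0, 0x23,0x9A,0x6C,0, 0x23,0,0,0, 0,0,0,0,
    'x','}','q','q',0,0,0,0, 0,0,0x12,0x34, 'N',0, 0x23,0x9A,0x70,0, 0x23,0x9A,0x70,0, 0,0,0,0,
};
/* Assumption: 4-byte big-endian integers, as on the 3B1's 68010. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Decode record idx of a pwcntl image; returns -1 past the last whole record. */
int pwrec_decode(const unsigned char *buf, size_t len, size_t idx, struct pwrec *r) {
    if (len < PWREC_SIZE || idx > (len - PWREC_SIZE) / PWREC_SIZE)
        return -1;
    const unsigned char *p = buf + idx * PWREC_SIZE;
    memcpy(r->logon, p, 8);
    r->logon[8] = '\0';
    r->uid = be32(p + 8);
    r->expert = (char)p[12]; /* p[13] is the unused pad byte */
    r->timeon = be32(p + 14);
    r->timecr = be32(p + 18);
    r->space = be32(p + 22);
    return 0;
}
/* Count entries that name no known account; the names are never printed. */
size_t pwcntl_count_unknown(const unsigned char *buf, size_t len,
                            const char *const *known, size_t nknown) {
    struct pwrec r;
    size_t i, k, unknown = 0;
    for (i = 0; pwrec_decode(buf, len, i, &r) == 0; i++) {
        for (k = 0; k < nknown && strcmp(r.logon, known[k]) != 0; k++) {}
        unknown += (k == nknown);
    }
    return unknown;
}

int main(void) {
    const char *const known[] = { "root" }; /* stands in for /etc/passwd names */
    printf("%zu unknown\n", pwcntl_count_unknown(SAMPLE, sizeof SAMPLE, known, 1));
    return 0;
}
```

A nonzero count on a real file is a reason to check the file's mode and clear the stray entries, since the thread reports the file being world-readable.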

ignatz@chinet.chi.il.us (Dave Ihnat) (12/14/88)

There's a reason I asked if anyone had the pwcntl information.  After I got
it (many thanks to net respondents), I spent about 4 hours last Sunday writing
a utility to allow manipulation of this file; in particular, it can now be
used to detect valid login activity (or inactivity) or failed login entries.

The program provides the capability for an interactive examination, or
examination and correction, session (full-screen)--in particular, this will
allow you to correct invalid UIDs (reconciled from the /etc/passwd file, not
the keyboard); delete (or, until the end of the session, undelete) entries
(allows cleanup of failed login attempts); recalculate the space used on a per-
entry basis while interactive, or a batch basis; provide a print listing of
either all entries, or only bad ones (i.e., bad login or bad UID values).

All the listed features have passed a series of tests by myself; all I've left
to do is add some sorting options for the dump option (sort by date, sort by
login name, I think should do it), and write the man page.  Expect this in the
next couple of days.  (That is, if anyone really is interested...)

	-Dave Ihnat
	 Analysts International Corp.
	 ignatz@homebru.chi.il.us