[comp.unix.i386] passwd -d, dialups and anonymous UUCP. ==> SCO-UNIX

walter@mecky.UUCP (Walter Mecky) (06/27/90)

In article <1990Jun22.133240.14458@ddsw1.MCS.COM> karl@ddsw1.MCS.COM (Karl Denninger) writes:
+ Change /etc/default login as follows:
+ 
+ TIMEZONE=CST6CDT
+ HZ=100
+ ULIMIT=32000
+ #CONSOLE=/dev/console
+ #PASSREQ=YES
+ ALTSHELL=YES
+ 
+ The first commented-out line allows root logins from anywhere (if you have
+ the password), the second makes "no password" accounts available.
+ 
+ Then do a "passwd -d" on the accounts you don't want passwords for.
+ 
+ All done!

Sorry, not in SCO-UNIX. When I login next, I'm asked for a password.
The only (obscure) thing possible with SCO-UNIX is a password of length
zero, i.e. you only have to press <enter> when you are asked for the
password.

My question: If I do _not_ want C2 but an account without password in
SCO-UNIX, how can I get this?
-- 
Walter Mecky
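
[Added example, not part of the original posts: a read-only audit for the configuration quoted above. It treats a commented-out CONSOLE or PASSREQ line as unset, as the quoted instructions describe, and flags accounts whose password field is empty. The function names and the sample files are constructed for illustration; the check assumes passwd- or shadow-format text with the password in the second field.]

```shell
#!/bin/sh
# Audit login defaults and password fields (constructed sample data below).

# Print the active value of KEY ($1) from login-defaults text on stdin.
# "#KEY=value" is a comment, so the setting counts as unset.
login_default() {
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print (val == "" ? "unset" : val) }'
}

# Print login names whose second (password) field is empty.
null_password_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }'
}

# $1 = login defaults file, $2 = passwd- or shadow-format file
audit() {
    passreq=$(login_default PASSREQ < "$1")
    console=$(login_default CONSOLE < "$1")
    empties=$(null_password_accounts < "$2" | tr '\n' ' ')
    if [ "$console" = "unset" ]; then
        echo "WARN: CONSOLE unset: root logins not restricted to the console"
    fi
    if [ "$passreq" != "YES" ] && [ -n "$empties" ]; then
        echo "WARN: PASSREQ=$passreq, empty password field for: $empties"
    fi
}

# Constructed sample files; point audit at real copies to check a system.
tmp=$(mktemp -d)
cat > "$tmp/login" <<'EOF'
TIMEZONE=CST6CDT
HZ=100
ULIMIT=32000
#CONSOLE=/dev/console
#PASSREQ=YES
ALTSHELL=YES
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
nuucp::6:6:Anonymous UUCP:/usr/spool/uucppublic:/usr/lib/uucp/uucico
walter:x:200:50:Walter:/usr/walter:/bin/sh
EOF
audit "$tmp/login" "$tmp/passwd"
rm -rf "$tmp"
```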

michael@fts1.uucp (Michael Richardson) (06/30/90)

In article <651@mecky.UUCP> walter@mecky.UUCP (Walter Mecky) writes:
>In article <1990Jun22.133240.14458@ddsw1.MCS.COM> karl@ddsw1.MCS.COM (Karl Denninger) writes:
>+ #CONSOLE=/dev/console
>+ #PASSREQ=YES
>+ ALTSHELL=YES

  I can, btw, confirm, that this did the trick for me with interactive.
I'm curious now -- what section of the manual did I NOT read that would
have told me this?

>Sorry, not in SCO-UNIX. When I login next, I'm asked for a password.
>The only (obscure) thing possible with SCO-UNIX is a password of length
>zero, i.e. you only have to press <enter> when you are asked for the
>password.

  How about replacing /bin/login? 

>My question: If I do _not_ want C2 but an account without password in
>SCO-UNIX, how can I get this?

  From what I've heard, one CAN'T turn off the C2 stuff in SCO. Is this
correct? It sounds too silly to be true.
  Does the accounting stuff shut off if you run out of space on the
disk containing the log files? Or does the system just stop?

-- 
   :!mcr!:            | < political commentary currently undergoing Senate >
   Michael Richardson | < committee review. Returning next house session.  >
 Play: mcr@julie.UUCP Work: michael@fts1.UUCP Fido: 1:163/109.10 1:163/138
    Amiga----^     - Pay attention only to _MY_ opinions. -   ^--Amiga--^

amull@Morgan.COM (Andrew P. Mullhaupt) (07/02/90)

In article <1990Jun30.062117.15308@fts1.uucp>, michael@fts1.uucp (Michael Richardson) writes:

>   From what I've heard, one CAN'T turn off the C2 stuff in SCO. Is this
> correct? It sounds too silly to be true.
>   Does the accounting stuff shut off if you run out of space on the
> disk containing the log files? Or does the system just stop?

You sure can turn off C2 in SCO UNIX, in fact, unless you have a big
disc, you _better_. (At least I think so - My system was writing
1 Mbyte of accounting per minute when I first installed UNIX. At that
time, I only had about 20 Mbytes of space above all the stuff I had
installed. I found the system started to feel pretty rocky with less
than 5% of the disc space free on the system, so even if it doesn't
lock up on you when you hit bottom, you won't generally want to have
this stuff turned on unless you have disk space to burn.)

You can disable C2 security across the board by using the Relax
option from the sysadmsh menu. This step puts your system into a
more usual UNIX security configuration, but it is not reversible.

Later,
Andrew Mullhaupt

sys0001@dircon.uucp (07/02/90)

In article <1990Jun30.062117.15308@fts1.uucp> michael@fts1.uucp (Michael Richardson) writes:
>In article <651@mecky.UUCP> walter@mecky.UUCP (Walter Mecky) writes:
>>In article <1990Jun22.133240.14458@ddsw1.MCS.COM> karl@ddsw1.MCS.COM (Karl Denninger) writes:
>>+ #CONSOLE=/dev/console
>>+ #PASSREQ=YES
>>+ ALTSHELL=YES
>
>  I can, btw, confirm, that this did the trick for me with interactive.
>I'm curious now -- what section of the manual did I NOT read that would
>have told me this?

To get the PASSREQ facility, you need a supplement called the "C2
Security Supplement". This adds several facilities, including:

* C2-related crash recovery
* Null password support
* New sysadm selections for checking password database consistency
* Home directory management for accounts (I think this allows you to
  have more than one user with the same home dir)
* Ability for users to view their own audit records
* Extra crontab features
* Ability to add groups of Xenix users

It also corrects the following:

* adds goodpw(C)
* dialup password support
 and lots more

In the UK, this supplement is called: unx167. I don't know whether SCO
uses the same supplement names through the world.

>>Sorry, not in SCO-UNIX. When I login next, I'm asked for a password.
>>The only (obscure) thing possible with SCO-UNIX is a password of length
>>zero, i.e. you only have to press <enter> when you are asked for the
>>password.

The above supplement allows logins without passwords being requested.

Regards, Ben Knox
-- 
sys0001@dircon.UUCP   or   sys0001%dircon@ukc.ac.uk

woods@eci386.uucp (Greg A. Woods) (07/05/90)

In article <1159@s8.Morgan.COM> amull@Morgan.COM (Andrew P. Mullhaupt) writes:
> You sure can turn off C2 in SCO UNIX, in fact, unless you have a big
> disc, you _better_.
>[....]
> You can disable C2 security across the board by using the Relax
> option from the sysadmsh menu. This step puts your system into a
> more usual UNIX security configuration, but it is not reversible.

You can *not* turn off C2 security in SCO UNIX, at least I don't think
so.  You certainly can't do it with the "Relax" option in the sysadmsh
junk (also accessible through /usr/lib/sysadm/authsh).  The "Relax"
option does not turn off C2 security, it only relaxes the security
level to a more leisurely, normal, UNIX level (though I don't believe
the "normal" bit).  It does not get rid of the horrid passwd file
maintenance problems, as I found out just now, nor does it replace
/bin/passwd with a normal one, nor does it remove all the other junk
in the kernel and other utilities, nor does it remove the many files
which are the support database for the C2 security stuff, nor does it
put the encrypted passwords back in /etc/shadow.

All I could see that it does is copy /etc/auth/system/default.unix to
/etc/auth/system/default.

You could easily upgrade the security level of your system by copying
/etc/auth/system/default.c2 back to /etc/auth/system/default, but this
is not "reliable", since security may have been compromised while it
was relaxed, and thus it will not truly be restored to the "C2" level.
The warning message in the "Relax" option means nothing more.

Has anyone noticed that running pwunconv breaks /usr/lib/sysadm/authsh
until you run pwconv again?  Has anyone noticed that pwunconv only
does half the job, and does not restore the encrypted passwords back
in their "proper" place?  Has anyone noticed that /etc/shadow, pwconv,
and pwunconv are useless anachronisms on SCO UNIX?

Has anyone found any use for SCO's C2 security features, other than
the fun and excitement of wasting time?

Back to the UUCP bit of the subject line. -- Does anyone know why the
uuinstall script is still in the dark ages?  It doesn't add UUCP
logins to /etc/passwd (for obvious reasons, if you know about SCO's
C2!), nor does it do much else of any use, and in fact it makes a bit
of a mess of the config files.

While SCO did a grand job of porting most of SysVr3.2/386, including
layers (though I didn't test it, and it's not in the sysadmsh kernel
config menu, where "Layers" refers to shl), they still managed to
screw up quite a bit of stuff.  There's still that devil of a
programme 'mkdev'.  And what happened to sysadm and face?  All on the
source tape....

[ Sorry if I'm repeating the complaints of others.  The past 2 hours
  of my time constituted my first experience trying to do the 5 minute
  job of configuring a UUCP connection to an SCO UNIX site.  As a
  result I'm *very* frustrated!  Sorry SCO, but you'll never sell
  another copy to anyone I have influence with (unless they are the
  military, and *require* C2 secure systems). ]

[ PS, I must admit part of the 2 hours was spent trying to learn
  enough about the security stuff to disable it, with only online
  manuals at 1200bps, and a fair bit of ls'ing and find'ing. ]
-- 
						Greg A. Woods

woods@{eci386,gate,robohack,ontmoh,tmsoft}.UUCP
+1-416-443-1734 [h]  +1-416-595-5425 [w]    VE3-TCP	Toronto, Ontario CANADA

gsn@sclcig.uucp (Georg Nikodym) (07/05/90)

In article <1159@s8.Morgan.COM> amull@Morgan.COM (Andrew P. Mullhaupt) writes:
>
>You can disable C2 security across the board by using the Relax
>option from the sysadmsh menu. This step puts your system into a
>more usual UNIX security configuration, but it is not reversible.

This is not entirely true, like the option says, it's relaxing security
but it does not completely turn it off.  Unfortunately, I can't think
of any examples, but SCO UNIX with relaxed security != AT&T SysV/386 3.2.

Oh yeah, here's one.

There are a number of things that have been done underneath the surface that
become visible when programming or building public domain software.  For
example, they (SCO) have added another userid.  Previously, there was
a userid and an effective userid, now there is a login userid, which cannot
be changed.

Please note that I don't have any docs at my fingertips so don't bother
flaming if there are minor discrepancies, also note (and this is to
prevent the sco.com flame) I hear that an updated version is due out
*anytime now* that corrects some of these concerns.
-- 

-----------------------------------------------------------------------------
| Georg S. Nikodym  -  (416) 442-2238                                       |
|                                                                           |
| Southam Business Information and Communications Group, Don Mills, Ontario |
| gsn@sclcig.UUCP -or- ...!uunet!attcan!telly!moore!sclcig!gsn              |
|                                                                           |
| "The floggings will continue until morale improves" -Jose Castel-Branco   |
-----------------------------------------------------------------------------