todd@narnia.ecs.rpi.edu (R. Lindsay Todd) (01/19/91)
Hi -- I need to provide an alternate login program on my RS6000's (to provide Kerberos authentication for AFS). However, simply replacing /bin/login with another version doesn't work. Upon further study, I noticed that /bin/login is a hard link to /etc/getty and /etc/tsm; it also became clear the /etc/getty takes care of authentication itself!

Now, /etc/security/login.cfg and /etc/security/user seem to have some hooks for providing alternative authentication methods. However, my CD-ROM wears a bit thin in this area. Has anyone successfully used these hooks to provide an alternative login mechanism?

Is there any other way I could use a substitute login program?

--
R. Lindsay Todd, Systems Programmer
ECS, Rensselaer Polytechnic Institute, Troy, NY 12180-3590
Internet: todd@narnia.ecs.rpi.edu

root@caen.engin.umich.edu (Rooty toot toot) (01/19/91)
In article <9T4^9=-@rpi.edu> todd@narnia.ecs.rpi.edu (R. Lindsay Todd) writes:
>
>Hi -- I need to provide an alternate login program on my RS6000's
>(to provide Kerberos authentication for AFS). However, simply
>replacing /bin/login with another version doesn't work. Upon
>further study, I noticed that /bin/login is a hard link to /etc/getty
>and /etc/tsm; it also became clear the /etc/getty takes care of
>authentication itself!

We too wish to modify our /bin/login for Kerberos authentication purposes. Various folks here at the university as well as from Transarc Corp. have been trying to get the source from IBM in order to modify it. Apparently the RS/6000s do not use /bin/login as most other unix machines do. Additionally, your problems don't end there. According to Transarc, telnetd must be modified too. For now we are waiting patiently to get our hot little hands on the source so that we may hack it.

>Now, /etc/security/login.cfg and /etc/security/user seem to have some
>hooks for providing alternative authentication methods. However, my
>CD-ROM wears a bit thin in this area. Has anyone successfully used
>these hooks to provide an alternative login mechanism?

I looked at the alternative authentication methods too. The big problem I saw was that there was no way to trap the password from the system login to use in any of the alternate authentication methods. If anyone knows how to do this, please tell us!

>Is there any other way I could use a substitute login program?

The only way I know of is to arrange to obtain the source from IBM. If you find another way, please post.

>R. Lindsay Todd, Systems Programmer
>ECS, Rensselaer Polytechnic Institute, Troy, NY 12180-3590
>Internet: todd@narnia.ecs.rpi.edu

Wendy Ross                            internet: wross@caen.engin.umich.edu
Computer Aided Engineering Network    bitnet: try Wendy_Ross@umichub.bitnet
University of Michigan                <insert amusing quip here>

jfh@greenber.austin.ibm.com (John F Haugh II) (01/23/91)
In article <9T4^9=-@rpi.edu> todd@narnia.ecs.rpi.edu (R. Lindsay Todd) writes:
>Now, /etc/security/login.cfg and /etc/security/user seem to have some
>hooks for providing alternative authentication methods. However, my
>CD-ROM wears a bit thin in this area. Has anyone successfully used
>these hooks to provide an alternative login mechanism?

The /etc/security/user file contains two fields, auth1 and auth2, which can be used to configure the authentication process very finely. The default "auth1" value is "SYSTEM", which is a built-in method which performs the usual "prompt for Password: and compare against encrypted version" authentication.

If you replace "auth1 = SYSTEM" with something like "auth1 = KERBEROS" you will have to add a "KERBEROS" stanza to /etc/security/login.cfg. For this example, assume a program "/etc/kerberos_auth" which takes a user ID as an argument, does some processing based on that argument, and exits with zero for success, and non-zero otherwise. Assume that the user "bob" exists and will be authenticated using the built-in method as well as the "KERBEROS" method.

Start by changing bob's "auth1" attribute with the command "chuser auth1=SYSTEM,KERBEROS bob". Then manually edit the /etc/security/login.cfg adding the stanza

--
KERBEROS:
        program = /etc/kerberos_auth
--

After bob enters his password, the second program will be executed as "/etc/kerberos_auth bob". It is up to that program to get the Kerberos tickets, etc, and exit with 0 if the user is properly authenticated, and non-zero otherwise.

--
John F. Haugh II      | I've Been Moved | MaBellNet: (512) 838-4340
SneakerNet: 809/1D064 |     AGAIN !     | VNET: LCCB386 at AUSVMQ
BangNet: ..!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)

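The auth-method contract described in the post above (one user-ID argument, exit 0 for success, non-zero otherwise), sketched as an added example that is not part of the original thread and is not IBM's or Transarc's code. The realm, the verifier path, the name-length limit and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): skeleton for /etc/kerberos_auth, wired in with
#   chuser auth1=SYSTEM,KERBEROS bob
#   KERBEROS:
#           program = /etc/kerberos_auth     (stanza in /etc/security/login.cfg)
# login then runs "/etc/kerberos_auth bob"; exit 0 means authenticated.

REALM="EXAMPLE.REALM"            # placeholder realm (assumption)
VERIFIER="/usr/local/bin/kinit"  # placeholder path to a kinit-style command (assumption)
MAX_LEN=8                        # assumed login-name length limit

# valid_user NAME: allow only a conservative login-name alphabet.
# A leading "-" is refused so the name can never be read as an option.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le "$MAX_LEN" ]
}

# auth_method VERIFIER ARGS...: ARGS are the arguments login passed.
# Only the user ID arrives, never the password typed at the SYSTEM prompt,
# so the verifier has to obtain its own credential (kinit prompts for one).
# Returns 0 only when the verifier succeeds; every other path fails closed.
auth_method() {
    verifier=$1
    shift
    [ "$#" -eq 1 ] || return 2      # exactly one argument: the user ID
    valid_user "$1" || return 3     # reject malformed names before use
    if "$verifier" "$1@$REALM"; then
        return 0
    fi
    return 1                        # any verifier failure is a denial
}

# Run only when installed under the name the stanza points at.
case "${0##*/}" in
    kerberos_auth)
        auth_method "$VERIFIER" "$@"
        exit $?
        ;;
esac
```

Because the method is listed after SYSTEM in auth1, a non-zero exit here denies the login even when the local password was correct, so a missing or broken verifier locks the user out rather than letting them in.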
robin@batcomp.austin.ibm.com (Robin D. Wilson) (01/24/91)
In article <9T4^9=-@rpi.edu> todd@narnia.ecs.rpi.edu (R. Lindsay Todd) writes:
>
>Hi -- I need to provide an alternate login program on my RS6000's
>(to provide Kerberos authentication for AFS). However, simply
>replacing /bin/login with another version doesn't work. Upon
>further study, I noticed that /bin/login is a hard link to /etc/getty
>and /etc/tsm; it also became clear the /etc/getty takes care of
>authentication itself!
>
>Now, /etc/security/login.cfg and /etc/security/user seem to have some
>hooks for providing alternative authentication methods. However, my
>CD-ROM wears a bit thin in this area. Has anyone successfully used
>these hooks to provide an alternative login mechanism?
>
>Is there any other way I could use a substitute login program?

You can add a "logger" attribute to the ODM databases PdAt and CuAt that points to the program you want to run. Be forewarned that this will not work very well until update 3003. Then when you login the "logger" of your choice will be used.

--
+-----------------------------------------------------------------------------+
|The views expressed herein, are the sole responsibility of the typist at hand|
+-----------------------------------------------------------------------------+
|UUCP: robin%aixserv@uunet.uu.net                                             |
|USNail: 701 Canyon Bend Dr.                                                  |
|        Pflugerville, TX 78660                                               |
|Home: (512)251-6889      Work: (512)823-3015                                 |
+-----------------------------------------------------------------------------+