
This version of 4.3 BSD NET1 login.c has been hacked for SunOS 4.x and SunOS 5.x, Ultrix 4.x and other systems.

With Digital UNIX enhanced security, build with -DDECOSF1_ENHANCED and link with SYSLIBS=-lsecurity (see Makefile).

The enhanced login command reports every login failure that is not followed by a successful login (the threshold for reporting a failure is 1 for known account names, 2 for other names). Unfortunately, only the SunOS5 variant of the program supports shadow passwords and password aging. See below for a list of enhancements.

THIS PROGRAM CAN INTRODUCE SECURITY HOLES WITH SOME SYSTEM V VERSIONS, in particular the versions with port monitors (getty, ttymon) that convert their standard input to an argument vector for /bin/login. It seems to be OK for SunOS 5.0 and later.

This login command can interface to new-style rlogin daemons that do all the authentication by themselves (the login '-f' option). Support for the '-r' option has been added so that it can also interface to older rlogin daemons.

Installation:

You will probably have to modify the syslog.conf file so that auth.info messages will be logged at all. For example:

*.err;kern.debug;auth.notice;user.none		/dev/console
*.err;kern.debug;daemon,auth.info;mail.crit;user.none	/var/adm/messages
auth.debug			ifdef(`LOGHOST', /var/log/syslog, @loghost)

Beware that syslogd usually insists on tabs between fields in the syslog.conf file.

Enhancements:

(1) Bad SunOS [45].x environment variables (LD_xxx, IFS) are deleted.

(2) The program supports device security described in the SunOS 4.x fbtab(5) and SunOS 5.x logindevperm(4) manual pages. The format of that file is:

If someone logs in on the specified login-terminal, the devices in the third column are chowned to that user and given the specified permissions. Example:

	/dev/console 0600 /dev/kbd:/dev/mouse:/dev/fb
	/dev/console 0600 /dev/sound/*:/dev/fbs/*

The code first looks for /etc/fbtab (compatibility with pre-SunOS 5.3 logdaemon versions), then for /etc/logindevperm.

(3) The program can selectively allow (or disallow) users (or groups) to log in from specific hosts (or domains) or terminals. Access is controlled by a file /etc/login.access. The login.access file in this directory describes details.

(4) Premature hangups are reported as login failures, too. That's an old cracker trick.

(5) All logins are reported to the syslogd, so that I no longer have to examine 160 /var/adm/wtmp files. Regular logins are logged at severity auth.info.

(6) If compiled with -DSKEY, implement additional support for one-time s/key passwords. This feature is completely transparent for the user who does not use s/key. See ../skey/README for details.

(7) When given the -l option, the rlogin authentication code ignores user .rhosts files (IRIX 5.3: -R).

(8) By default, the rlogin auth code will not accept '+' wildcards (it will complain instead). The -l option is passed on by the rlogind program in ../rlogind.
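
The device-security entries from enhancement (2), as an added example that is not logdaemon's own code: a strict parser for one fbtab/logindevperm-style line that decides which devices would be handed to the user logging in on a given terminal. The names parse_devperm and struct devperm are hypothetical, and the '#' comment handling and the rejection of modes above 0777, of paths outside /dev and of ".." components are assumptions of this example.

```c
/* Added example, not logdaemon code: parse one fbtab/logindevperm-style line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVS 16

struct devperm {                 /* hypothetical result type */
    unsigned mode;               /* permissions to apply, e.g. 0600 */
    int ndevs;                   /* entries used in devs[] */
    char devs[MAX_DEVS][64];     /* device paths, trailing wildcard kept as written */
};

/* Returns 1 if the line applies to tty, 0 if it is blank, a comment or for
 * another terminal, -1 if it is malformed. '#' comments are an assumption. */
int parse_devperm(const char *line, const char *tty, struct devperm *out)
{
    char buf[256], *term, *perm, *list, *dev, *end;

    if (strlen(line) >= sizeof(buf)) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "#\n")] = '\0';             /* strip comment and newline */
    if ((term = strtok(buf, " \t")) == NULL) return 0;
    perm = strtok(NULL, " \t");
    list = strtok(NULL, " \t");
    if (perm == NULL || list == NULL) return -1;
    if (strcmp(term, tty) != 0) return 0;

    out->mode = (unsigned)strtoul(perm, &end, 8);
    if (*end != '\0' || out->mode > 0777) return -1;  /* no setuid/sticky bits */

    out->ndevs = 0;
    for (dev = strtok(list, ":"); dev != NULL; dev = strtok(NULL, ":")) {
        /* Policy of this example: only /dev paths, no ".." components. */
        if (strncmp(dev, "/dev/", 5) != 0 || strstr(dev, "..") != NULL) return -1;
        if (out->ndevs == MAX_DEVS || strlen(dev) >= sizeof(out->devs[0])) return -1;
        strcpy(out->devs[out->ndevs++], dev);
    }
    return out->ndevs > 0 ? 1 : -1;
}

int main(void)
{
    struct devperm dp;           /* sample line taken from the example above */
    if (parse_devperm("/dev/console 0600 /dev/kbd:/dev/mouse:/dev/fb\n", "/dev/console", &dp) == 1)
        for (int i = 0; i < dp.ndevs; i++)
            printf("chown+chmod %04o %s\n", dp.mode, dp.devs[i]);
    return 0;
}
```

Wildcard entries such as /dev/sound/* are returned as written; expanding them against the directory is left to the caller.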

Unimplemented SYSV features: