Shadow login release 2 (part 3 of 3)

John F. Haugh II jfh at rpp386.Dallas.TX.US
Tue Jun 20 16:51:49 AEST 1989


X-Archive-Name: shadow2/part3

Part 3 of second USENET release
--
#! /bin/sh
# This is a shell archive, meaning:
# 1. Remove everything above the #! /bin/sh line.
# 2. Save the resulting text in a file.
# 3. Execute the file with /bin/sh (not csh) to create:
#	login.1
#	passwd.1
#	passwd.4
#	shadow.3
#	shadow.4
#	su.1
#	sulogin.8
#	pwconv.8
#	pwunconv.8
#	faillog.8
#	faillog.4
# This archive created: Tue Jun 20 01:28:09 1989
# By:	John F. Haugh II (River Parishes Programming, Plano TX)
export PATH; PATH=/bin:/usr/bin:$PATH
if test -f 'login.1'
then
	echo shar: "will not over-write existing file 'login.1'"
else
cat << \SHAR_EOF > 'login.1'
.TH LOGIN 1
.SH NAME
login \- Begin session on the system
.SH SYNOPSIS
.B login
[ username [ environmental-variables ] ]
.SH DESCRIPTION
.I login
is used to establish a new session with the system.
It is normally invoked automatically by responding to the
.B login:
prompt on the user\'s terminal.
.I login
may be special to the shell and may not be invoked as a sub-process.
Typically,
.I login
is treated by the shell as \fBexec login\fR which causes the user
to exit from the current shell.
Attempting to execute \fIlogin\fR from any shell but the login shell
will produce an error message.
.PP
When invoked from the \fBlogin:\fR prompt, the user may enter
environmental variables after the username.
These variables are entered in the form \fBNAME=VALUE\fR.
Not all variables may be set in this fashion, notably \fBPATH\fR,
\fBHOME\fR and \fBSHELL\fR.
Additionally, \fBIFS\fR may be inhibited if the user\'s login
shell is \fB/bin/sh\fR.
.PP
The user is then prompted for a password, where appropriate.
Echoing is disabled to prevent revealing the password.
Only a small number of password failures are permitted before
\fIlogin\fR exits and the communications link is severed.
.PP
If password aging has been enabled for your account, you may be
prompted for a new password before proceeding.
You will be forced to provide your old password and the new
password before continuing.
Please refer to \fIpasswd(1)\fR for more information.
.PP
After a successful login,
you will be informed of any system messages and the presence
of mail.
You may turn off the printing of the system message file,
\fI/etc/motd\fR, by creating a zero-length file \fI.hushlogin\fR
in your login directory.
The mail message will be one of "\fIYou have new mail.\fR",
"\fIYou have mail.\fR", or "\fINo Mail.\fR" according to
the condition of your mailbox.
.PP
Your user and group ID will be set according to their values in
the \fI/etc/passwd\fR file.
The value for \fB$HOME\fR, \fB$SHELL\fR, \fB$PATH\fR, \fB$LOGNAME\fR,
and \fB$MAIL\fR are set according to the appropriate fields in the
password entry.
Ulimit, umask and nice values may also be set according to
entries in the GECOS field.
.PP
On some installations, the environmental variable \fB$TERM\fR will be
initialized to the terminal type on your tty line, as specified in
\fI/etc/ttytype\fR.
.PP
An initialization script for your command interpreter may also be
executed.
Please see the appropriate manual section for more information on
this function.
.SH CAVEATS
.PP
This version of \fIlogin\fR has many compilation options, only some of which
may be in use at any particular site.
.SH Files
/etc/utmp \- list of current login sessions
.br
/etc/wtmp \- list of previous login sessions
.br
/etc/passwd \- user account information
.br
/etc/shadow \- encrypted passwords and age information
.br
/etc/motd \- system message file
.br
/etc/ttytype \- list of terminal types
.br
$HOME/.profile \- initialization script for default shell
.br
$HOME/.hushlogin \- suppress printing of system messages
.br
.SH See Also
.PP
getty(1M),
mail(1),
passwd(1),
sh(1),
su(1),
d_passwd(4),
passwd(4)
SHAR_EOF
fi
if test -f 'passwd.1'
then
	echo shar: "will not over-write existing file 'passwd.1'"
else
cat << \SHAR_EOF > 'passwd.1'
.TH PASSWD 1
.SH NAME
passwd \- change user password
.SH SYNOPSIS
\fBpasswd\fR [ \fB-f\fR ] [ \fIname\fR ]
.SH DESCRIPTION
\fIpasswd\fR changes passwords for user accounts.
A normal user may only change the password for their own account,
the super user may change the password for any account.
.PP
The user is first prompted for their old password,
if one is present.
This password is then encrypted and compared against the
stored password.
The user has only one chance to enter the correct password.
The super user is permitted to bypass this step so that forgotten
passwords may be changed.
.PP
After the password has been entered password aging information
is checked to see if the user is permitted to change their password
at this time.
If not, \fIpasswd\fR refuses to change the password and exits.
.PP
The user is then prompted for a replacement password.
This password is tested for complexity.
As a general guideline,
passwords should consist of 6 to 8 characters including
one or more from each of following sets:
.IP "" .5i
Lower case alphabetics
.IP "" .5i
Upper case alphabetics
.IP "" .5i
Digits 0 thru 9
.IP "" .5i
Punctuation marks
.PP
Care must be taken not to include the system default erase
or kill characters.
\fIpasswd\fR will reject any password which is not suitably
complex.
.PP
If the password is accepted,
\fIpasswd\fR will prompt again and compare the second entry
against the first.
Both entries are required to match in order for the password
to be changed.
.SH Hints
The security of a password depends upon the strength of the
encryption algorithm and the size of the key space.
The \fB\s-2UNIX\s+2\fR System encryption method is based on
the NBS DES algorithm and is very secure.
.PP
Compromises in password security normally result from careless
password selection or handling.
For this reason, you should select a password which does not
appear in a dictionary or which must be written down.
The password should also not be a proper name, your license
number, birth date, or street address.
Any of these may be used as guesses to violate system security.
.PP
Your password must be easily remembered so that you will not
be forced to write it on a piece of paper.
This can be accomplished by appending two small words together
and separating each with a special character or digit.
For example, Pass%word.
.PP
Other methods of construction involve selecting an easily
remembered phrase from literature and selecting the first
or last letter from each.
An example of this is
.IP "" .5i
Ask not for whom the bell tolls.
.PP
which produces
.IP "" .5i
An4wtbt.
.PP
You may be reasonably sure few crackers will have
included this in their dictionary.
.SH CAVEATS
Not all options may be supported.
Password complexity checking may vary from site to site.
The user is urged to select as complex a password as they
feel comfortable with.
A \fB-f\fR option exists to permit the superuser to override
any password complexity testing,
normal users must create passwords which pass the complexity
test.
.SH Files
/etc/passwd \- user account information
.br
/etc/shadow \- encrypted user passwords
.SH See Also
passwd(3),
passwd(4)
SHAR_EOF
fi
if test -f 'passwd.4'
then
	echo shar: "will not over-write existing file 'passwd.4'"
else
cat << \SHAR_EOF > 'passwd.4'
.TH PASSWD 4
.SH NAME
passwd \- The password file
.SH DESCRIPTION
.I passwd
contains various pieces of information for each user account.
Included is
.IP "" .5i
Login name
.IP "" .5i
Optional encrypted password
.IP "" .5i
Numerical user ID
.IP "" .5i
Numerical group ID
.IP "" .5i
User name or comment field
.IP "" .5i
User home directory
.IP "" .5i
User command interpreter
.PP
The password field may not be filled if shadow passwords
have been enabled.
If shadow passwords are being used, the encrypted password will
be found in \fB/etc/shadow\fR.
The encrypted password consists of 13 characters from the
64 character alphabet
a thru z, A thru Z, 0 thru 9, \. and /.
Refer to \fIcrypt(3)\fR for details on how this string is
interpreted.
.PP
An optional password age string may follow the encrypted
password, separated by a comma, from the same alphabet
as the password itself.
The first character gives the number of weeks during which the
password is valid.
The second character gives the number of weeks which must pass
before the user is permitted to change the password.
The last two characters give the week since Jan 1970 when the
password was last changed.
When the number of weeks during which the password is valid
have passed, the user will be required to provide a new
password.
.PP
The comment field is used by various system utilities, such as
\fIfinger(1)\fR.
Three additional values may be present in the comment field.
They are
.IP "" .5i
pri= \- set initial value of nice
.IP "" .5i
umask= \- set initial value of umask
.IP "" .5i
ulimit= \- set initial value of ulimit
.PP
These fields are separated from each other and from any other
comment field by a comma.
.PP
The home directory field provides the name of the initial
working directory.
\fILogin\fR uses this information to set the value of
the \fBHOME\fR environmental variable.
.PP
The command interpreter field provides the name of the user's
command language interpreter, or the name of the initial program
to execute.
\fILogin\fR uses this information to set the value of the
\fBSHELL\fR environmental variable.
If this field is empty, it defaults to the value \fB/bin/sh\fR.
.SH Files
/etc/passwd \- user account information
.SH See Also
login(1),
passwd(1),
su(1),
sulogin(1M),
shadow(4),
pwconv(8),
pwunconv(8)
SHAR_EOF
fi
if test -f 'shadow.3'
then
	echo shar: "will not over-write existing file 'shadow.3'"
else
cat << \SHAR_EOF > 'shadow.3'
.TH SHADOW 3
.SH NAME
shadow \- encrypted password file routines
.SH Syntax
.IP "" .5i
#include <shadow.h>
.IP "" .5i
struct spwd *getspent();
.br
struct spwd *getspnam(char * name);
.br
void setspent();
.br
void endspent();
.br
struct spwd *fgetspent(FILE *fp);
.br
int putspent(struct spwd *p,FILE *fp);
.SH DESCRIPTION
.I shadow
manipulates the contents of the shadow password file,
\fB/etc/shadow\fR.
The structure in the \fI#include\fR file is
.IP "" .5i
struct spwd {
.br
	char	*sp_namp; /* user login name */
.br
	char	*sp_pwdp; /* encrypted password */
.br
	long	sp_lstchg; /* last password change */
.br
	int	sp_max; /* days before change required */
.br
	int	sp_min; /* days until change allowed. */
.br
};
.PP
The meanings of each field are
.IP "" .5i
sp_namp \- pointer to null-terminated user name.
.IP "" .5i
sp_pwdp \- pointer to null-terminated password.
.IP "" .5i
sp_lstchg \- days since Jan 1, 1970 password was last changed.
.IP "" .5i
sp_max \- days after which password must be changed
.IP "" .5i
sp_min \- days before which password may not be changed.
.SH Description
\fIgetspent\fR, \fIgetspnam\fR, and \fIfgetspent\fR each return
a pointer to a \fBstruct spwd\fR.
\fIgetspent\fR returns the
next entry from the file, and \fIfgetspent\fR returns the next
entry from the given stream, which is assumed to be a file of
the proper format.
\fIgetspnam\fR searches from the current position in the file for
an entry matching \fIname\fR.
.PP
\fIsetspent\fR and \fIendspent\fR may be used to begin and end,
respectively, access to the shadow password file.
.SH Diagnostics
Routines return NULL if no more entries are available or if an
error occurs during processing.
.SH Caveats
These routines may only be used by the super user as access to
the shadow password file is restricted.
.SH Files
/etc/shadow \- encrypted user passwords
.SH See Also
getpwent(3),
shadow(4)
SHAR_EOF
fi
if test -f 'shadow.4'
then
	echo shar: "will not over-write existing file 'shadow.4'"
else
cat << \SHAR_EOF > 'shadow.4'
.TH SHADOW 4
.SH NAME
shadow \- encrypted password file
.SH DESCRIPTION
.I shadow
contains the encrypted password information for users' accounts
and optionally the password aging information.
Included is
.IP "" .5i
Login name
.IP "" .5i
Encrypted password
.IP "" .5i
Date password last changed
.IP "" .5i
Days before password may be changed
.IP "" .5i
Days after which password must be changed
.PP
The password field must be filled.
The encrypted password consists of 13 characters from the
64 character alphabet
a thru z, A thru Z, 0 thru 9, \. and /.
Refer to \fIcrypt(3)\fR for details on how this string is
interpreted.
.PP
The date of the last password change is given as the number
of days since Jan 1, 1970.
The password may not be changed again until the proper number
of days have passed, and must be changed after the maximum
number of days.
If the minimum number of days required is greater than the
maximum number of days allowed, this password may not be
changed by the user.
.PP
This information supersedes any password or password age
information present in \fB/etc/passwd\fR.
.PP
This file must not be readable by regular users if password
security is to be maintained.
.SH Files
/etc/passwd \- user account information
.br
/etc/shadow \- encrypted user passwords
.SH See Also
login(1),
passwd(1),
su(1),
sulogin(1M),
passwd(4),
pwconv(8),
pwunconv(8)
SHAR_EOF
fi
if test -f 'su.1'
then
	echo shar: "will not over-write existing file 'su.1'"
else
cat << \SHAR_EOF > 'su.1'
.TH SU 1
.SH NAME
su \- Change user ID or become super-user
.SH SYNOPSIS
.B su
[ - ] [ username [ args ] ]
.SH DESCRIPTION
.I su
is used to become another user during a login session.
Invoked without a username, \fIsu\fR defaults to becoming
the super user.
The optional argument \fB\-\fR may be used to provide an
environment similar to what the user would expect had
the user logged in directly.
.PP
Additional arguments may be provided after the username,
in which case they are supplied to the user\'s login shell.
In particular, an argument of \fB-c\fR will cause the
next argument to be treated as a command by most command
interpreters.
The command will be executed under the shell specified by
\fB$SHELL\fR, or if undefined, by the one specified in
\fI/etc/passwd\fR.
.PP
The user will be prompted for a password, if appropriate.
Invalid passwords will produce an error message.
All attempts, both valid and invalid, are logged to detect
abuses of the system.
.PP
The current environment is passed to the new shell.
The value of \fB$PATH\fR is reset to \fB/bin:/usr/bin\fR
for normal users, or \fB/bin:/usr/bin:/etc\fR for the super user.
.SH CAVEATS
.PP
This version of \fIsu\fR has many compilation options, only some of which
may be in use at any particular site.
.SH Files
/etc/passwd \- user account information
.br
/etc/shadow \- encrypted passwords and age information
.br
$HOME/.profile \- initialization script for default shell
.SH See Also
login(1),
sh(1)
SHAR_EOF
fi
if test -f 'sulogin.8'
then
	echo shar: "will not over-write existing file 'sulogin.8'"
else
cat << \SHAR_EOF > 'sulogin.8'
.TH SULOGIN 8
.SH NAME
sulogin \- Single-user login
.SH DESCRIPTION
.I sulogin
is invoked by \fB/etc/init\fR prior to allowing the user
access to the system when in single user mode.
This feature may only be available on certain systems where
\fIinit\fR has been modified accordingly, or where the
\fB/etc/inittab\fR has an entry for a single user login.
.PP
The user is prompted
.IP "" .5i
Type control-d for normal startup,
.br
(or give root password for system maintenance):
.PP
If the user enters the correct root password, a login session
is initiated.
When \fBEOF\fR is pressed instead, the system enters multi-user
mode.
.PP
After the user exits the single-user shell, or presses \fBEOF\fR,
the system begins the initialization process required to enter
multi-user mode.
.SH CAVEATS
.PP
This command can only be used if \fIinit\fR has been modified to call
\fB/etc/sulogin\fR instead of \fB/bin/sh\fR,
or if the user has set the \fIinittab\fR to support a single user
login.
.PP
As complete an environment as possible is created.
However, various devices may be unmounted or uninitialized and many 
of the user commands may be unavailable or nonfunctional as a result.
.SH Files
/etc/passwd \- user account information
.br
/etc/shadow \- encrypted passwords and age information
.br
/.profile \- initialization script for single user shell
.SH See Also
login(1),
init(1M),
sh(1)
SHAR_EOF
fi
if test -f 'pwconv.8'
then
	echo shar: "will not over-write existing file 'pwconv.8'"
else
cat << \SHAR_EOF > 'pwconv.8'
.TH PWCONV 8
.SH NAME
pwconv \- convert and update shadow password files
.SH SYNOPSIS
/etc/pwconv
.SH DESCRIPTION
\fIPwconv\fR copies the old password file information to a new shadow
password file,
merging entries from an optional existing shadow file.
The new password file is left in \fBnpasswd\fR,
the new shadow file is left in \fBnshadow\fR.
Both of these files are created with modes which only permit
read access to the owner.
Existing shadow entries are copied as is.
New entries are created with passwords which expire in 10000 days,
with a last changed date of today,
unless password aging information was already present.
Entries with blank passwords are not copied to the shadow file at all.
.SH Files
/etc/passwd \- old encrypted passwords and password aging
.br
/etc/shadow \- previously converted shadow password file
.br
./npasswd \- new password file
.br
./nshadow \- new shadow password file
.SH See Also
passwd(1),
passwd(4),
shadow(4),
pwunconv(8)
SHAR_EOF
fi
if test -f 'pwunconv.8'
then
	echo shar: "will not over-write existing file 'pwunconv.8'"
else
cat << \SHAR_EOF > 'pwunconv.8'
.TH PWUNCONV 8
.SH NAME
pwunconv \- restore old password file from shadow password file
.SH SYNOPSIS
/etc/pwunconv
.SH DESCRIPTION
\fIPwunconv\fR copies the password file information from the shadow
password file,
merging entries from an optional existing shadow file.
The new password file is left in \fBnpasswd\fR.
This file is created with modes which allow read access for
the owner only.
There is no new shadow file.
Password aging information is translated where possible.
.SH Files
/etc/passwd \- old encrypted passwords and password aging
.br
/etc/shadow \- previously converted shadow password file
.br
./npasswd \- new password file
.SH See Also
passwd(1),
passwd(4),
shadow(4),
pwconv(8)
SHAR_EOF
fi
if test -f 'faillog.8'
then
	echo shar: "will not over-write existing file 'faillog.8'"
else
cat << \SHAR_EOF > 'faillog.8'
.TH FAILLOG 8
.SH NAME
faillog \- examine faillog and set login failure limits
.SH SYNOPSIS
/etc/faillog [ -u uid ] [ -t days ] [ -m max ] [ -pr ] 
.SH DESCRIPTION
\fIFaillog\fR formats the contents of the failure log,
\fI/usr/adm/faillog\fR, and maintains failure counts and
limits.
The order of the arguments to \fIfaillog\fR is significant.
Each argument is processed immediately in the order given.
.PP
The \fB-p\fR flag causes failure entries to be printed in UID
order.
Entering the \fB-u login-name\fR flag will
cause the failure record for \fBlogin-name\fR only to be printed.
Entering \fB-t days\fR will cause only the
failures more recent than \fBdays\fR to be printed.
The \fB-t\fR flag overrides the use of \fB-u\fR.
.PP
The \fB-r\fR flag is used to reset the count of login failures.
Write access to \fI/usr/adm/faillog\fR is required for
this option.
Entering \fB-u login-name\fR will cause only the failure count
for \fBlogin-name\fR to be reset.
.PP
The \fB-m\fR flag is used to set the maximum number of login
failures before the account is disabled.
Write access to \fB/usr/adm/faillog\fR is required for this
option.
Entering \fB-m max\fR will cause all accounts to be disabled
after \fBmax\fR failed logins occur.
This may be modified with \fB-u login-name\fR to limit this
function to \fBlogin-name\fR only.
Selecting a \fBmax\fR value of 0 has the effect of not placing
a limit on the number of failed logins.
The maximum failure count
should always be 0 for \fBroot\fR to prevent
a denial of service attack against the system.
.PP
Options may be combined in virtually any fashion.
Each \fB-p\fR, \fB-r\fR, and \fB-m\fR option will cause
immediate execution using any \fB-u\fR or \fB-t\fR modifier.
.SH Files
/usr/adm/faillog \- failure logging file
.SH See Also
login(1),
faillog(4)
SHAR_EOF
fi
if test -f 'faillog.4'
then
	echo shar: "will not over-write existing file 'faillog.4'"
else
cat << \SHAR_EOF > 'faillog.4'
.TH FAILLOG 4
.SH NAME
faillog \- Login failure logging file
.SH DESCRIPTION
.I faillog
maintains a count of login failures and the limits for each account.
The file consists of fixed-length records, indexed by numerical UID.
Each record contains the count of login failures since the last
successful login;
the maximum number of failures before the account is disabled;
the line the last login failure occurred on;
and the date the last login failure occurred.
.PP
The structure of the file is
.DS

        struct	faillog {
                short   fail_cnt;
                short   fail_max;
                char    fail_line[12];
                time_t  fail_time;
        };

.DE
.SH Files
/usr/adm/faillog \- login failure log
.SH See Also
faillog(8)
SHAR_EOF
fi
exit 0
#	End of shell archive
-- 
John F. Haugh II                        +-Button of the Week Club:-------------
VoiceNet: (512) 832-8832   Data: -8835  | "AIX is a three letter word,
InterNet: jfh at rpp386.Cactus.Org         |  and it's BLUE."
UucpNet : <backbone>!bigtex!rpp386!jfh  +--------------------------------------
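The login(1) page in the archive above says that words typed after the username at the login: prompt become environment variables of the form NAME=VALUE, except that PATH, HOME and SHELL are never taken from there, and IFS is refused when the login shell is /bin/sh. The following is an added example, not the release's own login.c: a filter that makes exactly that decision for each word. The identifier check on NAME, the literal comparison of the shell against "/bin/sh", and the sample words in main() are this example's assumptions.

```c
/* Added example: the environment-argument filter described in login(1).
 * Not part of the shadow release; the denylist is the one the man page
 * names (PATH, HOME, SHELL, and IFS for a /bin/sh login shell). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum env_verdict { ENV_ACCEPT, ENV_BAD_FORM, ENV_RESERVED, ENV_IFS_SH };

/* Decide whether one word typed after the username may be placed in the
 * environment.  shell is the user's login shell from passwd(4). */
enum env_verdict login_env_verdict(const char *arg, const char *shell)
{
    const char *eq = strchr(arg, '=');
    size_t n;

    if (!eq || eq == arg)
        return ENV_BAD_FORM;                     /* must look like NAME=VALUE */
    n = (size_t)(eq - arg);
    for (size_t i = 0; i < n; i++) {             /* NAME must be an identifier */
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '_') || (i == 0 && isdigit(c)))
            return ENV_BAD_FORM;
    }
    if ((n == 4 && strncmp(arg, "PATH", 4) == 0) ||
        (n == 4 && strncmp(arg, "HOME", 4) == 0) ||
        (n == 5 && strncmp(arg, "SHELL", 5) == 0))
        return ENV_RESERVED;                     /* login sets these from passwd(4) */
    if (n == 3 && strncmp(arg, "IFS", 3) == 0 && strcmp(shell, "/bin/sh") == 0)
        return ENV_IFS_SH;                       /* IFS is inhibited for /bin/sh */
    return ENV_ACCEPT;
}

/* Apply the verdict to a whole argument list, collecting the accepted
 * NAME=VALUE strings into envp (NULL-terminated).  envp needs room for
 * max + 1 pointers.  Returns the number of accepted words. */
int login_env_filter(const char *shell, char *const argv[], int argc,
                     const char *envp[], int max)
{
    int kept = 0;
    for (int i = 0; i < argc && kept < max; i++)
        if (login_env_verdict(argv[i], shell) == ENV_ACCEPT)
            envp[kept++] = argv[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample: words a user might type after the username. */
    char *const args[] = { "TERM=vt100", "IFS=:", "PATH=/tmp:/bin", "LANG", "EDITOR=vi" };
    const char *envp[6];
    int kept = login_env_filter("/bin/sh", args, 5, envp, 5);

    printf("accepted %d of 5 words:\n", kept);
    for (int i = 0; i < kept; i++)
        printf("  %s\n", envp[i]);
    return 0;
}
```

With a /bin/sh login shell the sample accepts only TERM and EDITOR; the same list under a different shell would also let IFS through, which is why the page ties that restriction to the shell in use.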
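The passwd(4) page above describes the optional age string that follows the encrypted password in /etc/passwd (max weeks, min weeks, then two characters of "weeks since 1970 last changed", all from the crypt alphabet), shadow(4) gives the day-based rules that replace it, and pwconv(8) states how entries without aging information are converted (expire in 10000 days, changed today). The block below is an added example that ties those three passages together; it is not the release's pwconv or shadow(3) code. The struct spwd is a local copy of the layout printed in shadow(3) of this release, not the one in a modern <shadow.h>. Two things are this example's assumptions rather than statements of the page: the two-character week count is read least-significant character first, as a64l(3) does, and a password that has aged past sp_max by more than zero days counts as expired. The 13-character "encrypted" strings in main() are constructed placeholders.

```c
/* Added example: passwd(4) age string -> shadow(4) record, with the
 * pwconv(8) defaults and the shadow(4) aging rules.  Not the release's
 * own code.  struct spwd mirrors the shadow(3) page of this release. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct spwd {
    char *sp_namp;    /* user login name */
    char *sp_pwdp;    /* encrypted password */
    long  sp_lstchg;  /* days since Jan 1, 1970 of the last change */
    int   sp_max;     /* days before change required */
    int   sp_min;     /* days until change allowed */
};

enum age_state { AGE_BAD = -1, AGE_OK, AGE_TOO_SOON, AGE_EXPIRED, AGE_LOCKED };

/* Value of one character of the 64-character crypt alphabet
 * (. / 0-9 A-Z a-z), or -1 if the character is outside it. */
int c64i(int c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return c - '0' + 2;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

/* Fill the password and aging fields of *sp from a passwd(4) password
 * field "<encrypted>[,<4-char age string>]".  ASSUMPTION: the two week
 * characters are least-significant first (a64l(3) order).  Without an
 * age string the pwconv(8) defaults apply.  sp_pwdp is malloc'd and must
 * be freed by the caller.  Returns 0, or -1 if the age string is
 * malformed (then *sp is left untouched). */
int pw_to_shadow(const char *pwfield, long today, struct spwd *sp)
{
    const char *comma = strchr(pwfield, ',');
    size_t plen = comma ? (size_t)(comma - pwfield) : strlen(pwfield);
    long lstchg;
    int min, max;

    if (comma) {
        const char *age = comma + 1;
        int v[4];
        if (strlen(age) != 4) return -1;
        for (int i = 0; i < 4; i++)
            if ((v[i] = c64i((unsigned char)age[i])) < 0) return -1;
        max    = v[0] * 7;                       /* weeks valid */
        min    = v[1] * 7;                       /* weeks before a change is allowed */
        lstchg = (long)(v[2] + 64 * v[3]) * 7;   /* weeks since 1970, as days */
    } else {
        max = 10000; min = 0; lstchg = today;    /* pwconv(8) defaults */
    }
    char *pw = malloc(plen + 1);
    if (!pw) return -1;
    memcpy(pw, pwfield, plen);
    pw[plen] = '\0';
    sp->sp_pwdp = pw; sp->sp_lstchg = lstchg; sp->sp_min = min; sp->sp_max = max;
    return 0;
}

/* The shadow(4) rules for a given day number. */
enum age_state age_check(const struct spwd *sp, long today)
{
    long elapsed = today - sp->sp_lstchg;
    if (sp->sp_min > sp->sp_max) return AGE_LOCKED;   /* user may never change it */
    if (elapsed > sp->sp_max)    return AGE_EXPIRED;  /* must be changed now */
    if (elapsed < sp->sp_min)    return AGE_TOO_SOON; /* may not be changed yet */
    return AGE_OK;
}

/* Convert a passwd field and report its aging state (AGE_BAD if malformed). */
enum age_state check_passwd_field(const char *pwfield, long today)
{
    struct spwd sp;
    if (pw_to_shadow(pwfield, today, &sp) < 0) return AGE_BAD;
    enum age_state st = age_check(&sp, today);
    free(sp.sp_pwdp);
    return st;
}

/* The shadow(4) line "name:password:lstchg:min:max" that pwconv would write
 * to nshadow, in a static buffer.  NULL for a blank password (pwconv does
 * not copy those) or a malformed age string. */
const char *shadow_line(const char *name, const char *pwfield, long today)
{
    static char buf[256];
    struct spwd sp;
    if (*pwfield == '\0' || pw_to_shadow(pwfield, today, &sp) < 0) return NULL;
    snprintf(buf, sizeof buf, "%s:%s:%ld:%d:%d",
             name, sp.sp_pwdp, sp.sp_lstchg, sp.sp_min, sp.sp_max);
    free(sp.sp_pwdp);
    return buf;
}

int main(void)
{
    /* Constructed sample passwd(4) entries (name, password field). */
    const char *sample[][2] = {
        { "jfh",    "abcdefghijklm,C0cD" },  /* max 14 weeks, min 2 weeks, changed week 1000 */
        { "guest",  "abcdefghijklm" },       /* no aging: pwconv defaults */
        { "locked", "abcdefghijklm,.Z.." },  /* min > max: may never be changed */
        { "nopw",   "" },                    /* blank password: skipped */
    };
    static const char *names[] = { "ok", "too soon", "expired", "locked" };
    long today = 7050;                       /* fixed day number instead of the clock */

    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        const char *line = shadow_line(sample[i][0], sample[i][1], today);
        enum age_state st = check_passwd_field(sample[i][1], today);
        if (!line) { printf("%-8s skipped\n", sample[i][0]); continue; }
        printf("%-34s %s\n", line, st == AGE_BAD ? "malformed" : names[st]);
    }
    return 0;
}
```

The "locked" case is the one shadow(4) singles out: a minimum larger than the maximum means the user can never change the password, which an administrator can use to freeze an account without touching the encrypted string.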
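The faillog(4) page above gives the record layout and says the file is indexed by numerical UID, and faillog(8) describes the operations on it: print a count, reset it, set a maximum, and a maximum of 0 meaning no limit, which the page says root should keep so that bad passwords cannot be used to lock the administrator out. The following is an added example, not the release's faillog.c or login.c: a reader and writer for that fixed-record file plus the lockout decision login would take. It uses a temporary file from tmpfile() in place of /usr/adm/faillog, and the rule "disabled once the count reaches fail_max" is this example's reading of the page.

```c
/* Added example: faillog(4) record file handling and the faillog(8)
 * lockout rule.  Not part of the shadow release; a tmpfile() stands in
 * for /usr/adm/faillog. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

struct faillog {
    short  fail_cnt;       /* failures since the last successful login */
    short  fail_max;       /* failures allowed before disabling; 0 = no limit */
    char   fail_line[12];  /* tty of the last failure */
    time_t fail_time;      /* time of the last failure */
};

/* Indexed by UID: record n starts at byte n * sizeof(struct faillog). */
static long faillog_offset(unsigned uid)
{
    return (long)uid * (long)sizeof(struct faillog);
}

/* Read uid's record.  A UID past the end of the file has never been
 * written and reads as all zeros: no failures, no limit.  0 or -1. */
int faillog_get(FILE *fp, unsigned uid, struct faillog *fl)
{
    memset(fl, 0, sizeof *fl);
    if (fseek(fp, faillog_offset(uid), SEEK_SET) != 0) return -1;
    if (fread(fl, sizeof *fl, 1, fp) != 1) {
        if (ferror(fp)) return -1;
        clearerr(fp);                  /* short read is EOF: keep the zero record */
        memset(fl, 0, sizeof *fl);
    }
    return 0;
}

int faillog_put(FILE *fp, unsigned uid, const struct faillog *fl)
{
    if (fseek(fp, faillog_offset(uid), SEEK_SET) != 0) return -1;
    if (fwrite(fl, sizeof *fl, 1, fp) != 1) return -1;
    return fflush(fp) == 0 ? 0 : -1;
}

/* Disabled once a limit is set and the count has reached it. */
int faillog_disabled(const struct faillog *fl)
{
    return fl->fail_max != 0 && fl->fail_cnt >= fl->fail_max;
}

/* faillog -m max -u uid: set one account's limit; 0 removes the limit
 * (the setting the page recommends for root). */
int faillog_set_max(FILE *fp, unsigned uid, short max)
{
    struct faillog fl;
    if (faillog_get(fp, uid, &fl) < 0) return -1;
    fl.fail_max = max;
    return faillog_put(fp, uid, &fl);
}

/* What login does on a bad password: count it, record line and time.
 * Returns 1 if the account is now disabled, 0 if not, -1 on error. */
int faillog_record_failure(FILE *fp, unsigned uid, const char *line, time_t now)
{
    struct faillog fl;
    if (faillog_get(fp, uid, &fl) < 0) return -1;
    if (fl.fail_cnt < 32767) fl.fail_cnt++;          /* never wrap the short */
    strncpy(fl.fail_line, line, sizeof fl.fail_line - 1);
    fl.fail_line[sizeof fl.fail_line - 1] = '\0';
    fl.fail_time = now;
    if (faillog_put(fp, uid, &fl) < 0) return -1;
    return faillog_disabled(&fl);
}

/* faillog -r -u uid, or a successful login: clear the count, keep the limit. */
int faillog_reset(FILE *fp, unsigned uid)
{
    struct faillog fl;
    if (faillog_get(fp, uid, &fl) < 0) return -1;
    fl.fail_cnt = 0;
    return faillog_put(fp, uid, &fl);
}

/* faillog -p -u uid: the current count, or -1 on error. */
int faillog_count(FILE *fp, unsigned uid)
{
    struct faillog fl;
    return faillog_get(fp, uid, &fl) < 0 ? -1 : fl.fail_cnt;
}

/* Process-wide scratch file standing in for /usr/adm/faillog. */
FILE *faillog_scratch(void)
{
    static FILE *fp;
    if (!fp) fp = tmpfile();
    return fp;
}

int main(void)
{
    FILE *fp = faillog_scratch();
    faillog_set_max(fp, 0, 0);       /* root: no limit, so it cannot be locked out */
    faillog_set_max(fp, 200, 3);     /* an ordinary account: three failures */
    for (int i = 1; i <= 4; i++) {
        printf("failure %d: uid 200 %s, uid 0 %s\n", i,
               faillog_record_failure(fp, 200, "tty03", time(NULL)) ? "disabled" : "ok",
               faillog_record_failure(fp, 0, "console", time(NULL)) ? "disabled" : "ok");
    }
    faillog_reset(fp, 200);
    printf("after reset: uid 200 count = %d\n", faillog_count(fp, 200));
    return 0;
}
```

Because the file is addressed by UID, a record for a high UID sits far past the last written one; reading it simply returns zeros, which is why an account that has never failed a login needs no explicit entry.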