I made some changes to login(1) in the last weeks. The goal is to have one
PAM-only login(1) for all mainstream distributions.

The code is based on the original util-linux login(1) and pam_login-4.0
package from Suse.

Git tree: https://karelzak@xxxxxxxxxx/karelzak/util-linux.git branch 'login'.

URL: https://github.com/karelzak/util-linux/tree/login

Changes:

 - remove kerberos specific code
 - remove non-PAM code
 - remove checktty stuff
 - remove ugly macros (e.g. PAM_END)
 - add syslog LOG_ERR on failed tty ch{mod,own} (based on Suse version)
 - move all important/global variables to 'struct login_context'
 - indent to Linux coding style
 - use xalloc.h functions
 - lastlog, utmp, btmp, audit and syslog code refactoring
 - don't log unknown usernames to system log files (may be a security issue
   if a user enters her password instead of her login name) -- controlled by
   LOG_UNKFAIL_ENAB login.defs variable
 - support /etc/login.defs, supported variables:

     name               default
     ------------------------------
     DEFAULT_HOME       yes (means chdir("/") if pwd->pw_dir does not exist)
     ENV_PATH           "/usr/local/bin:/bin:/usr/bin"
     ENV_{ROOT,SU}PATH  "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
     FAIL_DELAY         5s
     HUSHLOGIN_FILE     /etc/hushlogins and ~/.hushlog
     LOGIN_TIMEOUT      60s
     LOG_UNKFAIL_ENAB   yes
     MOTD_FILE          /etc/motd
     TTYGROUP           'tty' (otherwise pwd->pw_gid is used)
     TTYPERM            0620 (or 0600 for --disable-use-tty-group)

   Note that Suse version does not use any defaults for *_FILE and TTYGROUP.

 - print hostname in the login prompt, for example: "foo login: "

   Note that Suse version uses hostname with domain (e.g. foo.example.com),
   our goal is to be compatible with the default agetty behavior.

 - add new -H option to suppress hostname in the login prompt (already in
   Suse version)
 - call setgroups(0, NULL) rather than initgroups() for root user (this
   avoids the need to step through the whole group file, which can cause
   problems if NIS, NIS+, LDAP or something similar is used and the machine
   has network problems)
 - improve hushed mode (mostly based on Suse version)
    * accepts HUSHLOGIN_FILE from /etc/login.defs
    * empty /etc/hushlogins file enables hushed mode for all accounts (this
      new feature is necessary if you want to use PAM for motd and last
      login messages)

Comments?

    Karel

--
 Karel Zak <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com
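The LOG_UNKFAIL_ENAB item above, as an added example that is not code from this post or from util-linux: it reads a boolean from login.defs-style text and decides which name a failed-login record may contain. The function names, the sample text and the "(unknown)" placeholder are assumptions of this example, and the caller supplies the default used when the variable is absent.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed sample text, not a real system's /etc/login.defs. */
static const char SAMPLE_DEFS[] =
    "# failed-login logging policy\n"
    "FAIL_DELAY        3\n"
    "LOG_UNKFAIL_ENAB  no\n";

/* Copy the value of "NAME <blanks> value" into out; 1 if found, else 0. */
static int defs_get(const char *text, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    for (const char *p = text, *next; *p; p = next) {
        size_t len = strcspn(p, "\n");
        next = p + len + (p[len] == '\n');
        while (len && isblank((unsigned char)*p)) { p++; len--; }
        if (len <= nlen || strncmp(p, name, nlen) || !isblank((unsigned char)p[nlen]))
            continue;   /* comment line, other variable, or no value */
        const char *v = p + nlen;
        len -= nlen;
        while (len && isblank((unsigned char)*v)) { v++; len--; }
        while (len && isspace((unsigned char)v[len - 1])) len--;
        snprintf(out, outsz, "%.*s", (int)len, v);
        return 1;
    }
    return 0;
}

/* Boolean lookup; dflt applies when the variable is absent. */
static int defs_bool(const char *text, const char *name, int dflt)
{
    char v[16];
    return defs_get(text, name, v, sizeof v) ? !strcasecmp(v, "yes") : dflt;
}

/* Name recorded for a failed attempt. Input typed for a nonexistent account
 * may be a password, so it is masked unless LOG_UNKFAIL_ENAB is on. */
static const char *failed_login_name(const char *typed, int known, int log_unkfail)
{
    return (known || log_unkfail) ? typed : "(unknown)"; /* example's placeholder */
}

int main(void)
{
    int on = defs_bool(SAMPLE_DEFS, "LOG_UNKFAIL_ENAB", 1);
    printf("FAILED LOGIN FOR %s\n", failed_login_name("hunter2", 0, on));
}
```

The same masked name should be used for every sink that records the attempt (syslog, btmp, audit), otherwise the typed text still reaches one of them.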