d_passwd(4)
d_passwd, dialups -- secondary security access password
Synopsis
/etc/dialups
/etc/d_passwd
Description
You may create these files to prompt for a secondary security
access password when users log into the system. This feature is
useful, for example, for extra security on non-hardwired terminal
lines, such as dialup lines. You use these files to select which
tty lines will prompt for the password, and to specify the
secondary password for each type of service (e.g. /usr/bin/sh).
/etc/dialups
This file contains a list of tty names, one per line. Users
logging into the system on these lines will be prompted for a
secondary password. Users logging into the system on lines not
listed in this file will not be prompted for a secondary password.
For example, a typical file might look like:
/dev/tty00
/dev/tty00h
/dev/tty00s
/dev/tty01
/dev/tty01s
/dev/tty01h
/etc/d_passwd
This file contains a list of entries, one per line. Each entry
contains the name of an executable, followed by a colon, the
encrypted password, and another colon. The executables listed
should include the typical services used over the passworded
lines, such as user login shells (e.g., /usr/bin/sh, /sbin/sh,
/usr/bin/ksh), or UUCP (e.g. /usr/lib/uucp/uucico).
When a login attempt is made over a passworded line,
/etc/d_passwd is checked for an entry matching the
executable used as a login shell for the attempt. If the
executable is listed, the system prompts for the associated
secondary password. If an entry exists, but the password field is
empty, no prompting will occur. If an entry does not exist, the
password for /usr/bin/sh is used instead, assuming an entry
for /usr/bin/sh exists.
For example, a typical file might look like:
/usr/bin/sh:DFg6HWq28Ut0w:
/usr/lib/uucp/uucico::
/sbin/sh:QXg3Fv83LbOO1x:
In this case, users logging in using either /usr/bin/sh or
/usr/sbin/sh as their login shell will be prompted for a
secondary password.
Other systems logging in using UUCP for file transfer will not be
prompted for a secondary password. All other logins, using a
login shell that is not listed, will be prompted for the same
secondary password as for /usr/bin/sh.
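The lookup rules described above, modelled in Python as an added example (not SCO's login code and not part of the original page). The function names are hypothetical, the sample data is copied from this page's example files, and two behaviours the page does not define are assumptions: the first of any duplicate entries wins, and an unlisted shell with no /usr/bin/sh entry yields no prompt.

```python
# Added example, not SCO code: models the /etc/dialups and /etc/d_passwd lookup.
FALLBACK_SHELL = "/usr/bin/sh"

# Sample file contents copied from the examples on this page.
DIALUPS_TEXT = "/dev/tty00\n/dev/tty00h\n/dev/tty00s\n/dev/tty01\n/dev/tty01s\n/dev/tty01h\n"
D_PASSWD_TEXT = """/usr/bin/sh:DFg6HWq28Ut0w:
/usr/lib/uucp/uucico::
/sbin/sh:QXg3Fv83LbOO1x:
"""

def parse_dialups(text):
    """Return the set of tty names, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def parse_d_passwd(text):
    """Map executable -> encrypted password from 'executable:password:' lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3 or not fields[0] or fields[2]:
            raise ValueError(f"line {lineno}: expected 'executable:password:'")
        # Assumption: if an executable is listed twice, the first entry wins.
        entries.setdefault(fields[0], fields[1])
    return entries

def secondary_password(tty, shell, dialups, d_passwd):
    """Return the encrypted password login would check, or None for no prompt."""
    if tty not in dialups:
        return None                      # line is not passworded
    if shell in d_passwd:
        return d_passwd[shell] or None   # empty password field: no prompt
    # Unlisted shell: the /usr/bin/sh entry applies. Assumption: with no such
    # entry there is nothing to check, so this model returns None.
    return d_passwd.get(FALLBACK_SHELL) or None

def unprompted(d_passwd):
    """Executables whose empty password field disables the prompt."""
    return sorted(exe for exe, pw in d_passwd.items() if not pw)

if __name__ == "__main__":
    ttys, table = parse_dialups(DIALUPS_TEXT), parse_d_passwd(D_PASSWD_TEXT)
    for shell in ("/usr/bin/sh", "/usr/lib/uucp/uucico", "/usr/bin/ksh"):
        print(shell, "->", secondary_password("/dev/tty00", shell, ttys, table))
    print("no prompt for:", unprompted(table))
```

Running unprompted() over a parsed /etc/d_passwd lists every service that bypasses the secondary password on a passworded line, which is the set worth reviewing first.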
Creating secondary passwords
You can use makekey(1) to construct an encrypted password.
This command is included as part of the Encryption Utilities.
You need to provide a password string of eight characters,
concatenated with two more digits or letters to act as a salt for the
encryption process. For example, given a password of abigbear
and a salt of ZZ, you would enter the following:
echo abigbearZZ | /usr/lib/makekey; echo
The system would respond with the encrypted password string,
ZZPy2BRoodXhc. You place this string in the password field
of the /etc/d_passwd entry for the shell you wish to have
abigbear as the secondary password.
Files
/etc/passwd-
/etc/shadow-
References
login(1),
makekey(1),
passwd(4),
useradd(1M),
usermod(1M)
Notices
The files /etc/dialups and /etc/d_passwd initially do not exist on
your system. You must create and populate them. Take care to
protect them so unauthorized users cannot alter or delete them.
Each file should be owned by user root and group sys, with write
permission for the file owner only.
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004