d_passwd(4) d_passwd(4)
NAME
d_passwd, dialups - secondary security access password
SYNOPSIS
/etc/dialups
/etc/d_passwd
DESCRIPTION
You may create these files to prompt for a secondary security
access password when users log into the system. This feature
is useful, for example, for extra security on non-hardwired
terminal lines, such as dialup lines. You use these files to
select which tty lines will prompt for the password. You also
use them to set the secondary password for each type of
service (e.g. /usr/bin/sh).
/etc/dialups
This file contains a list of tty names, one per line. Users
logging into the system on these lines will be prompted for a
secondary password. Users logging into the system on lines not
listed in this file will not be prompted for a secondary
password. For example, a typical file might look like:
    /dev/tty00
    /dev/tty00h
    /dev/tty00s
    /dev/tty01
    /dev/tty01s
    /dev/tty01h
/etc/d_passwd
This file contains a list of entries, one per line. Each
entry contains the name of an executable, followed by a colon,
the encrypted password, and another colon. The executables
listed should include the typical services used over the
passworded lines, such as user login shells (e.g.
/usr/bin/sh, /sbin/sh, /usr/bin/ksh), or UUCP (e.g.
/usr/lib/uucp/uucico).
When a login attempt is made over a passworded line,
/etc/d_passwd is checked for an entry matching the executable
used as a login shell for the attempt. If the executable is
listed, the system prompts for the associated secondary
password. If an entry exists, but the password field is empty,
no prompting will occur. If an entry does not exist, the
password for /usr/bin/sh is used instead, assuming an entry
for /usr/bin/sh exists.
For example, a typical file might look like:
    /usr/bin/sh:DFg6HWq28Ut0w:
    /usr/lib/uucp/uucico::
    /sbin/sh:QXg3Fv83LbOO1x:
In this case, users logging in using either /usr/bin/sh or
/sbin/sh as their login shell will be prompted for a
secondary password. Other systems logging in using UUCP for
file transfer will not be prompted for a secondary password.
Logins using any other login shell that is not listed will
be prompted for the same secondary password as for
/usr/bin/sh.
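The lookup described above, modelled as an added Python example (not part of the original manual page and not the login implementation). The function names are hypothetical, the sample contents are constructed from the examples on this page, and the treatment of an empty /usr/bin/sh fallback entry is an assumption.

```python
FALLBACK = "/usr/bin/sh"

# Constructed sample contents, modelled on the example files shown on this page.
DIALUPS = "/dev/tty00\n/dev/tty00h\n/dev/tty01\n"
D_PASSWD = ("/usr/bin/sh:DFg6HWq28Ut0w:\n"
            "/usr/lib/uucp/uucico::\n"
            "/sbin/sh:QXg3Fv83LbOO1x:\n")


def parse_dialups(text):
    """tty names, one per line; blank lines are skipped."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def parse_d_passwd(text):
    """Return ({executable: encrypted_password}, [numbers of malformed lines])."""
    entries, bad = {}, []
    for num, ln in enumerate(text.splitlines(), 1):
        if not ln.strip():
            continue
        fields = ln.strip().split(":")
        # Documented layout: executable, colon, encrypted password, colon.
        if len(fields) != 3 or not fields[0] or fields[2]:
            bad.append(num)
        else:
            entries[fields[0]] = fields[1]
    return entries, bad


def decide(tty, shell, dialups, entries):
    """Return (decision, entry_used) for one login attempt.

    decision is "no-prompt", "prompt" or "unspecified".
    """
    if tty not in dialups:
        return "no-prompt", None            # line is not a passworded line
    used = shell if shell in entries else FALLBACK
    if used not in entries:
        # No entry for the shell and none for /usr/bin/sh: the page does not
        # say what login does, so the model refuses to guess.
        return "unspecified", None
    # Empty field means no prompting. Applying that to the /usr/bin/sh
    # fallback as well is an assumption of this model.
    return ("prompt" if entries[used] else "no-prompt"), used


def unprotected(entries):
    """Executables whose entry disables the secondary prompt (empty field)."""
    return sorted(exe for exe, pw in entries.items() if not pw)
```

Running unprotected() over a parsed /etc/d_passwd lists every service that bypasses the secondary prompt on a passworded line, which is the set worth reviewing first.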
Creating Secondary Passwords
You can use makekey(1) to construct an encrypted password.
This command is included as part of the Encryption Utilities.
You need to provide a password string of eight characters,
concatenated with two more digits or letters to act as a salt
for the encryption process. For example, given a password of
abigbear and a salt of ZZ, you would enter the following:
    echo abigbearZZ | /usr/lib/makekey; echo
The system would respond with the encrypted password string,
ZZPy2BRoodXhc. You place this string in the password field of
the /etc/d_passwd entry for the shell you wish to have
abigbear as the secondary password.
Files
/etc/passwd
/etc/shadow
NOTICES
The files /etc/dialups and /etc/d_passwd initially do not
exist on your system. You must create and populate them. Take
care to protect them so unauthorized users cannot alter or
delete them. The files should be owned by user root and group
sys, with write permission for the file owner only.
REFERENCES
login(1), makekey(1), passwd(4), useradd(1M), usermod(1M)
Copyright 1994 Novell, Inc.