callback security

Gert Doering (gert@greenie.muc.de)
Wed, 30 Jun 1999 21:22:23 +0200


hi,

On Wed, Jun 30, 1999 at 01:33:27PM +0200, Peter Lindstrøm wrote:
> it works fine except the line
> callback        N       -       -       /bin/login @
> should be changed to
> callback        N       -       -       /usr/local/sbin/callback -S 1234567890

Uh, yes.  Interesting, this.  Ah, I think the trick is that he had
a user "callback" on his system, that required a password, and then the
actual callback command was set as user shell.  Or something like this.

Thanks for pointing this out, I'll clarify this in my docs.

gert


> 
> Peter Lindstrøm
> pel@kruger.dk
> 
> Gert Doering wrote:
> > 
> > Hi,
> > 
> > On Tue, Jun 29, 1999 at 04:13:31PM +0200, Peter Lindstrøm wrote:
> > > I am using RedHat 5.2 with mgetty: experimental test release
> > > 1.1.14-Apr02.
> > >
> > > My problem is that I would like to only let user login using callback.
> > > eg no direct logins.
> > >
> > > my login.config contains
> > > xxxx-cb -       @       /usr/sbin/callback -S 1234567890
> > > *       -       -       /bin/false
> > 
> > Use 1.1.20, "version 2" login.config files, and follow the instructions in
> > the following mailing list article...
> > 
> > gert
> > ----------- snip ----------
> > From gert@greenie.muc.de Mon Feb 22 08:35:40 1999
> > Message-ID: <19990222083540.G1089@greenie.muc.de>
> > Date: Mon, 22 Feb 1999 08:35:40 +0100
> > From: Gert Doering <gert@greenie.muc.de>
> > To: Pang Wai Man Raymond <wmpang@se.cuhk.edu.hk>, mgetty@muc.de
> > Subject: Re: Restrict login through callback, not dial-in by mgetty?
> > References: <19990222105324.56820@se.cuhk.edu.hk>
> > X-mgetty-docs: http://alpha.greenie.net/mgetty/
> > 
> > Hi,
> > 
> > On Mon, Feb 22, 1999 at 10:53:24AM +0800, Pang Wai Man Raymond wrote:
> > > Requirement
> > > ===========
> > > Without using the dialback modem,
> > > 1. a dummy account with password, can initiate the callback
> > > 2. users can only login through callback, but not dial-in.
> > >
> > > I can implement step 1 but not 2. Does anybody have an alternative?
> > 
> > Set up login.config like this:
> > 
> > ------- login.config sample, file version 2 ----------
> > # login.config
> > #
> > # use version-2 format
> > !version 2
> > #
> > #
> > # this is the dummy user name, it's allowed to login only if this
> > # is not already an ongoing callback
> > callback        N       -       -       /bin/login @
> > #
> > # these are the real users: only allowed if it's a callback ("Y")
> > *               Y       -       -       /bin/login @
> > #
> > # if some other user name was entered, and it's not a callback,
> > # throw them out
> > *               -       -       -       /bin/false
> > ------- login.config sample, file version 2 ----------
> > 
> > I admit that the "version 2" stuff isn't documented anywhere yet (except
> > the source) and it hasn't been fully tested either.  So please get mgetty
> > 1.1.20, test it, and report back to us :)
> > 
> > gert
> > --
> > USENET is *not* the non-clickable part of WWW!
> >                                                            //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                             gert@greenie.muc.de
> > fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
> > 
> > -
> > Posted automagically by a mail2news gateway at muc.de e.V.
> > Please direct questions, flames, donations, etc. to admin@newsgate.muc.de

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
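
Added example, not part of the original message and not mgetty's own code: a small Python model of the version-2 rules quoted above, using Peter's corrected first line. It assumes first-match-wins evaluation and the Y/N/- callback-flag meanings given in the sample's comments; the function names and the user "alice" are made up for illustration.

```python
"""Model of the version-2 login.config policy from the thread (added example)."""

# Constructed from the sample in the message, with Peter's corrected first rule.
SAMPLE = """\
!version 2
# dummy user: only when this is not already a callback
callback        N       -       -       /usr/local/sbin/callback -S 1234567890
# real users: only on a callback
*               Y       -       -       /bin/login @
# everything else is thrown out
*               -       -       -       /bin/false
"""

def parse(text):
    """Return (user, cb_flag, program) rules; skips comments and '!' directives."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        user, cb_flag, _uid, _utmp, program = line.split(None, 4)
        if cb_flag not in ("Y", "N", "-"):
            raise ValueError(f"unexpected callback flag: {cb_flag!r}")
        rules.append((user, cb_flag, program))
    return rules

def decide(rules, username, is_callback):
    """First matching rule wins (assumption); no match is treated as a reject."""
    for user, cb_flag, program in rules:
        user_ok = user in ("*", username)
        cb_ok = cb_flag == "-" or (cb_flag == "Y") == is_callback
        if user_ok and cb_ok:
            return program.replace("@", username)  # '@' stands for the login name
    return "/bin/false"

def direct_login_possible(rules, usernames):
    """True if any listed name reaches /bin/login without a callback."""
    return any(decide(rules, u, False).startswith("/bin/login") for u in usernames)

if __name__ == "__main__":
    rules = parse(SAMPLE)
    for name, cb in [("callback", False), ("alice", False), ("alice", True)]:
        print(f"{name:10} callback={cb!s:5} -> {decide(rules, name, cb)}")
```

Running `direct_login_possible` over the account names on a system is a quick way to check a rule set before installing it: any name that reaches /bin/login on a non-callback line bypasses the callback requirement.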