Subject: Re: Login classes
To: None <alaric@alaric-williams.com>
From: Peter Seebach <seebs@plethora.net>
List: tech-misc
Date: 06/14/2000 12:41:15
In message <Pine.NEB.4.10.10006141712230.3080-100000@love.warhead.org.uk>, alaric@alaric-williams.com writes:
>On Wed, 14 Jun 2000, Peter Seebach wrote:
>> I'd love to see the BSD Authentication code fully functional, and I don't
>> think that's happened yet.

>I'm something of a security freak. Which authentication code are you
>referring to? crypt() works fine for me :-)

BSD Authentication is the BSD/OS authentication system.  Basically, it's
a login.conf extension that lets you specify authentication methods per
login class.  You then have programs with names like
"/usr/libexec/login_passwd" which handle authentication.  "login_passwd"
is the "traditional" Unix password scheme.  There's also "login_krb_or_pwd",
which tries to do either Kerberos or regular passwords.  So, on my NetBSD
box, if I have Kerberos running, I do
	$ su
	Kerberos Password: [must type kerberos password here, or...]
	Password:

On BSD/OS, I get:
	$ su
	Password: [either password works]
by default.

The authentication scripts are all documented in the code that BSDI released,
but the actual code for them hasn't been given out.

BSD Authentication has been accused of being "like PAM", but I think it's
better.  It has the substantial win that you can, *if you want*, make an
authentication program setuid, so that non-setuid programs can check an
authentication that would require setuid privs.  This allows you to isolate
the setuid code.  You don't have to do this, of course, but you're allowed,
and that's a feature.  It's also nice in that you can write scripts like
	#!/bin/sh
	# Hand off to the "passwd" style only between 09:00 and 16:59; at any
	# other hour write "reject" on the BSD Auth back-channel (fd 3).
	# The caller's arguments (user, class, options) are passed through.
	case `date +%H` in
	09|1[0-6])	exec /usr/libexec/login_passwd "$@";;
	*)		echo >&3 "reject"
			exit 1
			;;
	esac
and *poof*, you have a script that allows logins only during business hours.
You save that script as /usr/libexec/login_business, and then you can create
a login class "ninetofive" like:
	ninetofive:\
		:tc=default:\
		:auth=business:

If you wanted them to be able to ftp in at all hours, but only log in normally
from nine to five, you might write
		:auth=business:auth-ftp=passwd:

I may have gotten the exact details wrong, but I believe I forwarded a copy
of the relevant docs to someone a while back.  Most of the code involved is
available and redistributable, but the actual login_foo programs aren't,
and I think /usr/bin/login and /usr/bin/su aren't either.

-s
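As an added example (not from the posting, and not BSD/OS code), a small shell harness that plays the caller's role: it runs a login_<style> script with fd 3 as the back-channel, the way login(1)/su(1) do, and grants access only on an explicit "authorize" line there, never on exit status alone. The temp-dir paths, the FAKE_HOUR override and the always-authorizing login_passwd stand-in are assumptions for the demo.

```shell
#!/bin/sh
# Constructed demo of the caller side of BSD Authentication.  A real
# login(1)/su(1) forks login_<style> with fd 3 open as a back-channel and
# acts on what the program writes there ("authorize" or "reject").
set -e
TMP=$(mktemp -d)          # hypothetical stand-in for /usr/libexec
trap 'rm -rf "$TMP"' EXIT

# Stand-in for login_passwd: the real one checks the password; this one
# just writes "authorize" on fd 3 so the hour gate is what gets exercised.
cat > "$TMP/login_passwd" <<'EOF'
#!/bin/sh
echo >&3 "authorize"
exit 0
EOF

# Business-hours gate as in the posting, except the hour can be forced via
# $FAKE_HOUR (assumption for a deterministic demo) and the inner style is
# looked up beside this script instead of in /usr/libexec.
cat > "$TMP/login_business" <<'EOF'
#!/bin/sh
case "${FAKE_HOUR:-$(date +%H)}" in
09|1[0-6])	exec "$(dirname "$0")/login_passwd" "$@";;
*)		echo >&3 "reject"; exit 1;;
esac
EOF
chmod +x "$TMP/login_passwd" "$TMP/login_business"

# run_auth STYLE USER HOUR: run login_STYLE for USER with fd 3 captured,
# print the verdict, return 0 only when the back-channel said "authorize".
run_auth() {
	verdict=$(FAKE_HOUR="$3" "$TMP/login_$1" "$2" 3>&1 1>/dev/null 2>&1 || true)
	case "$verdict" in
	authorize*)	echo "authorize"; return 0;;
	*)		echo "reject"; return 1;;
	esac
}

run_auth business alice 10   # authorize (within 09-16)
run_auth business alice 22 || true   # reject (outside business hours)
```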