Date:      Sun, 14 Jul 1996 09:49:38 -0700
From:      Sean Eric Fagan <sef@kithrup.com>
To:        nate@mt.sri.com
Cc:        hackers@freebsd.org
Subject:   Re: "login classes"
Message-ID:  <199607141649.JAA11161@kithrup.com>

>Do you have a better description of them other than 'allowing you to use
>separate authentication'?  It seems I've heard lots of folks 'wish' for them
>in different contexts, so I'm not exactly sure *what* they do at any
>level, other than they can do many things. :)

Sure.

At the basest, it is not a whole lot more than "allowing you to use separate
authentication."

The passwd file has a currently-unused field, "class".  Let's say that I had

sef:encryptedpasswd:12:10:staff:0:0:Sean Eric Fagan,,,:/var/users/sef:/bin/tcsh
nate:foobar:12:10:guest:0:0:Nate Williams,,,:/var/users/nate:/bin/tcsh

in my master.passwd file.  (Incidentally, CSRG should have allowed the class
field to be in the passwd file, not just the master.passwd file.)

Now, further, let's say that in /etc/login.conf, I had:

guest:\
	:auth=passwd,skey,kerberos:\
	:auth-skey=skey:\
	:cputime=1h3m2s:\
	:coredumpsize=1024:\
	:auth-passwd=passwd,skey:\
	:path=/bin /usr/bin ~/bin

staff:\
	:auth=passwd,skey:\
	:cputime=infinity:\
	:coredumpsize=infinity:\
	:path=/bin /sbin /usr/bin /usr/sbin ~/bin

When either of us logged in, we would have certain limits set according to
those two descriptions above:  you would have only 1h3m2s of CPU time, and
could only dump a 1k core file; I, however, could use as much CPU time as I
wanted, and dump core files as large as my disk space.

Note also the "auth=" lines.  Those are different authentication styles.
These can be specified to login by adding a :<style> to the user name when
you log in, or each tty can have a preferred style as well.  Also, in BSD/OS,
things like ftp use an "ftp" style of authentication, which may be different
than normal logins.

The styles are used by having a login-type program (e.g., login, ftpd,
rexecd, whatever) do:

	/* the argument list must end in a null pointer, not a plain 0 */
	execl("/usr/libexec/auth_<style>", "<style>", "<name>", "<class>", (char *)NULL);

There is a documented interface for this -- the auth program writes on file
descriptor 3, and says things like, "rejected" or "authorized" or similar
things.

The whole concept is useful for adding alternate ways for people to log in,
without modifying any of the utilities, as well as easily putting limits on
certain accounts.

Sean.
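The caller side of the exchange described in the message, as an added example that is not from the message or from any BSD implementation. It keeps the argv convention of the execl line and reads the helper's verdict on file descriptor 3; the keywords "authorize" and "reject", and the fail-closed rule that silence, a stray word, or a non-zero exit status is a denial, are assumptions here, as are the helper names `run_auth_program`, `check_login` and `demo_with_fake_helper`.

```python
"""Caller side of the auth_<style> convention from the message: exec
/usr/libexec/auth_<style> with argv (<style>, <name>, <class>) and read
the verdict on fd 3.  The "authorize"/"reject" keywords and the fail-closed
rule (silence or a non-zero exit is a denial) are assumptions, not from it."""
import os

def parse_verdict(text: str) -> bool:
    """Allow only if an 'authorize' line appears and no 'reject' line does."""
    allowed = False
    for line in text.splitlines():
        word = line.split()[:1]          # first word of the line, if any
        if word == ["reject"]:
            return False                 # an explicit reject always wins
        allowed = allowed or word == ["authorize"]
    return allowed

def run_auth_program(prog: str, argv: list) -> bool:
    """fork, wire fd 3 to a pipe, exec `prog` with `argv`, read the verdict."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                         # child: only fd 3 is handed to the helper
        os.close(rfd)
        os.dup2(wfd, 3)                  # dup2 clears close-on-exec on fd 3
        if wfd != 3:
            os.close(wfd)
        try:
            os.execv(prog, argv)
        finally:
            os._exit(127)                # only reached if the exec itself failed
    os.close(wfd)
    chunks = []
    while data := os.read(rfd, 4096):    # EOF once the helper closes fd 3 or exits
        chunks.append(data)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    clean_exit = os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
    return clean_exit and parse_verdict(b"".join(chunks).decode("ascii", "replace"))

def check_login(style: str, name: str, cls: str, libexec: str = "/usr/libexec") -> bool:
    """What login or ftpd would do: auth_<style> <style> <name> <class> (assumed layout)."""
    return run_auth_program(os.path.join(libexec, "auth_" + style), [style, name, cls])

def demo_with_fake_helper(script_body: str) -> bool:
    """Drive the caller with a constructed stand-in helper (/bin/sh), not a real one.
    The positional parameters $0 $1 $2 play the roles of <style> <name> <class>."""
    return run_auth_program("/bin/sh", ["sh", "-c", script_body, "fake", "nate", "guest"])

if __name__ == "__main__":
    print(demo_with_fake_helper("echo authorize >&3"))   # True: verdict came on fd 3
    print(demo_with_fake_helper("echo authorize"))       # False: stdout is not fd 3
```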

