UUCP on A/UX

Thad P Floryan thad at cup.portal.com
Wed Oct 31 19:02:38 AEST 1990


rmtodd at servalan.uucp (Richard Todd) in <1990Oct31.023133.10127 at servalan.uucp>
writes:

	That'd be a really neat trick, since A/UX UUCP doesn't *have* a
	Permissions file ...

	That said, I'd definitely suspect some problem with the permissions
	setup and config file somewhere.  Make sure that the L.sys file is
	readable by UUCP (and no one else) and has the proper system name in
	it and that the USERFILE looks reasonable ...
 
	>An excellent reference for managing UUCP is found in "Managing uucp and
	>Usenet" (O'Reilly, T, and Todino, G.; 1990 O'Reilly and Associates).

	Agreed.  Don't even think of administering a UUCP setup without a copy
	of this book.

True.  I don't want to sound smug, but it really took all of about 2 minutes
to set up A/UX UUCP's config files.  As a starter (assuming you've all the
system entries in L.sys (and/or Systems)), your /usr/lib/uucp/USERFILE should
look something like:

, /
uucp, /
nuucp, /
root, /

From that point, you can (using the info in the O'Reilly book) proceed to
establish more stringent security if desired.  I've uucp'd to/from A/UX
using both V2 and HDB uucp without any problems.

Hmmm, someone references a 1990 edition of the O'Reilly book.  The older
edition(s) lack a LOT of setup for HDB (e.g. multiple Systems files and
other services, use of CLOCAL, etc.) but that doesn't affect UUCP operation
under A/UX.

If you're really security conscious, you can also enable dialup password
protection (yeah, it works in A/UX 2.0) using a management program that was
posted to Usenet a year or so ago.  AT&T flatly refuses to document this
feature and, at the SVR4 developers' conference, indicated again their refusal
to "officially" support the feature even though it's been in /bin/login for a
l-o-n-g while (do a "strings" on it to see the hints and clues :-).

Surprising (to me), I only had to recompile the program on A/UX and everything
worked right off.  To give you an idea of what I mean, following is an excerpt
from dpasswd's README; the program itself is available (source, natch!) at
osu-cis (aka cheops.cis.ohio-state.edu, IP 128.146.8.62) and I've tested it
with SVR2, SVR3.* and SVR4.  The program is by Lenny Tropiano and was initially
on the 3B1/UNIXPC (for those wondering why the tty line numbers are so high
(up to 255 supported) and what /dev/ph0 and /dev/ph1 are (built-in phone lines
for the built-in modem)):

``
For those who are unsure what I'm talking about, here's a brief explanation.
/bin/login will look in a file called /etc/dialups for tty devices that
are to be declared as "dialups".  The format of the file is /dev/tty names
terminated by newline.   If the login tty is found in /etc/dialups, it will
then go to /etc/d_passwd, and look for your "login-default shell" in there.
The format of this file is:

	login_default_shell_path:encrypted_passwd:

If your shell is there, it will then prompt you for "Dialup Password:" after
you enter your initial password correctly.  If you enter the dialup password
incorrectly, you will be denied login.
 
What you can do with this, is allow everything but /bin/sh, and /bin/ksh to
get in without a secondary password.  (This will prevent having to give
people with uucp logins another password -- you can give them one, if you
so desire with login shell /usr/lib/uucp/uucico).

Sample files are as follows:

/etc/dialups:
-------------
/dev/tty000
/dev/ph1

/etc/d_passwd:
--------------
/bin/sh:xeH0weIpa941Q:
/bin/ksh:UeH0wlIpW0gyQ:

Usage:  dpasswd [-v] [-d] -p program -t terminal

-v		turn verbose on
-d		delete restriction
-p program	add (or delete) restriction for program (use full pathname)
-t terminal	add (or delete) restriction for terminal (don't use "/dev/")

eg.

# dpasswd -t tty001 -p /bin/sh
# dpasswd -t /dev/ph1
# dpasswd -p /bin/ksh

# dpasswd -v -t tty001
dpasswd: Dialup terminal restriction added for /dev/tty001.

# dpasswd -v -t tty001
dpasswd: Terminal /dev/tty001 already found in /etc/dialups.

# dpasswd -v -t ph1 -p /bin/ksh
New Dialup Password:
Retype Dialup Password:
dpasswd: Dialup terminal restriction added for /dev/ph1.
dpasswd: Dialup program restriction added for /bin/ksh.

# dpasswd -v -d -t ph1 -p /bin/ksh
dpasswd: Dialup terminal restriction removed for /dev/ph1.
dpasswd: Dialup program restriction removed for /bin/ksh.

Appropriate diagnostics will be given for all cases (hopefully).

''


Thad Floryan [ thad at cup.portal.com (OR) ..!sun!portal!cup.portal.com!thad ]
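
Added example (not part of the original post, and not dpasswd's own code): a small audit script that models the /etc/dialups and /etc/d_passwd check as the README excerpt describes it, and lists accounts whose login shell has no d_passwd entry and so would never see the "Dialup Password:" prompt. The function names, the sample accounts and the placeholder hashes are constructed for illustration, and treating an empty login shell as /bin/sh is an assumption.

```sh
#!/bin/sh
# Added example: models the /etc/dialups + /etc/d_passwd check as the README describes it.

# is_dialup TTY DIALUPS_FILE: succeeds if TTY is listed (one /dev name per line).
is_dialup() { grep -Fxq -- "$1" "$2"; }

# shell_is_gated SHELL D_PASSWD_FILE: succeeds if SHELL has a "shell:hash:" entry.
shell_is_gated() {
    awk -F: -v s="$1" '$1 == s { found = 1 } END { exit !found }' "$2"
}

# needs_dialup_password TTY SHELL DIALUPS_FILE D_PASSWD_FILE: prints yes or no.
# Assumption: an empty login shell is looked up as /bin/sh.
needs_dialup_password() {
    login_shell=${2:-/bin/sh}
    if is_dialup "$1" "$3" && shell_is_gated "$login_shell" "$4"; then
        echo yes
    else
        echo no
    fi
}

# ungated_logins PASSWD_FILE D_PASSWD_FILE: prints "login shell" for every
# account whose shell has no d_passwd entry, i.e. no second password on dialups.
ungated_logins() {
    awk -F: 'FILENAME == ARGV[1] { gated[$1] = 1; next }
             { sh = ($7 == "" ? "/bin/sh" : $7)
               if (!(sh in gated)) print $1, sh }' "$2" "$1"
}

# Constructed sample files (hashes are placeholders, accounts are made up).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' /dev/tty000 /dev/ph1 > "$demo/dialups"
printf '%s\n' '/bin/sh:PLACEHOLDERHASH1:' '/bin/ksh:PLACEHOLDERHASH2:' > "$demo/d_passwd"
cat > "$demo/passwd" <<'EOF'
alice:x:101:100::/home/alice:/bin/ksh
nuucp:x:6:5::/usr/spool/uucppublic:/usr/lib/uucp/uucico
bob:x:102:100::/home/bob:/bin/csh
carol:x:103:100::/home/carol:
EOF

needs_dialup_password /dev/ph1 /bin/ksh "$demo/dialups" "$demo/d_passwd"
ungated_logins "$demo/passwd" "$demo/d_passwd"
```

On a real system, pass /etc/passwd, /etc/dialups and /etc/d_passwd instead of the sample files; any interactive shell that shows up in the ungated list (here /bin/csh) is one the second password does not cover.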
