getty, login and a trivia

Matt Goheen matt at srs.uucp
Fri Aug 11 01:57:45 AEST 1989


We have a little fake login program that sits between getty and the
real login program that requires a non-trivial (i.e. not your typical
user) password (things like "jkdKP0qa", "9iwKJcx3", etc.) when you
log in from a dial up line.  This keeps us from having to be password
police unless people want to dial into the system.

The problem is that we would like to set up one account that doesn't
need this "dial up password".  It would be a restricted shell account
for doing some limited tasks.  Currently, our fake login program
simply prompts for a user name (that it doesn't really use, except
to pass on to the real "login") and the dial up password.  It then
execs "/bin/login username" and off you go.  My first attempt at
side stepping this was to not prompt for the dial up password if
the user name given was the one that didn't require a dial up
password.  The problem with that is that once the real login is
called, you can simply enter an invalid password for the no dial
up password user and proceed to attempt to login as whoever you
wish (you still need their password, but you've side stepped the
login password).

Anyone see an EASY fix for this?  It would be nice if login would
just quit if the first password given were incorrect.

While snooping around, I found a couple of interesting things about
login and getty that (at least) I didn't know.  In getty, there is
a string "Amnesiac" -- anyone know what that's for?  In login, there
are a couple of apparently undocumented options, "-h" and "-r".  I
can't seem to get "-h" to do anything, but a "/bin/login -r" does
some strange things (no prompts, and an error message that reads
"remuser too long" after about 8 characters on stdin).

BTW, this is on a Sun running 3.2 (and 3.4), and I have NO UNIX
SOURCE LICENSE..

-- 
- uucp:		{rutgers,ames}!rochester!srs!matt	Matt Goheen 	-
- internet:	matt at srs.uucp OR matt%srs.uucp at harvard.harvard.edu	-
- 	"We had some good machines, but they don't work no more."	-
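The gate logic described in the message above, as an added Python model that is not part of the original post and is not SunOS code. The account names, passwords and the `reprompt` switch are constructed for illustration; `reprompt=False` models the "quit after the first wrong password" behaviour the poster asks about.

```python
# Model of the dial-up gate from the post: a wrapper in front of the real
# login that skips the dial-up password for one exempt account.
# All names and passwords below are constructed sample values.
DIALUP_PASSWORD = "constructed-dialup-pw"
EXEMPT_USER = "restricted"                      # hypothetical exempt account
ACCOUNTS = {"restricted": "r-pw", "alice": "alice-pw"}


def gate(name, dialup_pw):
    """Wrapper decision: may this caller be handed to the real login?"""
    if name == EXEMPT_USER:                     # exemption keyed on the typed name
        return True
    return dialup_pw == DIALUP_PASSWORD


def dialup_session(name, dialup_pw, first_password, retries, reprompt):
    """Return the account that ends up logged in, or None.

    retries  -- (user, password) pairs typed at later login prompts
    reprompt -- True: login asks for a new name after a failure (as described
                in the post); False: login exits after the first failure.
    """
    if not gate(name, dialup_pw):
        return None                             # never reaches the real login
    if ACCOUNTS.get(name) == first_password:
        return name
    if not reprompt:
        return None                             # one-shot login: session ends
    for user, password in retries:              # gate is not consulted again
        if ACCOUNTS.get(user) == password:
            return user
    return None


if __name__ == "__main__":
    # A normal user without the dial-up password is stopped by the gate.
    print(dialup_session("alice", "wrong", "alice-pw", [], True))
    # Naming the exempt account first reaches login's re-prompt, so the
    # dial-up password is never checked for "alice".
    print(dialup_session("restricted", None, "bad", [("alice", "alice-pw")], True))
    # With a one-shot login the same input ends the session instead.
    print(dialup_session("restricted", None, "bad", [("alice", "alice-pw")], False))
```

The model shows that the exemption is safe only if the name checked by the wrapper is the only name the real login will ever accept in that session.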



More information about the Comp.unix.wizards mailing list