d_passwd(4)

d_passwd, dialups -- secondary security access password

Synopsis

   /etc/dialups
   /etc/d_passwd

Description

You may create these files to prompt for a secondary security access password when users log into the system. This feature is useful, for example, for extra security on non-hardwired terminal lines, such as dialup lines. You use these files to select which tty lines will prompt for the password. You also specify the specific secondary passwords for each type of service (e.g. /usr/bin/sh).

/etc/dialups

This file contains a list of tty names, one per line. Users logging into the system on these lines will be prompted for a secondary password. Users logging into the system on lines not listed in this file will not be prompted for a secondary password. For example, a typical file might look like:

   /dev/tty00
   /dev/tty00h
   /dev/tty00s
   /dev/tty01
   /dev/tty01s
   /dev/tty01h

/etc/d_passwd

This file contains a list of entries, one per line. Each entry contains the name of an executable, followed by a colon, the encrypted password, and another colon. The executables listed should include the typical services used over the passworded lines, such as user login shells (e.g., /usr/bin/sh,/sbin/sh, /usr/bin/ksh), or UUCP (e.g. /usr/lib/uucp/uucico).

When a login attempt is made over a passworded line, /etc/d_passwd is checked for an entry matching the executable used as a login shell for the attempt. If the executable is listed, the system prompts for the associated secondary password. If an entry exists, but the password field is empty, no prompting will occur. If an entry does not exist, the password for /usr/bin/sh is used instead, assuming an entry for /usr/bin/sh exists.

For example, a typical file might look like:

   /usr/bin/sh:DFg6HWq28Ut0w:
   /usr/lib/uucp/uucico::
   /sbin/sh:QXg3Fv83LbOO1x:

In this case, users logging in using either /usr/bin/sh or /usr/sbin/sh as their login shell will be prompted for a secondary password. Other systems logging in using UUCP for file transfer will not be prompted for a secondary password. All other logins using some other login shell not listed will be prompted for the same secondary password as for /usr/bin/sh.

Creating secondary passwords

You can use makekey(1) to construct an encrypted password. This command is included as part of the Encryption Utilities. You need to provide a password string of eight characters, concatenated with two more digits or letters to act as a salt for the encryption process. For example, given a password of abigbear and a salt of ZZ, you would enter the following:

   echo abigbearZZ | /usr/lib/makekey; echo

The system would respond with the encrypted password string, ZZPy2BRoodXhc. You place this string in the password field of the /etc/d_passwd entry for the shell you wish to have abigbear as the secondary password.

Files

/etc/passwd
/etc/shadow

References

login(1), makekey(1), passwd(4), useradd(1M), usermod(1M)

Notices

The files /etc/dialups and /etc/d_passwd initially do not exist on your system. You must create and populate them. Take care to protect them so unauthorized users cannot alter or delete them. The file should be owned by user root and group sys, with write permission for the file owner only.