This is the README for Password_Check.1.0.NIHS.bs.tar.gz
[ 31 Jul 1997: compile quad-fat by TjL <luomat+next@luomat.peak.org> ]

The ability to boot a UNIX system in single-user mode is a security concern, since single-user mode provides a root shell without requiring a password. A solution is to force a password to be supplied by the user before /bin/sh starts in single-user mode. This can be accomplished by running a password checking program in the shell's startup file for root, /.profile.

This directory contains a sample password checking program called pw_check, and a sample /.profile that runs the pw_check program to ask for a root password. The program allows 3 attempts, then halts the processor if the correct password isn't entered.

NOTE: NetInfo is not running in UNIX single-user mode, so the password must be set in /etc/passwd.

This directory also contains a makefile for the "make" utility that will automatically install the pw_check program and the /.profile, and will protect your /etc/rc.boot file so that the startup sequence cannot be interrupted from the keyboard.

To install the pw_check program and the /.profile file, update your rc.boot file, and place your local NetInfo domain's root password in the /etc/passwd file automatically, start a root UNIX shell, change to this directory, and type "make". I.e.:

    # cd <<this directory>>
    # make

If installed automatically with "make", a backup copy of /etc/passwd will be placed in /etc/passwd.orig, a backup copy of /etc/rc.boot will be placed in /etc/rc.boot.orig, and a backup copy of /.profile will be placed in /.profile.orig.

To install these changes manually, follow these steps:

Compile the pw_check program with the command:

    cc -o pw_check pw_check.c

Edit /.profile, and insert the following line as close as possible to the beginning of the file. If you want correct tty setup, place this line just after the line

    stty erase "^?" intr "^C" kill "^U" -decctlq

The line to insert is:

    <<name of directory>>/pw_check root

You may use another user account instead of root. "root" is assumed if no user name is given on the command line.

Edit your /etc/rc.boot file, and add the following as the second line:

    trap "" 2 3

This will prevent the rc.boot file from being interrupted during startup, which would circumvent the shell running /.profile.

Finally, you must set the password for the user root (or whichever user account you gave as an option to pw_check). You can use nidump to generate an /etc/passwd format file from NetInfo and replace the appropriate line in your /etc/passwd file.

Disclaimer: This system has been tested for security holes, and appears to resist concerted efforts to defeat it. However, NeXT Computer Inc. disclaims any warranty of any kind, expressed or implied, as to its fitness for any particular use.

Comments, questions, or problem reports may be sent to the author:

    Marc Majka <majka@next.com>
    NeXT Computer Inc.
    900 Chesapeake Drive
    Redwood City CA 94063
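A post-install check for the manual steps above, as an added example that is not part of the Password_Check package: it verifies the /.profile, rc.boot and /etc/passwd conditions this README describes. The function names, the constructed sample files in demo, and the rule that an empty or "*" password field counts as unset are assumptions.

```shell
#!/bin/sh
# Added example: audit the README's three manual install steps.
# Function names are hypothetical. Paths default to the ones the README names
# and can be overridden so the checks can run against copies.

# /.profile: the first command, ignoring comments and the stty setup line,
# must run pw_check.
check_profile() {
    awk 'NF == 0 || $1 ~ /^#/ || $1 == "stty" { next }
         { n = split($1, p, "/"); ok = (p[n] == "pw_check"); exit }
         END { exit !ok }' "${1:-/.profile}"
}

# /etc/rc.boot: the second line must be exactly: trap "" 2 3
check_rc_boot() {
    line2=$(sed -n '2p' "${1:-/etc/rc.boot}" | sed 's/[[:space:]]*$//')
    [ "$line2" = 'trap "" 2 3' ]
}

# /etc/passwd: the account pw_check asks for needs a password field there,
# because NetInfo is not running in single-user mode. Assumption: an empty
# field or "*" counts as "not set".
check_passwd() {
    awk -F: -v u="${2:-root}" '$1 == u { ok = ($2 != "" && $2 != "*"); exit }
         END { exit !ok }' "${1:-/etc/passwd}"
}

# Run all three checks and report each failure; returns 0 only if all pass.
audit() {
    rc=0
    check_profile "$1" || { echo "profile: pw_check is not the first command" >&2; rc=1; }
    check_rc_boot "$2" || { echo "rc.boot: line 2 is not: trap \"\" 2 3" >&2; rc=1; }
    check_passwd "$3" "$4" || { echo "passwd: no password set for ${4:-root}" >&2; rc=1; }
    return $rc
}

# Constructed sample files (not from the package) showing a passing layout.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'stty erase "^?" intr "^C" kill "^U" -decctlq' \
        '/usr/local/etc/pw_check root' 'PATH=/bin:/usr/bin' > "$d/profile"
    printf '%s\n' '#!/bin/sh' 'trap "" 2 3' 'echo booting' > "$d/rc.boot"
    printf '%s\n' 'root:PLACEHOLDERHASH:0:1:Operator:/:/bin/csh' > "$d/passwd"
    audit "$d/profile" "$d/rc.boot" "$d/passwd" root; rc=$?
    rm -rf "$d"
    return $rc
}
```

On an installed system, run `audit` with no arguments as root to check the real files; `demo` exercises the same checks against throwaway copies.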
These are the contents of the former NiCE NeXT User Group NeXTSTEP/OpenStep software archive, currently hosted by Netfuture.ch.