Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!noao!grandi
From: grandi@noao.edu (Steve Grandi)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <1157@noao.UUCP>
Date: 22 Aug 89 18:25:28 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP>
Reply-To: grandi@noao.edu (Steve Grandi)
Organization: National Optical Astronomy Observatories, Tucson AZ
Lines: 147

In article <3942@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>one more idea. Before allowing a shot at a username/password, require a
>network access password. The same thing could be done for dial-up access,
>but this is less of a problem. This password would be picked by the system
>administrator, (theoretically) ensuring that it wasn't an obvious one, like
>lusers tend to pick. This is not a new idea, but seems to be implemented
>only in very security conscious sites; perhaps it should be the default way
>vendors ship their systems. Multiple failures to get the network access
>password right should be logged in the system security log.
>

Here are patches to the 4.3BSD login.c program implementing a site password for dialup and network logins. The feature is activated by putting in a user named "site" in /etc/passwd. Hosts listed in /etc/hosts.equiv are not asked for the site password, nor are UUCP logins. I have also added better logging of network and dialup logins and login attempts.
*** login.c.ORIG Sat Apr 12 16:51:15 1986 --- login.c Mon Jan 9 09:27:08 1989 *************** *** 39,42 **** --- 39,43 ---- #include + #define UUCICO "/usr/lib/uucp/uucico" /* UUCP login shell */ #define TTYGRPNAME "tty" /* name of group to own ttys */ #define TTYGID(gid) tty_gid(gid) /* gid that owns all ttys */ *************** *** 51,54 **** --- 52,56 ---- #define TRUE -1 + char site[] = "site"; char nolog[] = "/etc/nologin"; char qlog[] = ".hushlogin"; *************** *** 218,222 **** --- 220,310 ---- invalid = TRUE; } + /* + * If login is from a dialup or network line then require a + * site password. Make sure it is not an uucp login! + * We will explicitly look for trusted hosts here as well. + */ + { + char *ptr, *pp, *type, spass[100]; + char *index(); + struct passwd *spwd; + FILE *hostf; + int trusted = -1; + char ahost[MAXHOSTNAMELEN+1], rhost[MAXHOSTNAMELEN+1]; + + type = stypeof(tty); + + if (strcmp(type, "network") == 0) + { + hostf = fopen("/etc/hosts.equiv", "r"); + /* get remote host name */ + strcpy(rhost, utmp.ut_host); + if (ptr = index(rhost, '.')) /* truncate name at dot */ + *ptr = '\0'; + if (usererr != -1) + trusted = 1; + else if ((hostf != NULL) && (hflag == 1 || rflag == 1)) + { + /* cycle through hosts in /etc/hosts.equiv */ + while (fgets(ahost, sizeof(ahost), hostf)) + { + if (ptr = index(ahost, '\n')) /* nuke newline */ + *ptr = '\0'; + if (ptr = index(ahost, ' ')) /* only look at first entry */ + *ptr = '\0'; + if (ptr = index(ahost, '.')) /* truncate at dot */ + *ptr = '\0'; + if (strcmp (ahost, rhost) == 0) + { + trusted = 1; + break; + } + } + } + if (hostf != NULL) fclose(hostf); + if (trusted == -1) + syslog(LOG_INFO, "NETWORK %.*s@%.*s", + NMAX,utmp.ut_name, HMAX,utmp.ut_host); + } + + /* + * Lets see if this is a dialup or network line. 
+ */ + if ((strcmp(type, "dialup") == 0 && + strcmp(pwd->pw_shell, UUCICO) != 0) || + (strcmp(type, "network") == 0 && trusted == -1)) + { + /* + * Check to see if an account by the name + * of "site" exists and then if it has + * a password. Then we use the password + * for that account. + */ + setpwent(); + spwd = getpwnam(site); + endpwent(); + if (spwd != NULL && *spwd->pw_passwd != '\0') { + SCPYN(spass, spwd->pw_passwd); + + setpriority(PRIO_PROCESS, 0, -4); + pp = getpass("Site Password:"); + namep = crypt(pp, spass); + setpriority(PRIO_PROCESS, 0, 0); + if (strcmp(namep, spass)) + invalid = TRUE; + } + + /*see bugs in getpwent(3)*/ + strncpy(lusername, utmp.ut_name, NMAX); + lusername[NMAX] = 0; + setpwent(); + if ((pwd = getpwnam(lusername)) == NULL) + pwd = &nouser; + endpwent(); + } + } + + /* * If user not super-user, check for logins disabled. */ *************** *** 366,370 **** namep++; strcat(minusnam, namep); ! if (tty[sizeof("tty")-1] == 'd') syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); if (pwd->pw_uid == 0) --- 454,458 ---- namep++; strcat(minusnam, namep); ! if (tty[sizeof("tty")-1] == 'd' && strcmp(pwd->pw_shell, UUCICO) != 0) syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); if (pwd->pw_uid == 0) -- Steve Grandi, National Optical Astronomy Observatories, Tucson AZ, 602-325-9228 UUCP: {arizona,decvax,ncar}!noao!grandi or uunet!noao.edu!grandi Internet: grandi@noao.edu SPAN/HEPNET: NOAO::GRANDI (NOAO=5355)
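Review bot: in the 39,42 hunk, the UUCP exemption is keyed on an exact string match of pw_shell against the hard-coded path in `#define UUCICO "/usr/lib/uucp/uucico"`, so a UUCP account whose shell is recorded under any other path (or a symlink to uucico) is treated as an ordinary dialup login and prompted for the site password, which an unattended uucico cannot answer. Say so in the comment next to the define, since the exemption silently depends on every UUCP entry in /etc/passwd using exactly that string.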
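Review bot: in the 51,54 hunk, `char site[] = "site";` names a real /etc/passwd entry whose pw_passwd the later code reuses, and nothing in the patch stops someone from logging in as "site" itself once the site password is known. The pseudo-account needs a non-functional shell (and ideally a uid that owns nothing), and the patch should document that requirement alongside the "feature is activated by adding a user named site" instruction.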
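Review bot: in the 218,222 hunk, `strcpy(rhost, utmp.ut_host);` copies ut_host with no bound, yet the same hunk later logs it as `syslog(LOG_INFO, "NETWORK %.*s@%.*s", NMAX,utmp.ut_name, HMAX,utmp.ut_host);`, which treats the field as possibly not NUL-terminated; use `strncpy(rhost, utmp.ut_host, HMAX); rhost[HMAX] = '\0';` so a full-length host field cannot run past the end of the array. Two smaller points in the same hunk: the hosts.equiv scan splits entries only on ' ' and truncates both names at the first '.', so a tab-separated `host user` line never matches, while any host sharing a short name with a trusted host in another domain is accepted as trusted; and a wrong site password only sets `invalid = TRUE;` with no syslog call, so the repeated failures Roy asked to have logged are not recorded at the point where they are detected. A comment explaining what `usererr != -1` means would also help, since its meaning is not visible in this hunk.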
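Review bot: in the 366,370 hunk, the DIALUP log line still identifies dialup lines by `tty[sizeof("tty")-1] == 'd'`, while the new site-password block decides the same question with `stypeof(tty)` compared against "dialup"; the two can disagree for a dialup line whose name does not follow the ttyd* convention, so use stypeof here too so the log entry and the site-password prompt cover the same set of lines.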