Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!romp!auschs!d75!awdprime!greenber.austin.ibm.com!jfh
From: jfh@greenber.austin.ibm.com (John F Haugh II)
Newsgroups: comp.unix.aix
Subject: Re: Replacing /bin/login under AIX 3.1
Message-ID: <4926@awdprime.UUCP>
Date: 22 Jan 91 22:41:10 GMT
References: <9T4^9=-@rpi.edu>
Sender: news@awdprime.UUCP
Organization: Obfuscated Features "R" Us, LCC Austin
Lines: 39

In article <9T4^9=-@rpi.edu> todd@narnia.ecs.rpi.edu (R. Lindsay Todd) writes:
>Now, /etc/security/login.cfg and /etc/security/user seem to have some
>hooks for providing alternative authentication methods. However, my
>CD-ROM wears a bit thin in this area. Has anyone successfully used
>these hooks to provide an alternative login mechanism?

The /etc/security/user file contains two fields, auth1 and auth2, which
can be used to configure the authentication process very finely. The
default "auth1" value is "SYSTEM", which is a built-in method which
performs the usual "prompt for Password: and compare against encrypted
version" authentication. If you replace "auth1 = SYSTEM" with something
like "auth1 = KERBEROS" you will have to add a "KERBEROS" stanza to
/etc/security/login.cfg.

For this example, assume a program "/etc/kerberos_auth" which takes a
user ID as an argument, does some processing based on that argument,
and exits with zero for success, and non-zero otherwise. Assume that
the user "bob" exists and will be authenticated using the built-in
method as well as the "KERBEROS" method.

Start by changing bob's "auth1" attribute with the command
"chuser auth1=SYSTEM,KERBEROS bob". Then manually edit the
/etc/security/login.cfg adding the stanza

--
KERBEROS:
	program = /etc/kerberos_auth
--

After bob enters his password, the second program will be executed as
"/etc/kerberos_auth bob". It is up to that program to get the Kerberos
tickets, etc., and exit with 0 if the user is properly authenticated,
and non-zero otherwise.
-- 
John F. Haugh II        | I've Been Moved |    MaBellNet: (512) 838-4340
SneakerNet: 809/1D064   |     AGAIN !     |      VNET: LCCB386 at AUSVMQ
BangNet: ..!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)
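
Added example, not part of the original post and not AIX code: a small audit of the configuration described above, run over copies of /etc/security/user and /etc/security/login.cfg. The function names, the sample file contents, and the pass criteria (absolute path, root-owned, not group/world writable) are assumptions chosen here because the named program is executed during login.

```python
import os
import stat

BUILTIN = {"SYSTEM", "NONE"}  # methods that need no login.cfg stanza
# Constructed sample file contents (not taken from a real system).
SAMPLE_USER = "default:\n\tauth1 = SYSTEM\nbob:\n\tauth1 = SYSTEM,KERBEROS\n"
SAMPLE_LOGIN_CFG = "KERBEROS:\n\tprogram = /etc/kerberos_auth\n"

def parse_stanzas(text):
    """Parse stanza text: 'name:' headers followed by 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or '*' comment
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def program_problem(program, stat_fn):
    """Return why a method's program should not be trusted at login, or None."""
    if program is None:
        return "no program stanza in login.cfg"
    if not program.startswith("/"):
        return "program path is not absolute"
    try:
        st = stat_fn(program)
    except OSError:
        return "program missing or unreadable"
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "program not root-owned or is group/world writable"
    return None

def audit(user_text, login_cfg_text, stat_fn=os.stat):
    """Return sorted (user, method, problem) findings for auth1/auth2 methods."""
    methods, findings = parse_stanzas(login_cfg_text), set()
    for user, attrs in parse_stanzas(user_text).items():
        for field in ("auth1", "auth2"):
            for entry in attrs.get(field, "").split(","):
                method = entry.split(";")[0].strip()  # tolerate "method;name"
                if method and method not in BUILTIN:
                    problem = program_problem(methods.get(method, {}).get("program"), stat_fn)
                    if problem:
                        findings.add((user, method, problem))
    return sorted(findings)
```

An empty list from audit() means every non-built-in method named in a user's auth1 or auth2 resolves to a program that passes these checks; stat_fn can be replaced to test without touching the filesystem.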