AXSPAWN.CONF(5) Linux Programmer's Manual AXSPAWN.CONF(5)NAME
axspawn.conf - Control the operation of axspawn.
DESCRIPTION
The axspawn.conf file controls the operation of the axspawn(8) program. The operation of the config file can best be seen in an example:
# this is /etc/ax25/axspawn.conf
#
# allow automatic creation of user accounts
create yes
# allow empty password field (so user may login via telnet, too) [default no]
create_empty_password no
#create_empty_password yes
# create with system utility useradd(8)? [default no]
#create_with_useradd no
create_with_useradd yes
#
# pwcheck method: password or call or group. [default: password]
#pwcheck call
#pwcheck group
pwcheck password
#
# guest user if above is 'no' or everything else
# fails. Disable with "no"
guest guest
#
# group id or name for autoaccount
group hams
#
# first user id to use
first_uid 400
#
# maximum user id
max_uid 2000
#
# where to add the home directory for the new user
home /home/hams
#
# secure homedirectories (g-rwx)
#secure_home yes
#
# user's shell
shell /bin/bash
#
# bind user id to callsign for outgoing connects.
associate yes
The "associate" option has to be used with great care. If a user logs on it removes any existing callsign from the translation table for
this userid and replaces it with the callsign and SSID of the user. This will happen with multiple connects (same callsign, different
SSIDs), too. Unless you want your users to be able to call out from your machine disable "associate".
FILES
/etc/ax25/axspawn.conf
SEE ALSO axspawn(8).
Linux 2 August 1996 AXSPAWN.CONF(5)
Check Out this Related Man Page
AXSPAWN(8) Linux System Managers Manual AXSPAWN(8)NAME
axspawn - Allow automatic login to a Linux system.
SYNOPSIS
axspawn [--pwprompt PR0MPT, -p PR0MPT] [--changeuser, -c] [--rootlogin, -r] [--only-md5] [--wait, -w]
DESCRIPTION
Axspawn will check if the peer is an AX.25 connect, the callsign a valid Amateur Radio callsign, strip the SSID, check if UID/GID are
valid, allow a password-less login if the password-entry in /etc/passwd is "+" or empty; in every other case login will prompt for a pass-
word.
Axspawn can create user accounts automatically. You may specify the user shell, first and maximum user id, group ID in the config file and
(unlike WAMPES) create a file "/etc/ax25/ax25.profile" which will be copied to ~/.profile.
SECURITY
Auto accounting is a security problem by definition. Unlike WAMPES, which creates an empty password field, Axspawn adds an "impossible"
('+') password to /etc/passwd. Login gets called with the "-f" option, thus new users have the chance to login without a password. (I guess
this won't work with the shadow password system).
Of course axspawn does callsign checking: Only letters and numbers are allowed, the callsign must be longer than 4 characters and shorter
than 6 characters (without SSID). There must be at least one digit, and max. two digits within the call. The SSID must be within the range
of 0 and 15. Please drop me a note if you know a valid Amateur Radio callsign that does not fit this pattern _and_ can be represented cor-
rectly in AX.25.
axspawn also has the well known authentication mechanisms of the AX.25 bbs baycom (sys) and md5 standards. axspawn searches in
/etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second) for a match of the required authentication mechanism and password. md5 and baycom
passwords may differ. md5 passwords gain over baycom passwords.
Note: you could "lock" special "friends" out by specifying an empty password in /etc/ax25/bcpasswd (line "n0call:md5:"). -> md5 Passwords
are enforced. But the length is shorter than the minimum (len 8 for md5, len 20 for baycom); user's password file is not searched because
in /etc/ax25/bcpasswd its already found..
Syntax and caveeats for /etc/ax25/bcpasswd:
- Has to be a regular file (no symlink). Not world-readable/writable.
- Example lines:
# Thomas
dl9sau:md5:abcdefgh
# Test
te1st:sys:12345678901234567890
# root
root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
# misconfiguration:
thisbadlineisignored
# With this line
systempasswordonly
# .. axspan will not look in user's homedir for his .bcpasswd
Syntax and caveeats for user's .bcpasswd in his $HOME:
- Has to be a regular file (no symlink). Neither group- nor world-
read-/writable. Has to be owned by the user or uid 0 (root).
- Example lines:
# could be shorter
md5:abcdefgh
# should be longer
sys:12345678901234567890
OPTIONS -p DB0FHN or --pwprompt DB0FHN
While baycom or md5 password authentication (see above), the password prompt is set to the first argument (DB0FHN in this example).
This may be needed for some packet-radio terminal programs for detecting the password prompt properly.
-c, --changeuser
Allow connecting ax25 users to change their username for login. They'll be asked for their real login name.
-e, --embedded
Special treatment for axspawn on non-standard conform embedded devices. I.e. openwrt has no true /bin/login: if you use it as a real
login program, it raises a security hole.
-r, --rootlogin
Permit login as user root. Cave: only md5 or baycom style is allowed; no plaintext password.
--only-md5
Insist in md5 authentication during login. If no password for the user is found, or it is not md5, then no other login mechanism is
granted. This option, in combination with -c and -r, may be a useful configuration for systems where no ax25 user accounts are avail-
able, but you as sysop would like to have a login access for your administrative tasks.
-w, --wait
Eats the first line the user sends. This feature is useful if you have TCP VC connects to the same Call+SSID. It is now obsolete,
because ax25d is the right place for this and implements this functionality better.
Theses are options and not part of the preferences because you _may_ like to have on every interface definition in ax25d.conf (where axs-
pawn is started from) a different behaviour.
FILES
/etc/passwd
/etc/ax25/ax25.profile
/etc/ax25/axspawn.conf
/etc/ax25/bcpasswd
~/.bcpasswd
SEE ALSO axspawn.conf(5), ax25d(8).
AUTHOR
Joerg Reuter DL1BKE <jreuter@poboxes.com>
Linux 25 August 1996 AXSPAWN(8)