Regarding my query concerning the requirement for a login confirmation question to be answered, thanks a lot to the following for useful hints:
Frank Wortner,
Derk Tegeler,
Sean Markley,
James Sainsbury
Frank's suggestion (immediately below) is the way I will go, but the information from James was so detailed that I thought it worth including.
> Also, I require
> that this message is not displayed when issuing su -, which rules out any
> /etc/profile entry I think.
I think not. ;-)
WHO_AM_I=`who am i | awk '{ print $1}'` # who owns this tty's utmp entry (the name that logged in)
WHOAMI=`whoami` # the effective UID of this session
#
# If WHOAMI and WHO_AM_I are the same, then this session is the result of a login.
# If they differ, this session is the result of a "su".
#
if [ "$WHOAMI" = "$WHO_AM_I" ] # quoted, so an empty WHO_AM_I (no tty) cannot break the test
then
    cat /user/discipline/message
    echo -n "Do you agree? Please type yes or no."
    read REPLY
    if [ "$REPLY" != "yes" ] # quoted, so an empty reply is treated as "no" instead of a syntax error
    then
        echo "Sorry, you must agree to these terms."
        exit 1
    fi
fi
Hope this helps.
Frank
----------------------------------------
How about replacing telnetd with a wrapper that displays the warning
and asks for confirmation and exec(2)s /usr/sbin/telnetd?
e.g.
inetd.conf:
telnet stream tcp nowait root /sbin/opt/askremoted telnetd
login stream tcp nowait root /sbin/opt/askremoted rlogind
OR for tcpwrappers
inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd telnetd
login stream tcp nowait root /usr/sbin/tcpd rlogind
hosts.allow:
telnetd: ALL@172.16.76.0/255.255.255.0: twist /sbin/opt/askremoted telnetd
rlogind: ALL@172.16.76.0/255.255.255.0: twist /sbin/opt/askremoted rlogind
askremoted.c:
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char* argv[]) { /* skeleton : NOTE runs as root! */
    setsignals(); /* whatever behaviour required */
    setterminal(); /* probably nil */
    display_message("/etc/issue");
    if (ask_for_confirmation() == YES ) { /*CAREFUL buffer overflows*/
        /* argv[0] is the name given after the program path in inetd.conf */
        if (strcmp (argv[0], "telnetd") == 0) { /* strcmp() returns 0 on a match */
            execl("/usr/sbin/telnetd","telnetd",(char*) 0);
            exit (EXIT_FAILURE); /* only reached if execl() itself failed */
        }
        else if (strcmp (argv[0], "rlogind") == 0) {
            ...etc
        }
        else .../* ftpd etc */
    }
    exit (EXIT_SUCCESS);
}
NOTE: you may wish to sanitize the environment and pass further args to
the daemon by using execle(2) or execve(2) instead of execl(2).
RGDS
On second thoughts, wrapping telnetd etc. won't work :(
telnet and telnetd negotiate various things, and trying to
elicit input from the user will only stuff it.
Sorry.
I thought about replacing login with a script and tried it quickly,
and it seems to work with telnet. Note this is BASE, not C2, security.
(I would try using the login from the tcpdaemon package as a starting point
and modifying that.)
e.g.
cd /bin; mv login login.bin
cp login.sh /bin/login
chmod 555 /bin/login
chown root:system /bin/login
where login.sh is:
#! /sbin/sh
PATH="/sbin:/bin"
export PATH
trap exit 1 2 3 15 # an interrupted prompt ends the session rather than falling through to login
LOGINBIN="/bin/login.bin" # the real login, renamed above
MESSAGE="/etc/remote-issue"
CONFIRM="Do you agree? Y/N: "
if [ -f "$MESSAGE" ]
then
    cat "$MESSAGE"
else
    exec $LOGINBIN "$@" # no message installed: behave exactly like the real login
fi
echo -n "$CONFIRM"
while read resp junk # EOF (connection dropped) leaves the loop and denies below
do
    case "$resp" in
    [Yy]|[Yy]es|YES)
        exec $LOGINBIN "$@" # "$@" passes each of telnetd's arguments through intact
        ;;
    [Nn]*)
        exit 2
        ;;
    *)
        echo -n "$CONFIRM"
        ;;
    esac
done
exit 2
------------------------------------------------
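The following is an added example, not code from Frank's or James's posts. It puts both ideas from the thread into one POSIX sh file: Frank's "who am i" versus "whoami" test for telling a fresh login from an su session (for an /etc/profile hook), and James's banner-and-confirmation wrapper around the real login. Each piece is a function so it can be exercised on its own. The MAX_TRIES limit, the profile_check and run_wrapper names, and the guard on $0 are this example's own choices, and the LOGINBIN and MESSAGE paths are placeholders taken from James's script.

```shell
#!/bin/sh
# Added example, not code from the original posts. Assumed: the two paths
# below are placeholders; MAX_TRIES and the $0 guard are this example's own.

LOGINBIN="${LOGINBIN:-/bin/login.bin}"    # the real login binary after renaming
MESSAGE="${MESSAGE:-/etc/remote-issue}"   # banner text to show before login
MAX_TRIES=3                               # assumed: stop re-prompting after this many answers

# Name owning this tty's utmp entry; empty when there is no tty (cron, batch).
tty_login_name() {
    who am i 2>/dev/null | awk '{ print $1 }'
}

# session_is_login TTY_USER EFFECTIVE_USER
# 0: a fresh login (utmp owner matches the effective user)
# 1: the effective user differs, i.e. an "su" session
# 2: no utmp entry at all, so the caller decides what to do
session_is_login() {
    tty_user=$1
    eff_user=$2
    [ -n "$tty_user" ] || return 2
    [ "$tty_user" = "$eff_user" ]
}

# ask_agreement PROMPT
# Reads answers from stdin. 0: agreed. 2: declined, EOF (connection dropped
# mid-prompt) or MAX_TRIES answers without a clear yes. Never falls through.
ask_agreement() {
    prompt=$1
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        printf '%s' "$prompt"
        read -r resp junk || return 2
        tries=$((tries + 1))
        case "$resp" in
            [Yy]|[Yy][Ee][Ss]) return 0 ;;
            [Nn]|[Nn][Oo])     return 2 ;;
            *)                 ;;          # anything else: ask again
        esac
    done
    return 2
}

# Frank's approach, for /etc/profile: prompt only on a fresh login, stay
# quiet under "su -", and do nothing when there is no tty to prompt on.
profile_check() {
    rc=0
    session_is_login "$(tty_login_name)" "$(whoami)" || rc=$?
    if [ "$rc" -eq 0 ] && [ -f "$MESSAGE" ]; then
        cat "$MESSAGE"
        ask_agreement "Do you agree? Please type yes or no: " || exit 1
    fi
}

# James's approach, installed in place of /bin/login: su never execs login,
# so this path is only ever taken by a real login. The unchanged argument
# list goes to the real login via "$@" (not $*, which would re-split it).
run_wrapper() {
    PATH="/sbin:/bin"; export PATH
    trap 'exit 2' 1 2 3 15                 # HUP/INT/QUIT/TERM end the session
    if [ -f "$MESSAGE" ]; then
        cat "$MESSAGE"
        ask_agreement "Do you agree? Y/N: " || exit 2
    fi
    exec "$LOGINBIN" "$@"
}

# Assumed guard: act as the login wrapper only when invoked as "login",
# so the functions above can be sourced and tested on their own.
case "$0" in
    */login|login) run_wrapper "$@" ;;
esac
```

The two points the original scripts leave open are handled here: every variable in a test is quoted, so an empty "who am i" result (no tty) yields a distinct status instead of a shell syntax error, and the prompt loop can end only in an explicit yes or a denial, whether the user says no, the connection drops mid-prompt, or the reply limit is reached.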
Cheers
Neil
Received on Tue Mar 27 2001 - 07:09:29 NZST