AXSPAWN(8)               Linux System Managers Manual               AXSPAWN(8)

NAME

       axspawn - Allow automatic login to a Linux system.

SYNOPSIS

       axspawn [--pwprompt PROMPT, -p PROMPT] [--changeuser, -c] [--rootlogin,
       -r] [--only-md5] [--wait, -w]

DESCRIPTION

       Axspawn checks that the peer is an AX.25 connection and that the
       callsign is a valid Amateur Radio callsign, strips the SSID, checks
       that the UID/GID are valid, and allows a password-less login if the
       password entry in /etc/passwd is “+” or empty; in every other case
       login will prompt for a password.

       Axspawn can create user accounts automatically. You may specify the
       user shell, the first and maximum user ID and the group ID in the
       config file, and (unlike WAMPES) create a file “/etc/ax25/ax25.profile”
       which will be copied to ~/.profile.

SECURITY

       Auto accounting is a security problem by definition. Unlike WAMPES,
       which creates an empty password field, Axspawn adds an “impossible”
       ('+') password to /etc/passwd. Login gets called with the “-f” option,
       thus new users have the chance to log in without a password. (I guess
       this won't work with the shadow password system).

       Of course axspawn does callsign checking: Only letters and numbers are
       allowed, the callsign must be longer than 4 characters and shorter than
       6 characters (without SSID). There must be at least one digit and at
       most two digits within the call. The SSID must be in the range 0 to
       15. Please drop me a note if you know a valid Amateur Radio callsign
       that does not fit this pattern _and_ can be represented correctly in
       AX.25.

       axspawn also supports the well-known AX.25 BBS authentication
       mechanisms, baycom (sys) and md5. axspawn searches /etc/ax25/bcpasswd
       (first) and ~user/.bcpasswd (second) for a match of the required
       authentication mechanism and password. md5 and baycom passwords may
       differ. md5 passwords take precedence over baycom passwords.

       Note: you can "lock" special "friends" out by specifying an empty
       password in /etc/ax25/bcpasswd (line "n0call:md5:"). This enforces md5
       authentication, but the password is shorter than the minimum length
       (8 for md5, 20 for baycom), so no login can succeed; the user's own
       password file is not searched because an entry was already found in
       /etc/ax25/bcpasswd.

       Syntax and caveats for /etc/ax25/bcpasswd:
         - Has to be a regular file (no symlink). Not world-readable/writable.
         - Example lines:
           # Thomas
           dl9sau:md5:abcdefgh
           # Test
           te1st:sys:12345678901234567890
           # root
           root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
           # misconfiguration:
           thisbadlineisignored
           # With this line
           systempasswordonly
           # .. axspawn will not look in user's homedir for his .bcpasswd

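A lint pass over /etc/ax25/bcpasswd lines that flags entries which lock a call out, following the syntax and minimum lengths given above. This is an added example, not code from axspawn; the function and enum names are hypothetical, and skipping unknown mechanisms is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Minimum password lengths stated in the man page. */
#define MIN_MD5 8
#define MIN_SYS 20

enum verdict { V_COMMENT, V_IGNORED, V_SYSTEM_ONLY, V_OK, V_TOO_SHORT };

/* Classify one line of /etc/ax25/bcpasswd ("call:mechanism:password"). */
enum verdict lint_bcpasswd_line(const char *line)
{
    char buf[256], *mech, *pw;
    size_t min;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';
    if (buf[0] == '\0' || buf[0] == '#')
        return V_COMMENT;
    if (strcmp(buf, "systempasswordonly") == 0)
        return V_SYSTEM_ONLY;      /* ~/.bcpasswd will not be consulted */

    mech = strchr(buf, ':');
    if (mech == NULL || mech == buf)
        return V_IGNORED;          /* no "call:" prefix, e.g. thisbadlineisignored */
    *mech++ = '\0';
    pw = strchr(mech, ':');
    if (pw == NULL)
        return V_IGNORED;
    *pw++ = '\0';

    if (strcmp(mech, "md5") == 0)
        min = MIN_MD5;
    else if (strcmp(mech, "sys") == 0)
        min = MIN_SYS;
    else
        return V_IGNORED;          /* assumption: unknown mechanisms are skipped */
    /* Per the man page's note, a too-short or empty password locks the call out. */
    return strlen(pw) >= min ? V_OK : V_TOO_SHORT;
}

int main(void)
{
    /* Constructed sample lines, modelled on the examples in the man page. */
    const char *s[] = { "# Thomas", "dl9sau:md5:abcdefgh", "n0call:md5:",
                        "thisbadlineisignored", "systempasswordonly" };
    const char *name[] = { "comment", "ignored", "system-only", "ok", "LOCKED OUT" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-22s %s\n", s[i], name[lint_bcpasswd_line(s[i])]);
    return 0;
}
```
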
       Syntax and caveats for user's .bcpasswd in his $HOME:
         - Has to be a regular file (no symlink). Neither group- nor world-
             read-/writable. Has to be owned by the user or uid 0 (root).
         - Example lines:
           # could be shorter
           md5:abcdefgh
           # should be longer
           sys:12345678901234567890
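An audit of the file-type, mode and ownership requirements listed above for /etc/ax25/bcpasswd and ~/.bcpasswd. This is an added example, not code from axspawn; the function names and the BAD_* flags are hypothetical, and using lstat() to detect symlinks is this example's choice.

```c
#define _XOPEN_SOURCE 700   /* lstat() and S_IF* when compiled with strict -std=c99/c11 */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum { BAD_TYPE = 1, BAD_MODE = 2, BAD_OWNER = 4 };

/*
 * per_user = 0: /etc/ax25/bcpasswd (regular file, not world-readable/writable)
 * per_user = 1: ~/.bcpasswd (also not group-readable/writable, owned by user or uid 0)
 * Returns 0 if the metadata satisfies the rules, else a bitmask of BAD_* flags.
 */
int bcpasswd_meta_problems(mode_t mode, uid_t owner, uid_t user, int per_user)
{
    int problems = 0;
    mode_t forbidden = S_IROTH | S_IWOTH;

    if (per_user)
        forbidden |= S_IRGRP | S_IWGRP;
    if (!S_ISREG(mode))
        problems |= BAD_TYPE;
    if (mode & forbidden)
        problems |= BAD_MODE;
    if (per_user && owner != user && owner != 0)
        problems |= BAD_OWNER;
    return problems;
}

/* lstat() does not follow symlinks, so a symlink is reported as BAD_TYPE. */
int audit_bcpasswd(const char *path, uid_t user, int per_user)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return -1;                 /* missing or inaccessible */
    return bcpasswd_meta_problems(st.st_mode, st.st_uid, user, per_user);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/ax25/bcpasswd";
    int r = audit_bcpasswd(path, 0, 0);
    printf("%s: problem mask %d\n", path, r);
    return r != 0;
}
```
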

OPTIONS

       -p DB0FHN or --pwprompt DB0FHN
            During baycom or md5 password authentication (see above), the
            password prompt is set to the given argument (DB0FHN in this
            example). This may be needed for some packet-radio terminal
            programs to detect the password prompt properly.

       -c, --changeuser
            Allow connecting ax25 users to change their username for login.
            They'll be asked for their real login name.

       -e, --embedded
            Special treatment for axspawn on embedded devices that do not
            conform to the standard. For example, OpenWrt has no true
            /bin/login: if you use it as a real login program, it opens a
            security hole.

       -r, --rootlogin
            Permit login as user root. Caveat: only md5 or baycom style
            authentication is allowed; no plaintext password.

       --only-md5
            Insist on md5 authentication during login. If no password for the
            user is found, or it is not md5, then no other login mechanism is
            granted. This option, in combination with -c and -r, may be a
            useful configuration for systems where no ax25 user accounts are
            available, but you as sysop would like to have login access for
            your administrative tasks.

       -w, --wait
            Eats the first line the user sends. This feature is useful if you
            have TCP VC connects to the same Call+SSID. It is now obsolete,
            because ax25d is the right place for this and implements this
            functionality better.

       These are options and not part of the preferences because you _may_
       like to have a different behaviour on every interface definition in
       ax25d.conf (where axspawn is started from).

FILES

       /etc/passwd
       /etc/ax25/ax25.profile
       /etc/ax25/axspawn.conf
       /etc/ax25/bcpasswd
       ~/.bcpasswd

SEE ALSO

       axspawn.conf(5), ax25d(8).

AUTHOR

       Joerg Reuter DL1BKE <jreuter@poboxes.com>

Linux                           25 August 1996                      AXSPAWN(8)