AXSPAWN(8) Linux System Managers Manual AXSPAWN(8)

axspawn - Allow automatic login to a Linux system.

axspawn [--pwprompt PROMPT, -p PROMPT] [--changeuser, -c] [--rootlogin,
-r] [--only-md5] [--wait, -w]

Axspawn will check whether the peer is an AX.25 connection and the
callsign is a valid Amateur Radio callsign, strip the SSID, check
whether UID/GID are valid, and allow a password-less login if the
password entry in /etc/passwd is “+” or empty; in every other case
login will prompt for a password.

Axspawn can create user accounts automatically. You may specify the
user shell, the first and maximum user ID, and the group ID in the
config file, and (unlike WAMPES) create a file “/etc/ax25/ax25.profile”,
which will be copied to ~/.profile.

Auto accounting is a security problem by definition. Unlike WAMPES,
which creates an empty password field, Axspawn adds an “impossible”
('+') password to /etc/passwd. Login gets called with the “-f” option,
thus new users have the chance to log in without a password. (I guess
this won't work with the shadow password system.)

Of course axspawn does callsign checking: only letters and numbers are
allowed, and the callsign must be longer than 4 characters and shorter
than 6 characters (without SSID). There must be at least one digit and
at most two digits within the call. The SSID must be within the range
of 0 and 15. Please drop me a note if you know a valid Amateur Radio
callsign that does not fit this pattern _and_ can be represented
correctly in AX.25.

axspawn also supports the well-known authentication mechanisms of the
AX.25 bbs baycom (sys) and md5 standards. axspawn searches in
/etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second) for a match of
the required authentication mechanism and password. md5 and baycom
passwords may differ. md5 passwords take precedence over baycom
passwords.

Note: you could "lock" special "friends" out by specifying an empty
password in /etc/ax25/bcpasswd (line "n0call:md5:"). md5 passwords are
then enforced, but the length is shorter than the minimum (len 8 for
md5, len 20 for baycom); the user's password file is not searched
because the entry was already found in /etc/ax25/bcpasswd.

Syntax and caveats for /etc/ax25/bcpasswd:
- Has to be a regular file (no symlink). Not world-readable/writable.
- Example lines:
    # Thomas
    dl9sau:md5:abcdefgh
    # Test
    te1st:sys:12345678901234567890
    # root
    root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
    # misconfiguration:
    thisbadlineisignored
    # With this line
    systempasswordonly
    # .. axspawn will not look in user's homedir for his .bcpasswd

Syntax and caveats for user's .bcpasswd in his $HOME:
- Has to be a regular file (no symlink). Neither group- nor
  world-read-/writable. Has to be owned by the user or uid 0 (root).
- Example lines:
    # could be shorter
    md5:abcdefgh
    # should be longer
    sys:12345678901234567890
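
An audit sketch for the two bcpasswd rule sets above, added here as an example and not part of axspawn: it checks the file-type, mode and ownership rules and flags ignored or too-short entries in the system-wide file. The call:mechanism:password layout and the '#' comment handling are inferred from the example lines, and the function names are hypothetical.

```python
import os
import stat

# Minimum password lengths stated on this page: 8 for md5, 20 for baycom ("sys").
MIN_LEN = {"md5": 8, "sys": 20}

# Constructed sample; "n0call:md5:" is the lock-out line quoted on the page.
SAMPLE = """\
# constructed entries
n0call:md5:
te1st:sys:tooshort
dl9sau:md5:abcdefgh
thisbadlineisignored
systempasswordonly
"""

def check_file(path, user_uid=None):
    """Return permission problems. user_uid=None audits the system-wide file."""
    st = os.lstat(path)  # lstat so a symlink is seen as a symlink, not its target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    forbidden = stat.S_IROTH | stat.S_IWOTH
    if user_uid is not None:  # per-user ~/.bcpasswd: group bits are forbidden too
        forbidden |= stat.S_IRGRP | stat.S_IWGRP
        if st.st_uid not in (user_uid, 0):
            problems.append("not owned by the user or root")
    if st.st_mode & forbidden:
        problems.append("mode %04o too permissive" % stat.S_IMODE(st.st_mode))
    return problems

def audit_system_file(text):
    """Return (system_only, findings) for /etc/ax25/bcpasswd-style text."""
    system_only, findings = False, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        if line == "systempasswordonly":  # user's ~/.bcpasswd will not be searched
            system_only = True
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[1] not in MIN_LEN:
            findings.append((lineno, "ignored: not call:mechanism:password"))
        elif len(fields[2]) < MIN_LEN[fields[1]]:
            findings.append((lineno, "%s: %s password below minimum length"
                             % (fields[0], fields[1])))
    return system_only, findings

if __name__ == "__main__":
    print(audit_system_file(SAMPLE))
```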

-p DB0FHN or --pwprompt DB0FHN
During baycom or md5 password authentication (see above), the password
prompt is set to the first argument (DB0FHN in this example).
This may be needed for some packet-radio terminal programs to
detect the password prompt properly.

-c, --changeuser
Allow connecting ax25 users to change their username for login.
They'll be asked for their real login name.

-e, --embedded
Special treatment for axspawn on embedded devices that do not conform
to the standard. For instance, openwrt has no true /bin/login: if you
use it as a real login program, it opens a security hole.

-r, --rootlogin
Permit login as user root. Caveat: only md5 or baycom style is
allowed; no plaintext password.

--only-md5
Insist on md5 authentication during login. If no password for the
user is found, or it is not md5, then no other login mechanism is
granted. This option, in combination with -c and -r, may be a
useful configuration for systems where no ax25 user accounts are
available, but you as sysop would like to have login access for
your administrative tasks.

-w, --wait
Eats the first line the user sends. This feature is useful if you
have TCP VC connects to the same Call+SSID. It is now obsolete,
because ax25d is the right place for this and implements this
functionality better.

These are options and not part of the preferences because you _may_
like to have a different behaviour on every interface definition in
ax25d.conf (where axspawn is started from).

/etc/passwd
/etc/ax25/ax25.profile
/etc/ax25/axspawn.conf
/etc/ax25/bcpasswd
~/.bcpasswd

axspawn.conf(5), ax25d(8).

Joerg Reuter DL1BKE <jreuter@poboxes.com>

Linux 25 August 1996 AXSPAWN(8)