cvmlogin program

cvmlogin is a replacement for the traditional login program, using a CVM module for authentication. It is not a drop-in replacement; it has an incompatible interface, so it cannot necessarily be used with traditional getty programs. It does not accept a username on the command line, and it does no utmp/wtmp accounting.

cvmlogin is probably not very useful except on consoles (and perhaps pseudoterminals) due to the absence of a compatible getty replacement to handle terminal initialization.

    cvmlogin [command arg ...]

cvmlogin prompts for a username and password on stdout, reads them from stdin, and logs the attempt (including the terminal as specified by $TTY) to stderr. It authenticates via the CVM module specified by $CVM_PLAIN. If the authentication is successful, it forks and runs the given command, with stderr replaced by a duplicate of stdout. If no command is given, the default (as of version 2001.06.08) is:

    setstate lofgGuh loginshell

cvmlogin waits for the child to exit, logs the termination, and then exits.

The prompt for the username can be set in $PROMPT_LOGIN, and defaults to "login:". The prompt for the password can be set in $PROMPT_PASSWORD, and defaults to "Password:".

cvmlogin sets these environment variables for the child process:

USER - the user's account name.
UID - the user's user ID.
GID - the user's primary group ID.
GROUPS - the user's supplementary groups, each preceded by a space (including the first). If $INCLUDE_GID is set, cvmlogin will include the primary group ID in $GROUPS. (The standard modules in the current version of CVM already do this, so this feature is not useful with those modules.) If $EXTRA_GROUPS is set, its value is taken to be a similarly-formatted list of group IDs which cvmlogin will include in $GROUPS. (So, e.g., users logging in on the console can be in a "console" group which has access to floppy/CDROM drives, etc., while they would not have such access when logging in over the network.)
NAME - the user's real name.
HOME - the user's home directory.
SHELL - the user's login shell.

Some of the above variables, including UID, are automatically set by bash; any inherited value set by cvmlogin is lost. Do not configure cvmlogin to run a script interpreted by bash: any successful login will gain root privileges.
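
One way to catch this before deployment, as an added example that is not part of the original page or of cvmlogin: a static check that refuses a command file whose interpreter resolves to bash, including /bin/sh symlinked to bash and "#!/usr/bin/env bash". The function names are hypothetical, `readlink -f` is assumed to be available, and a file without a "#!" line is assumed to be a compiled program.

```shell
#!/bin/sh
# Added example (not part of cvmlogin): refuse a login command that bash
# would interpret, since bash replaces the UID that cvmlogin exported.
# Assumption: a file with no "#!" line is a compiled program.

# Print the interpreter named on FILE's first line; print nothing if none.
shebang_interp() {
    line=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\000')
    case $line in
        '#!'*) line=${line#'#!'} ;;
        *) return 0 ;;
    esac
    set -f; set -- $line; set +f        # split into words, no globbing
    [ $# -gt 0 ] || return 0
    if [ "${1##*/}" = env ]; then       # "#!/usr/bin/env [-S] name"
        shift
        while [ $# -gt 0 ]; do
            case $1 in -*) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || return 0
        command -v "$1" || printf '%s\n' "$1"   # look the name up in $PATH
    else
        printf '%s\n' "$1"
    fi
}

# Succeed if the path, after following symlinks, is a file named bash.
# This catches /bin/sh being a symlink to bash.
resolves_to_bash() {
    real=$(readlink -f -- "$1" 2>/dev/null) || real=$1
    [ "${real##*/}" = bash ]
}

# Return 0 if FILE may be run by cvmlogin, 1 if bash would interpret it.
cvmlogin_command_ok() {
    interp=$(shebang_interp "$1")
    [ -n "$interp" ] || return 0
    if resolves_to_bash "$interp"; then
        echo "refusing $1: interpreter $interp is bash" >&2
        return 1
    fi
    return 0
}

# Usage: sh check.sh /path/to/login-command
if [ $# -gt 0 ]; then cvmlogin_command_ok "$1"; fi
```

The check inspects only the file it is given; anything that file runs before privileges are dropped needs the same check.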

You can run a supervised console login service with a run script like this:

    # cd /service/console-login
    # grep ^ env/*
    env/CVM_PLAIN:/command/cvm-unix
    env/TERM:linux
    env/TTY:/dev/tty1
    # cat run
    #!/bin/sh -e
    exec 2>&1
    exec \
      setsid \
      envdir ./env \
      sh -ec '
        exec < "$TTY"
        exec > "$TTY"
        reset 2>&1
        clear 2>&1
        exec \
          envdir ./env \
          cvmlogin'

The extra envdir invocation is there to remove environment variables automatically set by namespace-invading sh interpreters like bash. For reset and clear to work, $TERM must be set.

After installing the ucspi-tcp and ptyget packages, you can almost run a telnet-option-less telnet service like this:

    tcpserver 0 23 ptyrun -2 cvmlogin

However, this doesn't handle environment variable transmission, etc., so $TERM and such will have to be set manually. Also, it seems impossible to turn off echoing on the remote pseudoterminal.