cvmlogin program
cvmlogin is a replacement for the traditional
login program, using a
CVM module for
authentication. It is not a drop-in replacement; it
has an incompatible interface, so it cannot necessarily be used with
traditional getty programs. It does not accept a username on the
command line, and it does no utmp/wtmp accounting.
cvmlogin is probably not very useful except on consoles
(and perhaps pseudoterminals) due to the absence of a compatible getty
replacement to handle terminal initialization.
cvmlogin [command arg ...]
cvmlogin prompts for a username and password on stdout,
reads them from stdin, and logs the attempt (including the terminal as
specified by $TTY) to stderr. It authenticates via the
CVM module specified by $CVM_PLAIN. If the
authentication is successful, it forks and runs the given command,
with stderr replaced by a duplicate of stdout. If no command is
given, the default (as of version 2001.06.08) is
setstate lofgGuh loginshell
cvmlogin waits for the child to exit, logs the
termination, and then exits.
The prompt for the username can be set in $PROMPT_LOGIN,
and defaults to "login: ". The prompt for
the password can be set in $PROMPT_PASSWORD, and defaults
to "Password: ". cvmlogin
sets these environment variables for the child process:
USER - the user's account name.
UID - the user's user ID.
GID - the user's primary group ID.
GROUPS - the user's supplementary groups, each
preceded by a space (including the first). If
$INCLUDE_GID is set, cvmlogin will
include the primary group ID in $GROUPS. (The
standard modules in the current version of CVM already do this, so
this feature is not useful with those modules.) If
$EXTRA_GROUPS is set, its value is taken to be a
similarly-formatted list of group IDs which cvmlogin
will include in $GROUPS. (So, e.g., users logging in
on the console can be in a "console" group which has
access to floppy/CDROM drives, etc., while they would not have
such access when logging in over the network.)
NAME - the user's real name.
HOME - the user's home directory.
SHELL - the user's login shell.
Some of the above variables, including UID, are
automatically set by bash; any inherited value set by
cvmlogin is lost, so whatever runs after the script sees
bash's values instead of the authenticated user's. Do not configure
cvmlogin to run a script interpreted by bash:
any successful login will gain root privileges.
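A program that consumes these variables to drop privileges should treat a missing, empty or malformed value as an error rather than as 0. The following is an added example, not code from cvmlogin or setstate: the function names are hypothetical, and the 32-bit ID limit and the "exactly one space" rule for $GROUPS are assumptions of this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ID_LIMIT 0xFFFFFFFFUL /* assumes 32-bit IDs; (uid_t)-1 is reserved */

/* Parse one decimal ID: must start with a digit (strtoul alone would accept
 * leading whitespace and signs) and must not overflow. 0 on success, -1 on error. */
static int parse_id(const char *s, const char **end, unsigned long *out)
{
    char *e;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &e, 10);
    if (errno != 0 || *out >= ID_LIMIT) return -1;
    *end = e;
    return 0;
}

/* $UID or $GID: the whole value must be a single ID. Unset or empty is an
 * error, never an implicit 0. */
int parse_scalar_id(const char *value, unsigned long *out)
{
    const char *end;
    return (parse_id(value, &end, out) == 0 && *end == '\0') ? 0 : -1;
}

/* $GROUPS: every ID is preceded by one space, including the first.
 * Returns the number of IDs stored, or -1 if malformed or more than max IDs. */
int parse_groups(const char *value, unsigned long *ids, int max)
{
    int n = 0;
    if (value == NULL) return -1;
    while (*value != '\0') {
        if (*value != ' ' || n == max) return -1;
        if (parse_id(value + 1, &value, &ids[n]) != 0) return -1;
        n++;
    }
    return n;
}

int main(void)
{
    unsigned long uid, gid, groups[32];
    int n = parse_groups(getenv("GROUPS"), groups, 32);
    if (parse_scalar_id(getenv("UID"), &uid) || parse_scalar_id(getenv("GID"), &gid) || n < 0) {
        fputs("refusing to continue: bad UID/GID/GROUPS\n", stderr);
        return 1;
    }
    printf("uid=%lu gid=%lu ngroups=%d\n", uid, gid, n);
    return 0;
}
```

Strict parsing only catches values that are lost or malformed; it cannot detect a well-formed UID that an interpreter substituted along the way.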
You can run a supervised console login service with a run script like this:
# cd /service/console-login
# grep ^ env/*
env/CVM_PLAIN:/command/cvm-unix
env/TERM:linux
env/TTY:/dev/tty1
# cat run
#!/bin/sh -e
exec 2>&1
exec \
setsid \
envdir ./env \
sh -ec '
  exec < "$TTY"
  exec > "$TTY"
  reset 2>&1
  clear 2>&1
  exec \
  envdir ./env \
  cvmlogin'
The extra envdir invocation is there to remove
environment variables automatically set by namespace-invading sh
interpreters like bash. For reset and clear
to work, $TERM must be set.
After installing the ucspi-tcp and ptyget packages, you can almost run a telnet-option-less telnet service like this:
tcpserver 0 23 ptyrun -2 cvmlogin
However, this doesn't handle environment variable transmission, etc.,
so $TERM and such will have to be set manually. Also, it
seems impossible to turn off echoing on the remote pseudoterminal.