The cvmlogin program

cvmlogin is a replacement for the traditional login program, using a CVM module for authentication. It is not a drop-in replacement; it has an incompatible interface, so it can not necessarily be used with traditional getty programs. It does not accept a username on the command line, and it does no utmp/wtmp accounting.

cvmlogin is probably not very useful except on consoles (and perhaps pseudoterminals) due to the absence of a compatible getty replacement to handle terminal initialization.

cvmlogin [command arg ...]

cvmlogin prompts for a username and password on stdout, reads them from stdin, and logs the attempt (including the terminal as specified by $TTY) to stderr. It authenticates via the CVM module specified by $CVM_PLAIN. If the authentication is successful, it forks and runs the given command, with stderr replaced by a duplicate of stdout. If no command is given, the default (as of version 2001.06.08) is setstate lofgGuh loginshell. cvmlogin waits for the child to exit, logs the termination, and then exits.

The prompt for the username can be set in $PROMPT_LOGIN, and defaults to "login: ". The prompt for the password can be set in $PROMPT_PASSWORD, and defaults to "Password: ". cvmlogin sets these environment variables for the child process:

Some of the above variables, including UID are automatically set by bash; any inherited value set by cvmlogin is lost. Do not configure cvmlogin to run a script interpreted by bash - any successful login will gain root privileges.

You can run a supervised console login service with a run script like this:

# cd /service/console-login
# grep ^ env/*
# cat run
#!/bin/sh -e
exec 2>&1
exec \
setsid \
envdir ./env \
sh -ec '
exec < "$TTY"
exec > "$TTY"
reset 2>&1
clear 2>&1
exec \
envdir ./env \

The extra envdir invocation is there to remove environment variables automatically set by namespace-invading sh interpreters like bash. For reset and clear to work, $TERM must be set.

After installing the ucspi-tcp and ptyget packages, you can almost run a telnet-option-less telnet service like this:

tcpserver 0 23 ptyrun -2 cvmlogin

However, this doesn't handle environment variable transmission, etc., so $TERM and such will have to be set manually. Also, it seems impossible to turn off echoing on the remote pseudoterminal.