Jim McCloskey wrote:
> 
> Can I ask for some advice?
> 
> We've just set up two Slink machines in a graduate student lab.  They
> have ethernet connections; there is no firewall.  Some of the students
> want to do all their work in a regular way on these machines and those
> students have user accounts. But a number just want to be able to
> telnet or ssh to another machine quickly and check email.
> 
> Is there a safe way to set up a `guest' user-account with a publicly
> known password?
> 
> Jim

I really *really* recommend that each user have their own password. 
I've run student machines and believe me, you will want to be able to
account for who was on the machine at time X when, inevitably, you run
into a cracker wannabee script monkey.

Another problem you'll run into is that people will give their friends
the guest password so they can telnet/ssh as well, and your control over
who gets to use the machines is gone.  You also need to consider that
when you need to change the guest password because some people have left
or it inevitably leaks into the wrong hands, it's going to be a major
hassle.

That said, look into setting up a chroot jail for the guest account.

You are *much* better off just creating accounts for everyone.  Just
make the profs you're supporting turn in a class roll at the beginning
of the semester and then generating the accounts in one big batch.

Here's the code I used to use - yes, it's ugly as hell, but it was one
of the first Perl scripts I ever wrote when I first started
administering Solaris.

Note that it creates tmp-pass and tmp-homes that are ready to include in
your nis maps - I'm too neurotic to let a script modify those files in
place.

You may need to tinker with the script a little - I sanitized it by
removing some site specific information and may have inadvertently
broken it.

-- cut here --
#!/usr/bin/perl
#
# by [EMAIL PROTECTED]
#
# If this breaks your system, you get to keep the pieces.  You did back
# up your passwd and auto.home map files before running this, right?
#
# Appends one passwd-map line to tmp-pass and one auto.home line to
# tmp-homes; the live NIS maps are never touched.
#
# Command Line Options:
#       -f    user's full name
#       -a    account
#       -u    uid
#       -g    gid
#       -s    shell
#       -h    home directory prefix
#       -p    user password
#       -d    debug mode
#

use strict;
use warnings;
use Getopt::Std;   # getopt() has the same interface as the Perl 4 getopt.pl,
                   # which current perls no longer ship

&main;

sub main
{
        # defaults; anything given on the command line overrides them
        my %opt = (
                h => "/export/home0",
                u => 9999,
                g => 20,
                a => "account",
                p => "password",
                s => "/bin/bash",
                f => "Full Name",
        );

        # the letters listed here take an argument.  -d is a bare flag and
        # must NOT be listed: the original 'faughdsp' made -d swallow the
        # next word on the command line.
        getopt('faughsp', \%opt);

        my $homes    = $opt{h};
        my $uid      = $opt{u};
        my $gid      = $opt{g};
        my $login    = $opt{a};
        my $shell    = $opt{s};
        my $password = $opt{p};
        my $fullname = $opt{f};
        my $homedir  = "$homes/$login";   # physical directory on the file server

        my $debug = $opt{d} ? 1 : 0;

        srand;
        # needs to be done only once.

        my $salt = compute_salt(0);
        # change to compute_salt(1) for new crypt()

        my $hash = crypt($password, $salt);

        if ($debug)
        {
                print "$_ = $opt{$_}\n" for qw(h u g a p s f);
        }

        # the passwd entry points at the automounted /home/$login, not at
        # the export path
        open (PASSWD, ">>tmp-pass") || die "Can't open tmp-pass: $!";
        print PASSWD "$login:$hash:$uid:$gid:$fullname,,,,,,,:/home/$login:$shell\n";
        close (PASSWD);

        # auto.home entry: nemesis is the NFS server exporting $homes
        open (HOMES, ">>tmp-homes") || die "Can't open tmp-homes: $!";
        print HOMES "$login\tnemesis:$homedir\n";
        close (HOMES);
}

exit(0);

# All this password code is copied from apache's dbmmanage script, I
# forget which version.

# if $newstyle is 1, then use new style salt (starts with '_' and contains
# four bytes of iteration count and four bytes of salt).  Otherwise, just
# use the traditional two-byte salt.
# see the man page on your system to decide if you have a newer crypt()
# lib.  I believe that 4.4BSD derived systems do (at least BSD/OS 2.0 does).
# The new style crypt() allows up to 20 characters of the password to be
# significant rather than only 8.
sub compute_salt {
  my ($newstyle) = @_;
  my $salt;
  if ($newstyle) {
    $salt = "_" . randchar(1) . "a.." . randchar(4);
  } else {
    $salt = randchar(2);
  }
  return $salt;
}

# return $count random characters
sub randchar {
  my ($count) = @_;
  my $str = "";
  my $enc =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  while ($count--) {
    # 64 = length($enc) in call to rand() below
    $str .= substr($enc,int(rand(64)),1);
  }
  return $str;
}

-- cut here --


jpb
-- 
Joe Block <[EMAIL PROTECTED]>
CREOL System Administrator

Social graces are the packet headers of everyday life.
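An added example (not the script from the mail above) that carries the per-student-password advice into a batch run: it reads a class roll in an assumed login<TAB>name format (constructed inline here), skips logins and UIDs already in the passwd map, and writes tmp-pass, tmp-homes and an owner-only password sheet. The /export/home0 prefix and the nemesis server name are taken from the script above; the roll format, the UID range and the sheet file are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the script from the mail above: turn a class roll
# into one batch of tmp-pass / tmp-homes entries with a different random
# password per student, skipping logins or UIDs the passwd map already has.
# Assumed roll format: "login<TAB>Full Name", one student per line.
use strict;
use warnings;

my $HOMES  = "/export/home0";   # physical home prefix, as in the original
my $SERVER = "nemesis";         # NFS server named in the auto.home map
my ($GID, $SHELL, $FIRST_UID) = (20, "/bin/bash", 10000);
# crypt(3) salt alphabet: 64 symbols, so a byte mod 64 picks one without bias.
my @ALPHA = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
sub randchars {
    my $n = shift;
    open my $rnd, '<', '/dev/urandom' or die "/dev/urandom: $!";
    read $rnd, my $bytes, $n;
    join '', map { $ALPHA[ord($_) % 64] } split //, $bytes;
}
# Constructed sample inputs: the current passwd map and the class roll.
my @passwd_map = ("root:x:0:0:Super-User:/:/sbin/sh",
                  "jpb:x:1001:20:Joe Block,,,:/home/jpb:/bin/bash");
my @roll = ("jmc\tJim McCloskey",
            "jpb\tJoe Block",          # already exists: skipped, not duplicated
            "asmith\tAlice Smith");
my (%taken_login, %taken_uid);
for (@passwd_map) {
    my ($login, undef, $uid) = split /:/;
    $taken_login{$login} = $taken_uid{$uid} = 1;
}
open my $pass,  '>>', 'tmp-pass'      or die "tmp-pass: $!";
open my $homes, '>>', 'tmp-homes'     or die "tmp-homes: $!";
open my $sheet, '>',  'tmp-passwords' or die "tmp-passwords: $!";
chmod 0600, 'tmp-passwords';          # cleartext hand-out sheet: owner-only

my $uid = $FIRST_UID;
for my $line (@roll) {
    my ($login, $fullname) = split /\t/, $line, 2;
    if ($taken_login{$login}++) { warn "$login exists, skipping\n"; next }
    $uid++ while $taken_uid{$uid};             # first free UID at or above $uid
    my $password = randchars(8);
    my $hash     = crypt($password, randchars(2));   # traditional 2-byte salt
    print $pass  "$login:$hash:$uid:$GID:$fullname,,,:/home/$login:$SHELL\n";
    print $homes "$login\t$SERVER:$HOMES/$login\n";
    print $sheet "$login\t$password\n";
    $uid++;
}
close $_ for $pass, $homes, $sheet;
```

The tmp-pass and tmp-homes output is reviewed and merged into the NIS maps the same way as the original script's, and tmp-passwords is handed out and then deleted.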
