Jim McCloskey wrote:
>
> Can I ask for some advice?
>
> We've just set up two Slink machines in a graduate student lab. They
> have ethernet connections; there is no firewall. Some of the students
> want to do all their work in a regular way on these machines and those
> students have user accounts. But a number just want to be able to
> telnet or ssh to another machine quickly and check email.
>
> Is there a safe way to set up a `guest' user-account with a publicly
> known password?
>
> Jim
I really *really* recommend that each user have their own password. I've run student machines and believe me, you will want to be able to account for who was on the machine at time X when, inevitably, you run into a cracker wannabee script monkey. Another problem you'll run into is that people will give their friends the guest password so they can telnet/ssh as well, and your control over who gets to use the machines is gone. You also need to consider that when you need to change the guest password because some people have left or it inevitably leaks into the wrong hands, it's going to be a major hassle.

That said, look into setting up a chroot jail for the guest account.

You are *much* better off just creating accounts for everyone. Just make the profs you're supporting turn in a class roll at the beginning of the semester and then generate the accounts in one big batch.

Here's the code I used to use - yes, it's ugly as hell, but it was one of the first perl scripts I ever wrote when I first started administering Solaris. Note that it creates tmp-pass and tmp-homes that are ready to include in your NIS maps - I'm too neurotic to let a script modify those files in place. You may need to tinker with the script a little - I sanitized it by removing some site specific information and may have inadvertently broken it.

-- cut here --
#!/usr/bin/perl
#
# by [EMAIL PROTECTED]
#
# If this breaks your system, you get to keep the pieces. You did back
# up your passwd and auto.home map files before running this, right?
#
# Command Line Options:
# -f user's full name
# -a account
# -u uid
# -g gid
# -s shell
# -h home directory prefix
# -p user password
# -d debug level (anything above 30 echoes the parsed options)
#
# getopt.pl is no longer shipped with Perl; Getopt::Std sets the same
# $opt_* globals, so the rest of the script is unchanged.
use Getopt::Std;

&main;

sub main {
    # defaults, overridden by whatever is given on the command line
    $opt_h = "/export/home0";
    $opt_u = 9999;
    $opt_g = 20;
    $opt_a = "account";
    $opt_p = "password";
    $opt_s = "/bin/bash";
    $opt_f = "Full Name";
    $opt_d = 0;
    getopts('f:a:u:g:h:d:s:p:');   # every option takes an argument

    $homes    = $opt_h;
    $uid      = $opt_u;
    $gid      = $opt_g;
    $login    = $opt_a;
    $shell    = $opt_s;
    $password = $opt_p;
    $fullname = $opt_f;
    $homedir  = "$homes/$login";
    $debug    = $opt_d;            # was hardwired to 0, which made -d a no-op

    srand;                         # needs to be done only once.
    $salt = &compute_salt(0);      # change to compute_salt(1) for new crypt()
    $hash = crypt($password, $salt);

    if ($debug > 30) {
        print "h = $opt_h\n";
        print "u = $opt_u\n";
        print "g = $opt_g\n";
        print "a = $opt_a\n";
        print "p = $opt_p\n";
        print "s = $opt_s\n";
        print "f = $opt_f\n";
    }

    # passwd map line: hash goes in the password field, GECOS is padded
    # with empty fields, and the home is reached through the automounter
    open (PASSWD, ">>tmp-pass") || die "Can't open tmp-pass!";
    print PASSWD "$login:$hash:$uid:$gid:$fullname,,,,,,,:/home/$login:$shell\n";
    close(PASSWD);

    # auto.home map line: login -> NFS server and the exported directory
    open (HOMES, ">>tmp-homes") || die "Can't open tmp-homes!";
    print HOMES "$login\tnemesis:$homedir\n";
    close(HOMES);
}

exit(0);

# All this password code is copied from apache's dbmmanage script, I forget
# which version.
#
# if $newstyle is 1, then use new style salt (starts with '_' and contains
# four bytes of iteration count and four bytes of salt). Otherwise, just use
# the traditional two-byte salt.
# see the man page on your system to decide if you have a newer crypt() lib.
# I believe that 4.4BSD derived systems do (at least BSD/OS 2.0 does).
# The new style crypt() allows up to 20 characters of the password to be
# significant rather than only 8.
sub compute_salt {
    local($newstyle) = @_;
    local($salt);
    if ($newstyle) {
        $salt = "_" . &randchar(1) . "a.." . &randchar(4);
    } else {
        $salt = &randchar(2);
    }
    $salt;
}

# return $count random characters
sub randchar {
    local($count) = @_;
    local($str) = "";
    local($enc) = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    while ($count--) {
        # 64 = length($enc) in call to rand() below
        $str .= substr($enc, int(rand(64)), 1);
    }
    $str;
}
-- cut here --

jpb
-- 
Joe Block <[EMAIL PROTECTED]>
CREOL System Administrator
Social graces are the packet headers of everyday life.
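As an added example (not Joe's script and not from the thread), here is the batch-from-a-class-roll approach he describes, carried through in Perl with a separate random initial password per student rather than one -p value per run. It assumes a crypt(3) that understands $6$ (SHA-512) salts, as glibc and libxcrypt do, a constructed two-name roll, and a hypothetical starting uid of 10000; the server name nemesis and the home prefix are taken from his script.

```perl
#!/usr/bin/perl
# Batch account generation from a class roll (added example, not Joe's script).
# Each student gets their own login and initial password, so you can tell who
# was on the machine when, and there is no shared password to leak.
# Assumes crypt(3) accepts "$6$" salts (glibc/libxcrypt); server and home
# prefix follow the original script, the uid range is hypothetical.
use strict;
use warnings;
my $homes      = "/export/home0";
my $nfs_server = "nemesis";
my $shell      = "/bin/bash";
my $gid        = 20;
my $first_uid  = 10000;            # hypothetical first free uid for this batch

# Constructed class roll, "Full Name<tab>login", one student per line.
my @roll = ("Alice Example\taexample", "Bob Sample\tbsample");

# Same alphabet as the dbmmanage salt code. Perl's rand() is not a
# cryptographic generator: these are first-login passwords to be changed.
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');

sub randchar {
    my ($count) = @_;
    my $str = "";
    $str .= $chars[int rand @chars] while $count-- > 0;
    return $str;
}

# One passwd line and one auto.home line for a roll entry. "$6$" selects
# SHA-512 crypt with a 16-character salt, so more than 8 password characters
# count (the traditional two-character DES salt ignores the rest).
sub account_lines {
    my ($fullname, $login, $uid, $password) = @_;
    my $hash = crypt($password, '$6$' . randchar(16) . '$');
    die "crypt() here does not support \$6\$ salts\n" unless $hash =~ /^\$6\$/;
    return ("$login:$hash:$uid:$gid:$fullname,,,,,,,:/home/$login:$shell",
            "$login\t$nfs_server:$homes/$login");
}

open my $pass_fh, '>>', 'tmp-pass'  or die "Can't open tmp-pass: $!";
open my $home_fh, '>>', 'tmp-homes' or die "Can't open tmp-homes: $!";
my $uid = $first_uid;
for my $entry (@roll) {
    my ($fullname, $login) = split /\t/, $entry, 2;
    my $pw = randchar(12);                    # initial password for this student
    my ($passwd_line, $home_line) = account_lines($fullname, $login, $uid++, $pw);
    print $pass_fh "$passwd_line\n";
    print $home_fh "$home_line\n";
    print "$login\t$pw\n";                    # hand-out list: print it, don't keep it
}
close $pass_fh; close $home_fh;
```

The tmp-pass and tmp-homes fragments are appended, not merged, so the NIS maps are still updated by hand as in the original script.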