WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

There is a serious error in my S/Key support code that appears in
releases 3.2 and 3.3 of the logdaemon utilities. Please delete all
copies of the 3.2 and 3.3 releases that are in your possession.

Last update: Sun Oct 2 1994 for logdaemon release 4.4. 
A brief change log can be found at the end of this document.

Introduction:
=============

This archive contains the result of years of gradual transformations on
BSD source.  The code works with SunOS 4, SunOS 5 (Solaris), Ultrix 4.x
and other BSD/SYSV4 clones. Some code may also work with HP-UX 9.0.

(1) rsh and rlogin daemons that log the remote username and perform
    logging and access control in tcp/ip wrapper style.  By default
    these daemons do not accept wildcards in hosts.equiv or .rhosts
    files. Both daemons have an '-l' option to disable user .rhosts
    files.

(2) ftpd, rexecd and login software with fascist login failure logging
    and with optional support for S/Key one-time passwords.  The rexecd
    daemon disallows root logins, once my favourite backdoor.  The
    support for S/Key one-time passwords is optional, and completely
    invisible to users that do not need it. UNIX passwords are still
    permitted by default. A short description of how to use S/Key can
    be found in the skey subdirectory. Binaries for DOS and other
    systems can be found on thumper.bellcore.com.

(3) an S/Key login shell for sites that cannot replace the login
    program. Users first log into a password-less dummy account. The
    S/Key login shell prompts for their real account name and presents
    the corresponding S/Key challenge.

The S/Key support uses the MD4 or MD5 hash function. The mode (MD4 by
default, for backwards compatibility) is selected in skey/Makefile.

Some of the programs need the libwrap.a library that comes with recent
(version >= 6) tcp/ip daemon wrapper (log_tcp) implementations.  In
order to build, you will have to do a

	setenv LOG_TCP directory_with_the_libwrap.a_library

Contents per directory:
=======================

rlogind logging and access control in tcp wrapper style.  Regular
	access is logged (by default) with priority daemon.info.
	Rejected access is logged with daemon.warn or more urgent.
	SunOS 4.x, SunOS 5.x and Ultrix 4.x. In order to use the "-l"
	(ignore user .rhosts files) option you will also need to
	install the login clone (see below). May work with HP-UX 9.0.

rshd    logging and access control in tcp wrapper style.  Regular
	access is logged (by default) with priority daemon.info.
	Rejected access is logged with daemon.warn or more urgent.
	SunOS 4.x, SunOS 5.x and Ultrix 4.x. May work with HP-UX 9.0.

login   hacked for SunOS 4.x, SunOS 5.x, with optional access control
	per (user,host) or per (user, tty); fbtab(5) security; fascist
	login failure logging.  Regular logins are logged with priority
	auth.info, unusual or rejected logins with auth.notice. S/Key
	support. Can also be used with Ultrix 4.x for logins on
	non-graphics consoles. Appears to work with HP-UX 9.0.

rexecd  Regular access is logged with priority daemon.info.  Fascist
	login failure logging.  Rejected access is logged with
	auth.warn or more urgent. Access to the root account is
	prohibited.  S/Key support. Tested with SunOS 4.x, SunOS 5.x.
	Should also work with Ultrix. May work with HP-UX 9.0.

ftpd    ftp daemon with fascist logging and login failure detection
	much like the login clone. Also logs anonymous ftp transfers.
	Tested with SunOS [45].  S/Key support. Should also work with
	Ultrix 4.x. May work with HP-UX 9.0.

telnetd pretty dumb BSD 4.3 telnetd. No access control or logging,
	but compatible with SunOS 4.x, Ultrix 4.x, SunOS 5.x. May work
	with HP-UX 9.0.

keysu   NET/2 BSD su command ported back to SunOS 4.x, with S/Key
	support. Tested with FreeBSD and SunOS 4.1.3. May work with
	HP-UX 9.0.

skeysh  An S/key login shell for sites that cannot replace the login
	program. The solution is to create a dummy account with skeysh
	as the login shell. skeysh is nothing but a stripped-down
	skey-only login program.  People first log into the dummy
	account. This drops them into skeysh that prompts them for
	their real account name and presents the corresponding S/Key
	challenge.  Tested with SunOS 4.1.3 and with Solaris 2.3.
	Should work anywhere the login clone works.

lib     additional routines used by login and by some daemons.
	Includes the ruserok() function that understands NIS, NFS
	(yuck) and that optionally skips user .rhosts files.

skey    Portions of S/Key source from thumper.bellcore.com, plus parts
	that I hacked together myself. All bugs are my own. Edit
	the Makefile to choose between the MD4 or MD5 secure hash
	function. MD4 is default, for backwards compatibility.

The README* files in the respective subdirectories give more details.

Please report any problems to:

	Wietse Venema (wietse@wzv.win.tue.nl)
	Eindhoven University of Technology
	Eindhoven, The Netherlands

Change log:
===========

901218	Fixed a problem with NOFLSH in login.c that caused interrupts
	to not flush the terminal input queue.

910209	Added per-user login access control.

911128	Added support to login for SunOS 4.x style /etc/fbtab, a table 
	of devices whose protection and ownership is to be adjusted
	when a user logs in.

920609	Added tcp wrapper (log_tcp) style access control to rlogind and
	rshd. Improved the remote host name verification code. Added the
	LD_xxx environment fix to login.

920624	Login no longer just dies when the connection is broken, but first
	reports a login failure. This exposes an old cracker's trick.

921029	Ported to Ultrix 4.2. Most of the work was finding out why the
	login process did not have a controlling terminal.

921208	Ported to Solaris 2.0. rlogind can now work with the /bin/login 
	that comes with most UNIXes. This was desirable because not
	everyone is in a position to replace /bin/login.  Moreover,
	some SYSV logins can't even support the '-f' option at all (or
	everyone could login without a password). 2alpha version released.

921229	Tested with Solaris 2.1; some cleanups after looking at modified
	4.4BSD sources from Charles Hedrick (hedrick@cs.rutgers.edu).
	The sources can be found on farside.rutgers.edu.

930103	Most of the sensible SYSV login features implemented. Frozen after 
	check, check and double check. The source really suffered from
	porting and has become too ugly. It becomes a lot more readable
	after running through the unifdef program. Version 2beta released.

930119  Version 2 released after compatibility patches: rshd path; 
	disabling the local domain stripping in login.c; cleanup
	utmpx file after rejecting an rlogin connection.

930221	Added group support to the login access control code, so that we
	can disallow off-site logins to wheel group members.  Group
	matches work only for accounts that are explicitly listed in
	the group file: the matching is not based on group id values.

930222	Stole the code for the EXCEPT operator from the tcp wrapper.
	This, and the previous change, allows me to replace:

		# Disallow non-local logins into the wheel accounts
		+:foo bar baz:LOCAL .my.domain
		-:foo bar baz:ALL

	with the much easier to understand:

		-:wheel:ALL EXCEPT LOCAL .my.domain

	Assuming, of course, that the default is to permit access.

930331	Added per-program hints on how to configure syslogd.
	Added __svr4__ to the Solaris CFLAGS macro because the
	unbundled C compiler does not define it.

930925  Upped the number of ptys that telnetd and rlogind will attempt
	to open.  The original versions would give up after 64 ptys.

930925	rshd now preserves TZ info when running under SunOS 5.
	We were too compatible with SunOS 5. 

930925	login will now syslog() all regular logins, too. It took
	me too much time to examine individual wtmp files.

930929  Ultrix last minute patch to fix rshd environment handling. The
	fix must be ok for SunOS too but no time to verify this.

931206	With SunOS 5.x, do not pass the "-p" option to login.

931212	Added logindevperm support for compatibility with SunOS 5.3.

931212	Added support to the login command for secure (DES) RPC (only
	for SunOS [45].x). This requires that the cleartext password be
	kept around until we have dropped privileges.  Had to jump some
	hoops to prevent the program from ever dropping core with a
	cleartext password.

931212	Print error message when the login.access file exists but
	cannot be opened.

931225	Added S/Key support to login 'cause I was going on a trip.

931229	While on my trip, added S/Key support to ftpd.

940106	Woke up at 5am and realized there was a problem in my S/Key stuff.

940107	S/Key Solaris portability fixes from Douglas Lee Schales.

940110	Make sure that keyinit does not produce world-writable files.

940112	SysV4.0 wtmpx portability fixes from Baruch Cochavy.

940124	Fixed some ftpd and skey things that broke for Ultrix 4.x.

940125	Fix for Solaris uname(2) >0 return value. I fixed this before
	but somehow the change got misplaced. From Douglas Lee Schales.

940130	Made initial seed from skeyinit.c more random (use seconds
	instead of minutes). I managed to produce the same seed on
	multiple machines. The whole seed generation procedure sucks
	anyway:  taking the first two letters of a host name.

940205  Made initial seed from skeyinit.c more random (use last 5
	digits of current time in seconds).

940206	Fixed some login Makefile things that broke for Ultrix 4.x.

940206  Had some real fun with (argh) NIS+. The old BSD login code
	would blindly close all filedescriptors > 2 right AFTER it had
	processed the command-line options. I had to move the closing
	of open files right to the top of the main program. The reason
	for this is that all kinds of nisplus library routines secretly
	open sockets or files and keep them open forever. They get very
	upset when you unexpectedly close their open files.

940306  Finally got so disgusted from the BSD/SYSV #ifdefs that I
	began to clean up the login program. From now on we use POSIX
	instead of BSD/SYSV ifdefs.  Many of my personal enhancements
	are no longer conditional. Ultrix misses some definitions so
	login won't compile there anymore.

	Kerberos code for login.c (John DiMarco <jdd@cdf.toronto.edu>).

940312  Security feature: when S/Key decides whether UNIX passwords are
	ok, skip IP addresses listed for the remote host that appear to
	belong to someone else.

	Cleaned up the rlogind/telnetd code (POSIX interfaces instead
	of BSD/SYSV ifdefs).

	Changed the ftpd S/Key password prompt so that the MS-DOS
	`termkey' TSR can parse it.

940314  Cleaned up the ftpd code (POSIX interfaces instead of BSD/SYSV
	ifdefs).  Ultrix misses some definitions so ftpd won't compile
	there anymore. 

	All code now compiles and works on freebsd, which has become
	my development platform while traveling.

	The code compiles OK on an Indy running IRIX 5.something:
	just pretend to be sunos5.

940317  The telnetd/login programs no longer assume 7 or 8 bits, but
	leave CS7/CS8 tty settings alone.

940321	Modern rloginds seem to prefer 8-bit clean settings, so we
	force CS8 from now on.

940326	Our system administrator wanted netgroup support in the login
	access control file. This took only a few lines of code. A
	netgroup is written as @name, and can be used in host patterns
	and in user patterns.

	Included the keyinfo command and documentation, after getting
	rid of localisms.

	keyinit now restores the tty settings when it is interrupted.

	logdaemon-4.1.tar.Z released.

940426	Backwards compatibility code for Ultrix in login and ftpd.

	Added keysu (s/key su) command. This has little to do with
	daemon stuff but it just makes the package complete. This
	has been tested only with SunOS 4.x and FreeBSD.

	Unset FLUSHO in login.c, in case it helps.

940430  rexecd and rlogind now use the fd_set macros, to shut up
	the ANSI C compiler.

	Converted net/2 su.1 man page to old -man macro style.

	William C. DenBesten asked for user@host patterns in the login
	access control files, so he could control many machines with
	just one set of rules. Fortunately, this took only a few lines
	of code.  The hostpart is matched against the local host name.
	With user@host patterns and netgroups you can build impressive
	patterns such as @usergroup@@hostgroup.

940505  Peter Kossakowski (dfn cert) mentioned the usefulness of the -l
	option to ignore user .rhosts files. On most systems, the
	ruserok() library function has no support for that, so a
	modified version is provided.

	As a bonus, '+' wildcards are by default no longer accepted.
	Instead a loud complaint is sent to the syslogd. The programs
	must be compiled without -DNOPLUS to re-enable '+' wildcards.

	The -l option is supported by rshd, rlogind and by the login
	program (rlogind must pass on the -l option when the login
	program does the hosts.equiv/rhosts processing).  Thus, in
	order to use -l you will have to replace both rlogind and login
	(and, of course, rshd).

	Most path names and syslog logging classes are now configurable
	from the Makefile.

940516	Fixed the README and released version 4.2.

940523  Just like the login, the ftpd now tries to avoid dumping core
	with cleartext or encrypted (shadow) passwords.

940628  Generalized the format of the /etc/skey.access file so you can
	permit/deny UNIX passwords depending on user, tty and/or host.
	There is a new manual page, skey/skey.access.5 that documents
	this new format.

940718	Fixed another thing that broke with Ultrix: in lib/rcmd.c
	moved an #endif up to above the rresvport() routine.

	Now that you can specify what terminals are secure, the S/Key
	code has been modified to always permit UNIX passwords on the
	console. This saves you the embarrassment of having to break
	into your own machine. Alas, on some systems the console is
	not called /dev/console.

	Released version 4.3.

940908  Added -user and -host support to ruserok().  No-one complained
	so far, but most systems document it. Looks like one feature
	that Berkeley dropped.

	HP-UX and BSDI support from Howard Chu for login, keysu and
	s/key.

	Replaced Howard's "vendor" #ifdefs by "feature" #ifdefs.

	(s/key) When built with -DSECURETTY, the keysu command will not
	accept the root password unless it is invoked from a secure
	terminal.  Idea from Howard Chu.

	(s/key) "keyinit -s" would ask for counts up to 10000 but the
	actual limit is 9999 (Howard Chu). 

	(s/key) Eliminated a possible localhost vs localhost.domain
	clash (Howard Chu).

940910  Collected system dependencies in one central file (sys_defs.h)
	and cleaned up the Makefiles. This may help when porting to
	other systems.

940911  After discussions with Guido van Rooij, documented several host
	name and address spoofing loopholes that may cause S/Key to
	permit UNIX passwords to unauthorized clients.

940914/5 Porting rexecd, ftpd, rlogind and telnetd to HP-UX 9.0 was not
	impossibly difficult. The effort may be useful to someone.

940917  Disabled the `site' extensions (umask, chmod) for ftp guest
	logins.

940922	Replaced the MD4 code by the byte-order independent versions 
	from the NRL distribution on thumper.bellcore.com. MD4 is
	still the default. Edit the Makefile to switch to MD5.

940931  Idea from *Hobbit*: sites that cannot replace their login
	program can create a dummy s/key account whose login shell is
	a very much stripped-down skey-only login program.  The skeysh
	program is my result of such an exercise.

941002	Cleaned up docs and comments.

	Released version 4.4.
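
Added example (not part of the logdaemon sources): a small C model of the
login access rule matching described in the 930221 and 930222 entries,
showing that the single EXCEPT rule and the older two-rule form reach the
same decisions. The function names, the constructed wheel membership table,
the sample origins, first-match evaluation and case-sensitive comparison are
assumptions of this example; netgroup and user@host patterns are left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the group file, then the two rule sets from the 930222 entry. */
static const char *const WHEEL[] = { "foo", "bar", "baz", NULL };
static const char *const OLD_RULES[] = {
    "+:foo bar baz:LOCAL .my.domain", "-:foo bar baz:ALL", NULL };
static const char *const NEW_RULES[] = { "-:wheel:ALL EXCEPT LOCAL .my.domain", NULL };

static int tok_match(const char *tok, const char *item, int is_user) {
    size_t tl = strlen(tok), il = strlen(item);
    if (strcmp(tok, "ALL") == 0) return 1;
    if (is_user && strcmp(tok, "wheel") == 0)    /* membership by listing, not gid */
        for (int i = 0; WHEEL[i]; i++)
            if (strcmp(WHEEL[i], item) == 0) return 1;
    if (!is_user && strcmp(tok, "LOCAL") == 0) return strchr(item, '.') == NULL;
    if (!is_user && tok[0] == '.') return il > tl && strcmp(item + il - tl, tok) == 0;
    return strcmp(tok, item) == 0;               /* names assumed already lowercased */
}

/* "A EXCEPT B" matches when item matches list A and does not match list B. */
static int list_match(const char *list, const char *item, int is_user) {
    const char *ex = strstr(list, " EXCEPT "), *end = ex ? ex : list + strlen(list);
    char tok[64];
    int hit = 0;
    while (!hit && list < end) {
        size_t n = strcspn(list, " ");
        snprintf(tok, sizeof tok, "%.*s", (int)n, list);
        hit = n > 0 && tok_match(tok, item, is_user);
        list += n + (list[n] == ' ');
    }
    return hit && !(ex && list_match(ex + 8, item, is_user));
}

/* 1 = permit, 0 = deny; first matching rule decides, default is permit. */
static int login_ok(const char *const *rules, const char *user, const char *from) {
    char perm, users[128], origins[128];
    for (; *rules; rules++)
        if (sscanf(*rules, " %c:%127[^:]:%127[^\n]", &perm, users, origins) == 3
            && (perm == '+' || perm == '-')      /* skip comments and malformed lines */
            && list_match(users, user, 1) && list_match(origins, from, 0))
            return perm == '+';
    return 1;
}

int main(void) {
    const char *from = "evil.example.com";       /* constructed origin */
    printf("foo from %s: old=%d new=%d\n", from,
           login_ok(OLD_RULES, "foo", from), login_ok(NEW_RULES, "foo", from));
    return 0;
}
```

The ".my.domain" pattern is compared with its leading dot, so an origin such
as "evilmy.domain" does not pass as local.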
