README.TXT                                        FSLOGIN 1.50
--------------------------------------------------------------

Full Screen Login
A utility for all Novell NetWare users.

╔════════════════════════════════════════════════════╗
║ Please enter your Login Data                       ║
╠════════════════════════════════════════════════════╣
║                                                    ║
║  Server     YOUR_SERVER................            ║
║                                                    ║
║  Userid     YOUR_USERID................            ║
║                                                    ║
║  Password   ...........................            ║
║                                                    ║
╚════════════════════════════════════════════════════╝

[Logo: Association of Shareware Professionals (R) - MEMBER]

FSLOGIN is a registered trademark of Confirm.
Netware is a registered trademark of Novell, Inc.
(c) Confirm 1993, All Rights Reserved
October 1994
--------------------------------------------------------------

FOREWORD

The idea to start with a login program actually came from users who were dissatisfied with the standard command line utility. They wanted and needed 'something' more than a few lines of text on the screen when login was not possible, better 'guidance' through the changing of passwords and an easier way to do what they have to do every day: login to one or more servers.

FSLOGIN version 1.0 was first published on March 1, 1993. In due time lots of new ideas were integrated in the product. FSLOGIN provides support for NetWare Name Service. This feature allows use of FSLOGIN in Name Service Domains without losing any functionality of NNS itself. For those sites that do not use NNS, but have accounts defined on more than one server, FSLOGIN has a Server Group feature that takes care of password synchronisation among the servers in that group.

Version 1.5 adds features that result in an extra security wall when accessing your corporate LAN from dial-in PCs.
A big thanks goes to a group of colleagues, friends and customers who have done a fine job of looking, testing, talking, phoning, faxing and criticizing. They helped, and often still help, FSLOGIN to grow. If you have any suggestions for improvement of this product, don't hesitate to tell us. It is our goal to make Full Screen Login as user friendly as possible.

The author: Aad Slingerland

TABLE OF CONTENTS

CHAPTER 1: THE PURPOSE OF THIS PROGRAM
CHAPTER 2: HOW TO INSTALL
CHAPTER 3: HOW TO USE
CHAPTER 4: SPECIAL KEYS
CHAPTER 5: HOW TO CUSTOMIZE
CHAPTER 6: PASSWORD EXPIRED!
CHAPTER 7: MULTIPLE SERVER ENVIRONMENTS
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
CHAPTER 9: SOME OTHER FEATURES
APPENDIX A: SOME QUESTIONS AND ANSWERS
APPENDIX B: ERRORLEVELS AND ERROR MESSAGES
APPENDIX C: ERRORCODES FROM THE NETWORK
APPENDIX D: CURRENT LIMITATIONS
APPENDIX E: REGISTRATION AND SUPPORT
APPENDIX F: THE SHAREWARE CONCEPT
APPENDIX G: DISCLAIMER - AGREEMENT

CHAPTER 1: THE PURPOSE OF THIS PROGRAM

All the PC users who are connected to a local area network with Novell servers have at least one thing in common. They must login to the network before applications and data become available. This is almost always done using the standard Novell login program. This command line utility, however, is not very attractive to use and does not do a fine job when users must be informed about network exceptions or errors.

┌──────────────────────────────────────────────┐
│ Login Error                                  │
├──────────────────────────────────────────────┤
│                                              │
│ The login process to the chosen file server  │
│ with the chosen userid cannot be completed.  │
│                                              │
│ One of the security measures prevented this. │
│ You will have to contact the system          │
│ administrator to clear this situation.       │
│                                              │
│ The errorcode and reason is:                 │
│                                              │
│ Errorcode : 197                              │
│ Reason    : Intruder lockout                 │
│                                              │
└──────────────────────────────────────────────┘

FSLOGIN enhances the way users can login to a server by providing a full screen, Novell menu style program. FSLOGIN is not only a different way to type some data, like the userid and the password, but does extensive checking of accounting and security exceptions. All kinds of reasons why a user cannot login to a server are presented in clear text in a full screen window. Because the user is properly informed of such exceptions, he or she will be able to communicate better with the system administrator, instead of just complaining about not being able to login. The actual Novell login command line utility is only executed after various checks on correctness of names, accounting and security matters have been done. Almost nothing but a file server that goes down at that particular moment can go wrong now.

CHAPTER 2: HOW TO INSTALL?

Installing the Full Screen Login program can be done in three stages. The first stage is always required. Stages two and three are optional, and using them depends on the preference of the system administrator.

The first stage installs FSLOGIN on the Novell server, and is basically enough to make it available for use. The second stage is distributing one of the program files of FSLOGIN to PCs with a local hard disk. The benefit of this is that this program is capable of 'finding' the sys:login directory, even if it is on some network drive like z:. The third stage is renaming the program fslogin.com to login.com. This makes the Full Screen Login program the one that's always used, and you don't have to change existing batch files where 'login' is called.

Stage One

Execute the installation batch file (INSTALL.BAT) from the drive and directory where the distribution files reside.
The installation procedure prompts for the language support files to install (currently English and Dutch) and installs the program and language support files to the directory sys:login. The file fslogin.com is also copied to the sys:public directory. All files except fslogin.ini are flagged read-only shareable.

When you are using a NetWare 2.xx server, you must grant a trustee assignment to the group EVERYONE which gives this group Read and File Scan rights in the sys:login directory. Do not grant more than that: fslogin.ini is read from this directory by every user and must not be writable by them.

That's all! Just type fslogin now.

Stage Two

Distribute the program fslogin.com to the local disk of the PCs in your network. Make sure that this program resides in a directory that is in the PATH variable. From that moment on, your users will be able to login even if they logged out the last time from 'some' network drive, leaving sys:login on 'some' network drive letter other than the first.

Stage Three

Rename fslogin.com to login.com in both the directories sys:login and sys:public. When Stage Two has been used, also distribute login.com to the PCs with a hard disk.

Local Disk Installation

Since version 1.4, FSLOGIN can be installed on a local hard disk in addition to installation on a file server. In general this should not be done, because it creates a maintenance problem: every local copy has to be updated separately. However, there are situations where installation on a local disk is preferred. For example, when a workstation is connected to a LAN through a wide area link, program loading from a server is considerably slower compared to LAN speed.

Example of a directory on a local hard disk:

C:\NWCLIENT\IPX.COM
C:\NWCLIENT\NETX.EXE
C:\NWCLIENT\FSLOGIN.COM
C:\NWCLIENT\FSLOGIN.OVL
C:\NWCLIENT\FSLOGIN.CWA
C:\NWCLIENT\FSLOGIN.HLP
C:\NWCLIENT\LOGIN.EXE

Note that the file fslogin.ini is not copied to this directory. This file is always read from the directory sys:login, because users should not be able to modify this file themselves; a copy on the local disk would be under the user's control. Note also that Novell's login.exe can also be copied to the same directory.
This is optional but will speed up the login process. The only thing that needs to be done after installation is taking care that the copy of fslogin.com in the directory c:\nwclient is the one that gets executed. This .com file does the rest.

CHAPTER 3: HOW TO USE?

Once installed, Full Screen Login is available. Just type FSLOGIN and the Login Data menu shows up. As you can see, the name of the default server to which the workstation is attached is automatically placed in the Server field. For a first exercise, fill in the name of a userid you want to use and press the enter key. The highlight goes down to the Password field. When there is a password defined for this userid, fill it in. Otherwise leave this field blank. When all data fields are okay, press the enter key to confirm all the data to the program.

┌────────────────────────────────────────────────────────────┐
│ Userid and/or Password Error                               │
├────────────────────────────────────────────────────────────┤
│                                                            │
│ The Userid and/or the Password is not correctly specified. │
│ Please retype the Userid and/or the Password.              │
│                                                            │
└────────────────────────────────────────────────────────────┘

At this moment the information that has been placed in the fields is validated, and when something is wrong you are informed. When the validation is okay, and there are no other accounting and security restrictions, the login process continues with the execution of the system and user login scripts. You as a system supervisor do not have to change anything in existing login scripts in order to use FSLOGIN.

In contrast to the 'standard' Novell menu interface, the cursor is always visible in the input fields. This relieves the user from the unfriendly difference between moving between fields and editing them. When the highlight is moved to another field, that field automatically switches to edit mode and the cursor is shown. The keys to move between the fields are: tab, backtab, up arrow and down arrow.
The enter key also moves the highlight down, until it is used in the last field of a form. The keys to move the cursor in a field while editing are: home, end, left arrow and right arrow.

CHAPTER 4: SPECIAL KEYS

F1 = Help

You might already have used the F1 key for online help. Most of the basics of this utility are explained there, and the average user should have enough information to do the job. The up arrow, down arrow, page up and page down keys let you scroll through the text, and the escape key brings you back again.

F5 = ServerList

When you are working in a multiple server environment, the ServerList function becomes valuable. Just press this key to get an overview of all the file servers in your network, and pick one. Note that using the F5 key is independent of the currently highlighted field. It always works. There is an option to restrict the end-user view on the network by disabling the ServerList function or by limiting the ServerList to a custom specified list. See chapter 5 'How to Customize' for more information.

┌──────────────────────────────┐
│ List of servers              │
├──────────────────────────────┤
│ EARTH                        │
│ JUPITER                      │
│ MARS                         │
│ MERCURIUS                    │
│ NEPTUNES                     │
│ PLUTO                        │
│ SATURNUS                     │
│ URANUS                       │
│ VENUS                        │
│ Z220                         │
│                              │
└──────────────────────────────┘

F7 = Supervisor

There is one specific userid which is probably typed thousands of times each day by thousands of supervisors. Just press the F7 key and look what happens. FSLOGIN presents you a list with a few very often used names in it. Move the highlight to the one you need and press the Enter key. After pasting the chosen username in the Userid field, the highlight goes straight to the Password field, since this is most likely the place you want to go. The three names that appear in the list right after installation are just an example. The names to appear in the list can be customized in the fslogin.ini file. See also chapter 5.1, the ULIST keyword.
If security is very important and you do not want users to 'discover' the existence of a supervisor userid, you can turn this feature off by using the statement ULIST=0.

CHAPTER 5: HOW TO CUSTOMIZE

FSLOGIN has three ways to customize various options and program behaviour.

The first one is modifying one or more of the options in the file fslogin.ini. This file resides in the sys:login directory, together with most other program files. The options that are specified here are system wide. They are valid for all users who are attached to this server.

The second way to customize is using one or more command line parameters that override one or more of the system wide options from fslogin.ini. Command line parameters apply only to that particular instance of FSLOGIN.

The third way to customize FSLOGIN is using environment variables to pre-fill the Server and/or Userid fields with a specific value.

5.1: Fslogin.ini parameters

The file fslogin.ini in the sys:login directory contains a number of parameters. Since fslogin.ini is a plain ASCII text file, it can be edited with any text editor. Comment lines start with a semicolon. The comment lines in the default fslogin.ini can be deleted if necessary.

Days=0 - 9

The value of this parameter determines the number of days before the actual expiration date during which a user is invited to change the password. Changing the password before the actual expiration date is not required, so when the user presses the escape key, he or she is logged in with the current, but soon expiring, password. This method, however, triggers the average user to start thinking about something new before it is too late, and prevents unnecessary phone calls to the system supervisor.

Dim=0 - 9

The built-in screen dimmer becomes active after a certain amount of keyboard inactivity. This amount of time, measured in minutes, can be customized with the Dim= parameter. When the value is 0, the built-in screen dimmer is disabled.
See also the !nd command line parameter below.

diTim=0 - 9

DialinTime specifies the maximum time in minutes allowed to login on a dialin host PC. This statement only has effect when used in combination with the !di command line option. See the next sub-chapter for command line arguments. When the DialinTime has elapsed, FSLOGIN takes action according to the value of the diAct parameter.

diMax=0 - 9

DialinMax specifies the maximum number of login attempts that can be made by a user connected to a dialin host computer. When the user keeps on specifying incorrect information, like Servername, Userid and/or Password, FSLOGIN takes action according to the value of diAct. Like diTim, this statement only has effect when the !di command line argument is used.

diAct=0 or 1

DialinAction specifies what to do when one of the two above events happens. A value of 0 for diAct tells FSLOGIN to exit to DOS with an errorlevel. The errorlevels used are 2 for diTim and 3 for diMax. When diAct=1, FSLOGIN takes a more drastic security measure: it tries to close the COM ports of the dialin host PC and starts rebooting.

Esc=0 - 2

The escape key at the top level (the Login Data form) can be disabled or enabled with this parameter. In some environments the supervisor might want to force users to login before doing anything else on their workstation. A value of 0 disables 'escaping' from the top level menu. When the value is 1, the user can leave this application. When the value is 2, the user is prompted by a 'yes/no' box before exiting. See also the !ne command line parameter.

Exp=0 or 1

This parameter switches the exploding windows effect on (1) or off (0). Some people like this exploding windows effect, others don't. So it's optional.

Kbc=0 or 1

Up until version 1.4 the keyboard buffer was always cleared when FSLOGIN started. This can now be turned off or on using the fslogin.ini statement KBC=0 or KBC=1.

Lws=0 or 1

Up until version 1.4 the current account was not logged out when FSLOGIN was started.
In other words, when the user did not actually login but pressed the escape key, he was back exactly where he was. Immediate logout can be turned on using the fslogin.ini statement Logout When Started (LWS=1).

Nns=0 - 2

NetWare Name Service support is switched on or off using this statement. A value of 0 disables NNS support. A value of 1 lets FSLOGIN automatically detect whether the server is part of a Domain or not. A value of 2 always forces the Name Service Login Data form to be used.

Pfp=0 - 3

The value of the Password Field Presentation parameter determines what the user sees when a password is typed. A value of 0 gives the same effect as a 'default' Novell menu style utility, and that is nothing. The cursor stays in the home position of the field and there is no further indication of what is typed. A value of 1 lets the cursor move as characters are typed, showing spaces instead of the actual typed characters. A value of 2 also moves the cursor and shows dots instead of spaces. A value of 3 also moves the cursor and shows a row of stars instead. Note that with the values 1 to 3 the length of the password can be read from the screen by anyone looking over the user's shoulder; with the value 0 it cannot.

Pro=0 or 1

This parameter is used in combination with the NetWare Name Service Login screen only. When set to zero, the default, the Profile field contains the text 'default'. When set to one, the contents of the Profile field is synchronised with the contents of the Server field. So when a different server is picked from the ServerList, both the Servername and the Profile will contain the new value. Note that the environment variable FS_PRO still overrides this system wide setting.

Pss=0 or 1

The result of password synchronisation can be shown to the user or be left out. Password synchronisation is only active when working in a NNS domain or when a Server Group has been defined.

Sdw=0 or 1

This parameter switches the shadow effect behind the windows on (1) or off (0).

Sgroup=0 - 2

The Server Group function is disabled when the value of Sgroup is 0.
This means that FSLOGIN does not attempt to synchronize a newly specified password on other servers. When the value of Sgroup equals 1, all the servers in the network are considered as one Server Group. When a user specifies a new password for his 'home' server, FSLOGIN will attempt to synchronize this new password on all servers which have the same userid defined. Use this value only when every server in the network is under your administration: the new password is presented to every server that has a userid of that name.

The system administrator can restrict the servers in a Server Group by explicitly specifying which servers belong to it. For example:

Sgroup=2
home_server
second_server
third_server

The list of server names that comes directly after the Sgroup=2 statement can contain 16 names. Wildcards in each individual 'name' are allowed. For example:

Sgroup=2
home_server
other*

Slist=0 - 3

When this parameter is set to 0, the ServerList function is disabled. When set to 1, the entire network is visible to the user. The system administrator can restrict the names of servers in the ServerList by explicitly specifying which servers may be seen. For example:

Slist=2
home_server
second_server
third_server

The list of server names that comes directly after the Slist=2 statement can contain 16 names. Wildcards in each individual 'name' are allowed. For example:

Slist=2
home_server
other_*

The user can be further restricted by not allowing the Servername field to be edited. This feature is turned on by specifying 'Slist=3'. The effect is that the user can pick from the custom list of servers after the Slist statement, but is not able to alter the name in the Servername field.

Ulist=0 or 2

This parameter defines the behaviour of the F7 key. In previous versions, the F7 key pasted the 'Supervisor' user name in the Userid field. Now it can be turned off, changed to another user name or even to a list of user names. The following example presents a small list with two user names when the F7 key is pressed.
Ulist=2
Supervisor
Lanvisor

When you specify only one name in this list, most probably Supervisor, then there is no list on the screen and the F7 key functions the same as in previous versions of FSLOGIN. When you want to disable the F7 key, use the value 0 after the Ulist= parameter.

UXList=0 or 2

Certain userids, like GUEST, can be excluded from being used by putting them in the User eXclude List. The value follows the same convention as Ulist: 2 introduces the list of names, 0 disables the list.

5.2: Command line parameters

The following command line parameters are specified directly behind the command 'fslogin'. For example 'fslogin !ne'. These command line parameters are used to override some of the system wide options from the fslogin.ini file.

!nd  NoDimmer. The NoDimmer option might be useful when FSLOGIN is used in combination with asynchronous dial-in servers.

!ne  NoEscape. The user of this workstation must login first now.

!ns  NoServerlist. The ServerList function for this workstation is restricted now.

!di  Activate the dialin specific parameters in fslogin.ini. These specific dialin parameters are diTim, diMax and diAct. The use of !di also automatically activates !ne and !nd.

5.3: Environment variables

To make daily use even more simple, two of the three fields in the Login Data form can be pre-filled. You might already have noticed that the Server field contains the name of the server to which the PC is attached. This automatic filling in of a servername should be sufficient in single server environments, where there is nothing to choose. However, in a multiple server environment the server to which the PC is attached is not always the one users need to access. A DOS environment variable can be used to specify a different name as the default. Type the following command at the DOS command prompt.

SET FS_SRV=MYSERVER

When the program is started again the Server field will contain the string 'MYSERVER'. Another feature available here is the ServerList function.
When the F5 key is pressed, the program reads the names of the available servers in the network and presents a list on the screen. Just move the highlight and pick a name!

The environment variable FS_PRO defines a 'default' profile for use in a NetWare Name Service environment. For example:

SET FS_PRO=PROFILE_ONE

The Userid field can be pre-filled as well with the use of another environment variable. Type the following command at the DOS command prompt.

SET FS_UID=MYUSERID

Now the Userid field will also come up with a default. When the pre-filled values for the Server and Userid are correct, the only thing the user has to do is type the corresponding password and press the enter key twice.

There is a special form of the FS_UID variable that can be useful when the userids in your organisation are highly structured. There are companies that use not so individual userids like ACCOUNT01, ACCOUNT02, ACCOUNT03 etc., and maybe SALES01, SALES02 and so on. The idea behind this is that the first part of the userid is always the same. The 'common' part of the userid string can be pre-filled by placing it in the environment variable FS_UID, followed by a tilde. For example:

SET FS_UID=TECHNO~

Have a look at what happens!

CHAPTER 6: PASSWORD EXPIRED!

An expired password is almost always a source of inconvenience. Most users manage well reading the line mode text from the Novell Login program. Some other users will always succeed in locking up their userid and call for supervisor assistance. FSLOGIN helps most users take this hurdle in a user friendly way and, most important, without the help of a system administrator.

The first step FSLOGIN takes is notifying the user that his password is going to expire some day in the near future, and, at the same time, giving the user the possibility to change it now. Here is what you get!
╔══════════════════════════════════════════════════════════════════╗
║ Password Status                                                  ║
╠══════════════════════════════════════════════════════════════════╣
║ Your current password is going to expire in 5 days. If you       ║
║ wish you can specify a new password now. Retype the new          ║
║ password again after the Verification prompt. This is a check    ║
║ to prevent typing errors. Your new password should be at         ║
║ least 4 characters long.                                         ║
║                                                                  ║
║  New Password   .................................                ║
║                                                                  ║
║  Verification   .................................                ║
║                                                                  ║
╚══════════════════════════════════════════════════════════════════╝

When the user takes no action the actual expiration date will come, and if the user wants to login, he will be forced to change the password now. It is possible to escape from the 'Password Expired Status' form, but there will be no login.

This does not mean that the grace login mechanism of the Novell security system is not used any more. At least one grace login is needed to be able to change the current password into a new one. So do not set the grace login count for the users to zero! When there are no grace logins left, there is no way a user could login. Neither with the Novell login program, nor with any other program!

CHAPTER 7: MULTIPLE SERVER ENVIRONMENTS

FSLOGIN has support for password synchronisation in multiple server environments. Password synchronisation is needed for those users that are defined on more than one server. Basically there are two methods that are used in multiple server environments:

NetWare Name Service

NNS is a Novell product that is widely distributed among large corporations. The basic idea is to give each user a single login to the servers that are needed to do the job. When the system administrator creates a new user in an NNS Domain, that userid is created on all the servers in that domain. Depending on the specified Profile, the user is attached to one or more servers in the Domain.
The ATTACH login script statement

ATTACH statements are specified in either the system login script or the user login script. When a user logs in to his 'home' server the statements are executed and the user is automatically attached to a second, maybe a third, server in the network. The userid must be defined on the 'other' servers as well and the passwords must be in sync.

FSLOGIN supports both the NetWare Name Service environment and the multiple server environment where the ATTACH method is used.

7.1: NetWare Name Service support

When FSLOGIN is used in a NNS environment, it can be customized to present the user a NNS specific Login Data form (see also the chapter 'How to Customize', the Nns and Pro parameters). The user can specify a profile or leave this field at its default value. Like all other fields that are filled in, the Profile is validated for existence and authorization before FSLOGIN continues.

╔════════════════════════════════════════════════════╗
║ Please enter your Login Data                       ║
╠════════════════════════════════════════════════════╣
║                                                    ║
║  Server     YOUR_DOMAIN_SERVER                     ║
║                                                    ║
║  Profile    DEFAULT                                ║
║                                                    ║
║  Userid     YOUR_USERID                            ║
║                                                    ║
║  Password   ..........................             ║
║                                                    ║
╚════════════════════════════════════════════════════╝

When the password for a user expires (or will expire within a number of days in the near future) the user is prompted to change the password. When the new password is validated, FSLOGIN synchronises the new password on all the servers in that domain. The user is informed about the result of this synchronisation step.

7.2: Server Groups

FSLOGIN has a new feature called Server Groups. This feature makes it possible to take care of password synchronisation in non-NNS environments. Two or more servers can be defined as a logical group, and FSLOGIN will treat this group as a domain. When a user is defined on more than one server in this group, FSLOGIN will take care of password synchronisation. What are the steps to be taken?
Step One

Define two or more servers as a group. This is done in the FSLOGIN.INI file by customizing the Sgroup (Server Group) statement. For example:

Sgroup=2
home_server
other_server

Step Two

Define a new user on both servers and make sure the accounting restrictions and the initial password are the same. If you want to use an existing userid, check the accounting restrictions and the password synchronisation status. Correct them if necessary.

Step Three

Login with that userid on the home server. Because the supervisor just defined the new account, you will be prompted for a new password. Type a new password and see the result of the synchronisation step.

┌──────────────────────────────────────────────────────┐
│ Synchronization Status                               │
├──────────────────────────────────────────────────────┤
│ JUPITER       │   0 Ok                               │
│ MARS          │ 252 No such userid                   │
│               │                                      │
│               │                                      │
└──────────────────────────────────────────────────────┘

It is not necessary to define all users on all servers in the Server Group. Only those people that need to access OTHER_SERVER need a corresponding userid and password there.

CHAPTER 8: FSLOGIN AND DIALIN SERVERS

Most local area networks are not only used from workstations that are directly attached. There is a growing need to access the data and programs on a corporate LAN from other geographical locations. This need for communication has led to products that turn a regular workstation in a LAN into a dialin host that can be accessed using regular telephone lines and modems.

It's obvious that these gateways to programs and data need the mechanics to prevent unauthorised access. Many of the products that are on the market today have security options built in. FSLOGIN, however, adds an extra layer of access security to the Novell servers in the network. Once a remote user has a dialin connection to a dialin host on a LAN, that user has to pass the proper login information before data and/or programs can be accessed.
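The restrictive settings that this chapter relies on are scattered over chapter 5.1. As an added example, not part of the FSLOGIN distribution, here is a complete fslogin.ini for a dialin host that collects them in one place, with the permissive value a regular workstation would use noted in a comment next to each. The parameter names and values are the documented ones; the server names HOST01 and DATA01, the choice of limits and the one-name-per-line layout of the Slist, Ulist and UXList lists are assumptions made for this example.

```ini
; fslogin.ini for a dialin host PC (added example; not the shipped default).
; Lives in SYS:LOGIN, where users have Read and File Scan rights only.
; Only whole comment lines are documented, so no comment follows a value.

; No escape from the Login Data form. !di on the command line forces this
; too (!ne), but do not depend on a flag someone may drop from the batch file.
Esc=0
; A regular workstation would use Esc=2 (yes/no box before leaving).

; Log out whatever account is still attached from a previous caller
; before a new login is attempted.
Lws=1

; Show nothing while the password is typed, so its length is not on screen.
Pfp=0
; A regular workstation might use Pfp=2 (dots; reveals the length).

; Only the listed servers can be chosen, and the Servername field
; cannot be edited. The names HOST01 and DATA01 are made up.
Slist=3
HOST01
DATA01
; A regular workstation would use Slist=1 (whole network visible via F5).

; No F7 list of well-known userids such as Supervisor.
Ulist=0
; A regular workstation might use:
; Ulist=2
; Supervisor
; Lanvisor

; GUEST is not easy to delete on every server but is not meant for dialin use.
UXList=2
GUEST

; Dialin limits; only active when FSLOGIN is started with !di.
; Three attempts, then the diAct action.
diMax=3
; Two minutes to complete the login, then the diAct action.
diTim=2
; Return errorlevel 3 (diMax) or 2 (diTim) to the calling batch file.
diAct=0
; The alternative, diAct=1, closes the COM ports and reboots the host.

; No screen dimmer on a host nobody sits at (!di forces !nd anyway).
Dim=0
```

Because fslogin.ini is always read from sys:login and never from the local disk, this one file governs every dialin host attached to the server; the per-host differences (!di, !ns) stay in the batch file that starts FSLOGIN.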
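With diAct=0 the handling of the errorlevels is left to the batch file that starts FSLOGIN. Here, as an added example that is not part of the FSLOGIN package, is a complete dialin host batch file that does so for errorlevel 3 (diMax) and 2 (diTim). It assumes fslogin.ini contains diAct=0 together with diMax and diTim, and that FSLOGIN returns errorlevel 0 after a completed login; PCSOMEWHERE (the dialin host program) and LOGOFF (the hang-up utility of that dialin package) are placeholders for whatever your package provides. Note that the DOS test IF ERRORLEVEL n is true for every errorlevel greater than or equal to n, so the tests must run from the highest value down.

```batch
@ECHO OFF
REM DIALIN.BAT - start the dialin host and gate it with FSLOGIN (added example).
REM Assumes fslogin.ini in SYS:LOGIN contains diAct=0, diMax and diTim.
REM PCSOMEWHERE and LOGOFF stand for the dialin package's own host and
REM hang-up programs; substitute the real names.

REM No default server name in the Server field
SET FS_SRV=NONE

REM NetWare client: Link Support Layer, board driver, IPX, shell
LSL
NE2000
IPXODI
NETX

:WAITCALL
REM Blocks until a remote user has dialed in and taken over the screen
PCSOMEWHERE

REM !DI activates diMax/diTim/diAct (and implies !NE and !ND); !NS hides
REM the server list. Errorlevel 2 or 3 means a dialin limit was hit;
REM 0 is assumed to mean that LOGIN.EXE and the login scripts completed.
FSLOGIN !DI !NS

REM IF ERRORLEVEL n matches n and everything above it: test high to low.
IF ERRORLEVEL 4 GOTO OTHERERR
IF ERRORLEVEL 3 GOTO TOOMANY
IF ERRORLEVEL 2 GOTO TIMEOUT
IF ERRORLEVEL 1 GOTO OTHERERR
GOTO LOGGEDIN

:TOOMANY
ECHO diMax reached: too many failed login attempts, dropping the line
GOTO HANGUP

:TIMEOUT
ECHO diTim reached: no valid login within the time limit, dropping the line
GOTO HANGUP

:OTHERERR
ECHO FSLOGIN ended with an unexpected errorlevel, dropping the line
GOTO HANGUP

:HANGUP
REM Hang up the modem with the dialin package's own utility, then wait
REM for the next caller without ever leaving this batch file.
LOGOFF
GOTO WAITCALL

:LOGGEDIN
REM The remote user is logged in; the session continues from here.
ECHO Login completed
```

Every path that does not end in a completed login leads back to :WAITCALL through :HANGUP, so a caller who hits a limit never reaches a DOS prompt on the host. Any other errorlevel is treated the same way rather than being ignored.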
FSLOGIN has extra security options which have been designed specifically for use on dialin host machines.

First of all, the amount of information that a user can 'see' in the FSLOGIN screen can be restricted to almost nothing. The user has to know the name of the Server, his/her userid and, of course, the corresponding password. The ServerList feature of FSLOGIN can be turned off for individual workstations using the !ns command line option. This command line option overrules the global setting in fslogin.ini. Furthermore, the default name in the Server field can be suppressed using the environment variable FS_SRV=NONE. Note that the exception reporting that makes FSLOGIN friendly on the LAN (the 'Intruder lockout' window in chapter 1, for example) is shown to a dialin caller as well and tells that caller something about the state of an account; the diMax limit described below is what keeps such probing short.

The next step in building a security wall is disabling the use of certain userids that are not easy to delete (GUEST for example) yet not meant for regular access by users. The User eXclude List feature makes this possible. This list is specified in the fslogin.ini file with the statement 'UXList'.

When the dialin user accesses the host PC, it's obvious that FSLOGIN should not be terminated with the Escape key. This would give the user access to the standard Novell commands SLIST and LOGIN. Although the Escape key can be enabled or disabled globally in fslogin.ini, it can be disabled in specific situations using the !ne command line option.

The next step is preventing a user from trying out all kinds of combinations of Server names, Userids and Passwords. Not that this is likely to succeed, but these tryouts can be cut short using the following statements in FSLOGIN.INI.

diMax=0 - 9

dialinMax defines the maximum number of login attempts that a user can make before FSLOGIN takes action. For example, when diMax=3, the user can make three attempts to login and when the third attempt is invalid (invalid Servername, invalid Userid or invalid Password) the action specified in diAct is executed (see below).

diTim=0 - 9

dialinTime specifies the maximum time in minutes that FSLOGIN waits for the user to login.
When this time expires, FSLOGIN assumes that the connection between the dialin host and the PC at the other end should be terminated. See diAct below.

diAct=0 or 1

The dialinAction parameter in FSLOGIN.INI specifies the action that should be taken when one of the two above events occurs. When diAct=1, FSLOGIN tries to close the communication ports of the dialin host and then reboots the machine. No better way to break the connection between you and a hacker. Test this on the actual dialin host before relying on it: whether the modem really drops the line when the ports are closed and the PC reboots depends on the dialin software and the modem settings, which FSLOGIN does not control.

When diAct=0, FSLOGIN does not reboot the dialin host but returns to DOS with a specific errorlevel. The errorlevel identifies the event that has occurred: 2 for a diTim event and 3 for a diMax event. It is up to the procedure (batch file) that called FSLOGIN to handle these errorlevels. The batch file could, for example, execute a LOGOFF program that is specific for a certain dialin software package.

Note that although the latter three parameters (diMax, diTim and diAct) are specified in fslogin.ini, they are only activated when FSLOGIN is started with the !di command line option. The !di command line argument also automatically activates the !ne (NoEscape) and !nd (NoDimmer) options. The !ns (NoServerlist) option is not automatically included.

A sample batch file that starts dialin host software and FSLOGIN could look like this (the comments are given as REM lines, since COMMAND.COM does not treat text after a semicolon as a comment but passes it to the command):

...
REM No default server in the Server field
SET FS_SRV=NONE
REM Link Support Layer
LSL
REM Hardware driver
NE2000
REM IPX protocol stack
IPXODI
REM NetWare Shell
NETX
REM Wait here for a dialin user!
PCSOMEWHERE
REM Secure login
FSLOGIN !DI !NS
...

The batch file continues with the next statement when the dialin user specifies the correct login information within the specified amount of time. Otherwise the dialin host PC is rebooted or FSLOGIN returns an errorlevel to the batch file, depending on diAct.

CHAPTER 9: SOME OTHER FEATURES

DOS Requester

Since version 1.4, FSLOGIN is compatible with the DOS Requester (VLMs or Virtual Loadable Modules). Novell has updated the DOS Requester several times since its first introduction.
At the time of this writing VLM version 1.20 is the current one.

Login Script Parameters

Full Screen Login has support for the optional parameters that can be
passed to the system login script. There is no separate field for this,
but parameters can be typed in the Userid field after the name of the
user. Leave one space between the name of the user and the parameter.
When the Userid field seems to be full, just type ahead and see the text
scroll. The combined length of the name of the user and the optional
parameters cannot exceed 64 bytes.

Command line mode

FSLOGIN does not only work full screen, but is also command line
compatible with the Novell login command. The fslogin.com program does
in fact pass the command line that is typed to the login.exe program.
The advantage of using FSLOGIN is that the sys:login directory will be
searched for and set to the first network drive letter. No more manual
searching for drive 'x'.

Monochrome VGA

FSLOGIN works with monochrome VGA monitors without manually setting a
specific video mode with the mode command.

Your Company Name

Since version 1.1 an RRS (Registration Reminder Screen) has been added.
This is the small window below the Login Data window that contains the
text 'Unregistered 30 days Evaluation Copy'. When you register you
should specify a text string that you want to appear in this window.
This text string should contain company information like the name of
the company and perhaps the name of the department which does the
registration. See the document REGISTER.xx for further instructions.

APPENDIX A: SOME QUESTIONS AND ANSWERS

Question 1

When I want to use your program, do I have to throw away my existing
login scripts?

No you don't. Full Screen Login does not replace the Novell login.exe
and corresponding login scripts. It adds full screen support and
extensive error and exception reporting, without throwing away your
already made effort.
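The error-level handling that Chapter 8 leaves to the calling batch file,
written out as an added example; it is not part of the FSLOGIN distribution
or of the README text. It assumes diAct=0 in FSLOGIN.INI, so that a diTim or
diMax event comes back as error level 2 or 3 instead of rebooting the host.
PCSOMEWHERE is the README's placeholder for the dialin host software, and
LOGOFF is a hypothetical hang-up program belonging to that package. The
example also covers the other error levels listed in Appendix B and treats
the reserved levels as a failed login, so an unexpected value never leaves
the line open.

```batch
@ECHO OFF
REM Added example, not part of FSLOGIN: a dialin host batch file that
REM handles the error levels FSLOGIN returns when diAct=0.
REM PCSOMEWHERE = placeholder for the dialin host software (from the README)
REM LOGOFF      = hypothetical hang-up program of that dialin package

REM No default server
SET FS_SRV=NONE
REM Link Support Layer, hardware driver, IPX protocol stack, NetWare shell
LSL
NE2000
IPXODI
NETX

:WAIT
REM Wait here for a dialin caller, then run the secure login
PCSOMEWHERE
FSLOGIN !DI !NS

REM "IF ERRORLEVEL n" is true for every level >= n, so test from the
REM highest level downwards and jump out on the first match.
IF ERRORLEVEL 9 GOTO NONET
IF ERRORLEVEL 8 GOTO NOEXEC
IF ERRORLEVEL 7 GOTO UNKNOWN
IF ERRORLEVEL 6 GOTO LOGINFAIL
IF ERRORLEVEL 4 GOTO UNKNOWN
IF ERRORLEVEL 3 GOTO DIMAX
IF ERRORLEVEL 2 GOTO DITIM
IF ERRORLEVEL 1 GOTO ESCAPE
GOTO OK

:DIMAX
ECHO diMax event: the limit from FSLOGIN.INI was reached (see Chapter 8).
GOTO DROP

:DITIM
ECHO diTim event: no valid login within the time limit.
GOTO DROP

:ESCAPE
REM Level 1 cannot occur with !DI (it implies !NE); kept for completeness.
ECHO The caller pressed the escape key.
GOTO DROP

:LOGINFAIL
ECHO LOGIN.EXE ran but reported a network error (see Appendix C).
GOTO DROP

:UNKNOWN
ECHO Reserved error level; treating it as a failed login.
GOTO DROP

:DROP
REM Hang up the line and wait for the next caller
LOGOFF
GOTO WAIT

:NOEXEC
ECHO FSLOGIN.OVL or LOGIN.EXE could not be executed; check sys:login.
GOTO END

:NONET
ECHO Shell or network not available; check LSL, IPXODI and NETX.
GOTO END

:OK
ECHO Login ok; start the applications offered to dialin users here.
REM ...

:END
```

The order of the IF ERRORLEVEL lines is the whole point: because each test
matches its own level and everything above it, checking 2 before 3 would send
a diMax event down the diTim branch. Levels 8 and 9 are installation or
network problems on the host itself, so the batch file stops instead of
waiting for another caller; every other non-zero level hangs up and returns
to the wait loop.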
Question 2

Why is fslogin.com the only program to copy to the sys:public directory?

In order to conserve a bit of disk space, and to make future updates as
easy as possible to install, there is only one place for the overlay and
other support files, and that is the sys:login directory. The file
fslogin.com is the only one to copy to the public directory.

Question 3

I have just installed your product, but I receive the message:
'The FSLOGIN.OVL program could not be executed.'

The most probable cause is that you run the program fslogin.com from a
local hard disk, but the server you are attached to does not have Full
Screen Login installed. Use the NETX option 'PS=MYSERVER' to make the
correct server the default, or better, install Full Screen Login on the
other servers as well (see also sitelice.doc).

Question 4

I installed Full Screen Login, but whenever I want to use it I receive
the message: 'The LOGIN.EXE program cannot be executed.'

Did you rename the original Novell login.exe? If yes, rename it back or
make a copy of it.

Question 5

I work for a large company with 257 file servers in a network. When I
use the ServerList function, there are only 255 file servers in the
list.

The current limitation of the ServerList function is 255 names. If this
really is a problem, please contact Confirm.

Question 6

Your program does not support grace logins. What should I do with the
currently defined grace logins?

Don't throw away the grace option for your users! When you disable grace
logins, there will be no way the user can change the password, neither
with the FSLOGIN program, nor with any other login program. In fact Full
Screen Login needs some grace logins to remain, in order to be able to
change the password. It's also worth mentioning that when a user presses
the escape key in the Password Expired Status form, the number of Grace
Logins Left will be decremented by one.
In fact Full Screen Login did do a login function call once to find out
that the password had expired.

Question 7

During the installation, stage one, I have to add a trustee assignment
to the sys:login directory for the group EVERYONE. Why is this for
NetWare 2.xx only?

Because NetWare 3.11 already gives EVERYONE access to the sys:login
directory, even after login. NetWare 2.xx did 'hide' the sys:login
directory after login.

APPENDIX B: ERRORLEVELS AND ERROR MESSAGES

EL   Meaning ...
------------------------------------------
0    Login ok
1    The user pressed the escape key
2    The diTim event has occurred.
3    The diMax event has occurred.
4,5  Reserved
6    Login has executed, but a failure occurred.
     The returncode is: .. (hex)
7    Reserved
8    FSLOGIN.OVL or LOGIN.EXE could not be executed.
     Dos extended errorcode: .. (hex)
9    Shell/Requester/Network not available.

APPENDIX C: ERRORCODES FROM THE NETWORK

147 No read privileges

    The program tried to read information from the bindery, but the
    operating system did not allow this. Normally this error should not
    occur and might indicate problems with the bindery.

150 Server out of memory

    This situation means real trouble. For some reason memory cannot be
    allocated for certain tasks. Shut down any NLM that is not strictly
    needed and try to clean up as many connections as possible. There
    might be only one way to deal with this problem and that is RAM.

193 No account balance

    This userid, also called account, has no initial account balance to
    work with. The supervisor should assign an account balance with
    syscon. This only occurs on servers with an activated (Novell)
    accounting system.

194 Credit exceeded

    The user has no more credits to continue working. The supervisor
    should assign enough credit to the user. This only occurs on servers
    with an activated (Novell) accounting system.

197 Intruder lockout

    There has been a number of attempts to login with this userid in
    combination with an incorrect password.
    The user either has to wait for the intruder lockout time to expire,
    or the intruder lockout can be cleared by the supervisor. This error
    can only occur when the intruder lockout mechanism on the server is
    activated with syscon.

215 Password not unique

    The newly typed password has been used before. NetWare can keep a
    record of a number of used passwords on a per user basis. This option
    can be switched on or off with syscon for individual users.

216 Password too short

    The newly typed password is too short. NetWare requires passwords to
    have a minimum length. This minimum length can be set on a per user
    basis with syscon.

217 Maximum connections in use

    The user tried to login from more than one workstation at the same
    time, while a limit has been defined for this user. Either the limit
    could be increased for this user, or the user should logout from
    other workstations first.

218 Not authorized at this time

    There is a time restriction for this user, which prevents login at
    this moment. Time restrictions are set system wide or on a per user
    basis by the supervisor.

219 Not authorized at this station

    There is a station restriction for this account. For security reasons
    certain accounts can be restricted to login from certain workstations
    only.

220 Account disabled

    The account (userid) exists but cannot be used, because it has been
    disabled by the supervisor.

222 Password disabled

    The current password for the user has expired, and there are no more
    grace logins available. The supervisor must assign another password
    to this user to be able to continue. It is advisable to give users a
    number of grace logins, so that they will be able to change their
    password themselves.

223 Password expired

    The password expiration date has been reached or even passed, but
    there are grace logins available. FSLOGIN warns the user and presents
    a Password Status window. The user must change his password now.

232 Write property to group

    This error indicates a problem with the bindery.
    Re-try the operation and when the problem persists, run the bindfix
    utility.

236 No such segment

    The bindery was queried for some information, but the expected piece
    of information was not there. This error could also mean some
    problems with the structure of the bindery.

239 Invalid name

    The bindery was queried for some information, but NetWare responded
    that the name used was not valid. This error could indicate a bindery
    problem or a programming error in FSLOGIN.

240 Wildcard not allowed

    A wildcard was used when the bindery was updated. Some information to
    be placed in the bindery cannot contain wildcards like '*' and '?'.

241 Invalid bindery security

    The current user has no rights to read from or write to the bindery.
    This could indicate a problem in the bindery structure.

248 No property write privilege

    The current user has no rights to write to the bindery. Normally this
    should not occur, because the only update the user does is changing
    his own password.

249 No free connection slots

    The NetWare shell has run out of connection slots. There are eight
    connections possible with eight different servers. Logout from a
    server that is no longer needed.

250 No more server slots

    The server has reached its limit for the number of connections. This
    number is determined by the license that is running on the server
    (5 .. 250 users). The supervisor can try to clear some unused
    connections with Fconsole (NetWare 2.xx) or Monitor (NetWare 3.x).

251 No such property

    The program tried to read a property from the bindery and the
    property is not there. Again this could be a reason to run bindfix.

252 No such object

    The program tried to read an object from the bindery and the object
    is not there.

254 Server bindery locked

    Bindery read or write actions are not possible, because the bindery
    is not available. This can be the result of a program that has closed
    the bindery. Programs that close the bindery are for example bindfix
    and most backup/restore programs.
    The bindery should be re-opened again when these programs have done
    their job. If this is not the case the server has to be brought down
    and started up again.

255 No response from server

    This errorcode can represent several errors, by which the server is
    not responding properly to workstation requests.

APPENDIX D: CURRENT LIMITATIONS

NetWare 4.02

The current version of FSLOGIN does not support NetWare Directory
Services. Accessing a NetWare 4.02 server can be done when bindery
emulation mode has been installed. There is, however, one additional
installation step that has to be done. The NetWare 4.02 server should be
provided with a NetWare 3.11 or 3.12 login.exe program. Rename the
NetWare 4.02 login.exe to something like log402.exe and copy a NetWare
3.11 or 3.12 login.exe to the sys:login directory using the original
name 'login.exe'. The 3.11 login.exe is smaller and faster than the
log402.exe and can be used for bindery emulation mode access. FSLOGIN
works in combination with the 3.11 login.exe installed on the 4.02
server.

APPENDIX E: REGISTRATION AND SUPPORT

Feel free to use Full Screen Login for a trial period of 30 days. After
this period you are expected to register or stop using it. The
registration fee is based on a single file server license. When used on
more servers, each server should have its own license or, better, a site
license should be obtained. See the document SITELICE.DOC.

Registered users receive a printed manual together with the latest
release of FSLOGIN, which is 'personalised' with the name of their
company or otherwise custom specified text. Registered users will
receive one free update when a new version becomes available.

Registered users are offered free support for a period of six months.
Please use either CompuServe mail, Telefax, Fidonet or phone, in this
preferred order. It is the author's goal to answer all questions within
a reasonable amount of time.
CompuServe : 100334,572
Fidonet    : 2:512/250.359
Telefax    : (+31) 8360 - 41580
Phone      : (+31) 8360 - 24988

Due to international regulations our phone and fax number will change
in 1995. From October 10, 1995 the numbers will be:

Phone : +31 - 316 - 524988
Fax   : +31 - 316 - 341580

Registration differs for the Netherlands, the United States and other
countries. When neither the Netherlands nor the US apply to you, you are
expected to follow the US procedure, or contact Confirm for another
arrangement. See also the REGISTER.xx forms on the distribution diskette
or the archive file.

APPENDIX F: THE SHAREWARE CONCEPT

Shareware distribution gives users a chance to try software before
buying it. If you try a Shareware program and continue using it, you are
expected to register. Individual programs differ on details. Some
request registration while others require it, some specify a maximum
trial period. With registration, you get anything from the simple right
to continue using the software to an updated program.

Copyright laws apply to both Shareware and commercial software, and the
copyright holder retains all rights, with a few specific exceptions as
stated below. Shareware authors are accomplished programmers, just like
commercial authors, and the programs are of comparable quality. (In both
cases, there are good programs and bad ones!) The main difference is in
the method of distribution. The author specifically grants the right to
copy and distribute the software, either to all or to a specific group.
For example, some authors require written permission before a commercial
disk vendor may copy their software.

Shareware is a distribution method, not a type of software. You should
find software that suits your needs, whether it's commercial or
Shareware. The Shareware system makes fitting your needs easier, because
you can try before you buy. And because the overhead is low, prices are
also low.
Shareware has the ultimate money-back guarantee -- if you don't use the
product, you don't pay for it.

The Ombudsman

This program is produced by a member of the Association of Shareware
Professionals (ASP). ASP wants to make sure that the shareware principle
works for you. If you are unable to resolve a shareware-related problem
with an ASP member by contacting the member directly, ASP may be able to
help. The ASP Ombudsman can help you resolve a dispute or problem with
an ASP member, but does not provide technical support for members'
products. Please write to the ASP Ombudsman at 545 Grover Road,
Muskegon, MI 49442-9427 USA, FAX 616-788-2765 or send a CompuServe
message via CompuServe Mail to ASP Ombudsman 70007,3536.

APPENDIX G: DISCLAIMER - AGREEMENT

Users of FSLOGIN must accept this disclaimer of warranty:

"FSLOGIN is supplied as is. The author or Confirm disclaims all
warranties, expressed or implied, including, without limitation, the
warranties of merchantability and of fitness for any purpose. The author
assumes no liability for damages, direct or consequential, which may
result from the use of FSLOGIN."

FSLOGIN is a "shareware program" and is provided at no charge to the
user for evaluation. Feel free to share it with your friends, but please
do not give it away altered or as part of another system. The essence of
"user-supported" software is to provide personal computer users with
quality software without high prices, and yet to provide incentive for
programmers to continue to develop new products. If you find this
program useful and find that you are using FSLOGIN and continue to use
FSLOGIN after a trial period of 30 days, you must make a registration
payment to Confirm. The registration fee will license one copy for use
on any one Novell NetWare server at any one time. You must treat this
software just like a book.
An example is that this software may be used by any number of people and
may be freely moved from one server location to another, so long as
there is no possibility of it being used at one location while it's
being used at another, just as a book cannot be read by two different
persons at the same time.

Users of FSLOGIN must register and pay for their copies of FSLOGIN
within 30 days of first use or their license will be withdrawn.

Anyone distributing FSLOGIN for any kind of remuneration must first
contact Confirm at the address below for authorization. This
authorization will be automatically granted to distributors recognized
by the ASP as adhering to its guidelines for shareware distributors, and
such distributors may begin offering FSLOGIN immediately (however,
Confirm must still be advised so that the distributor can be kept
up-to-date with the latest version of FSLOGIN).

You are encouraged to pass a copy of FSLOGIN along to your friends for
evaluation. Please encourage them to register their copy if they find
that they can use it.

Confirm
Ardechelaan 35
6904 NG  ZEVENAAR
The Netherlands

CompuServe : 100334,572
Fidonet    : 2:512/250.359
Telefax    : (+31) 8360 - 41580
Phone      : (+31) 8360 - 24988

Due to international regulations our phone and fax number will change
in 1995. From October 10, 1995 the numbers will be:

Phone : +31 - 316 - 524988
Fax   : +31 - 316 - 341580

(c) Confirm 1993, All Rights Reserved.
October 1994
--------------------------------------------------------------