System Administration Guide: Security Services

Password Protection Using Dial-up Passwords

You can add a layer of security to your password protection by requiring a dial-up password for users who access a system through a modem or dial-up port. A dial-up password is an additional password that a user must enter before being granted access to the system.

Only superuser can create or change a dial-up password. To ensure the integrity of the system, the password should be changed about once a month. The most effective use of this feature is to require a dial-up password to gain access to a gateway system.

Two files are involved in creating a dial-up password, /etc/dialups and /etc/d_passwd. The first file contains a list of ports that require a dial-up password. The second file contains a list of shell programs that require an encrypted password as the additional dial-up password.

If the user's login program (as specified in /etc/passwd) is not found in /etc/d_passwd, or if the login shell field in /etc/passwd is null, the password entry for /usr/bin/sh is used.

How to Create a Dial-up Password


Caution –

When you first establish a dial-up password, be sure to remain logged in on at least one port while you are testing the password on a different port. If you make a mistake while you are installing the extra password and log off to test the new password, you might not be able to log back on. If you are still logged in on another port, you can go back and fix your mistake.


  1. Become superuser or assume an equivalent role.

  2. Create an /etc/dialups file that contains a list of serial devices, including all the ports that will require dial-up password protection.

    The /etc/dialups file should look like the following:


    /dev/term/a
    /dev/term/b
    /dev/term/c

  3. Create an /etc/d_passwd file that contains the login programs that will require a dial-up password, and the encrypted dial-up password.

    Include shell programs that a user could be running at login, for example, uucico, sh, ksh, and csh. The /etc/d_passwd file should look like the following:


    /usr/lib/uucp/uucico:encrypted-password:
    /usr/bin/csh:encrypted-password:
    /usr/bin/ksh:encrypted-password:
    /usr/bin/sh:encrypted-password:

  4. Set ownership to root on the two files.


    # chown root /etc/dialups /etc/d_passwd
    
  5. Set group ownership to root on the two files.


    # chgrp root /etc/dialups /etc/d_passwd
    
  6. Set read and write permissions for root on the two files.


    # chmod 600 /etc/dialups /etc/d_passwd
    
  7. Create the encrypted passwords.

    1. Create a temporary user.


      # useradd username
      
    2. Create a password for the temporary user.


      # passwd username
      
    3. Capture the encrypted password.


      # grep username /etc/shadow > username.temp
      
    4. Edit the username.temp file.

      Delete all fields except the encrypted password (the second field).

      For example, in the following line, the encrypted password is U9gp9SyA/JlSk.


      temp:U9gp9SyA/JlSk:7967:::::7988:

    5. Delete the temporary user.


      # userdel username
      
  8. Copy the encrypted password from the username.temp file into the /etc/d_passwd file.

    You can create a different password for each login shell, or use the same password for each login shell.
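
The following check is an added example, not part of the original guide or of Solaris: a POSIX shell function that audits the two files after the procedure above for root ownership, mode 600, entry format, and the presence of the /usr/bin/sh fallback entry. The name audit_dialup, its arguments, and the assumption that serial device paths begin with /dev/ are illustrative.

```shell
#!/bin/sh
# Added example: audit the dial-up password files from the procedure above.
# audit_dialup and its arguments are hypothetical names, not a Solaris tool.
# Usage: audit_dialup [dialups] [d_passwd] [expected-uid] [expected-gid]
# Prints one line per finding; returns 0 only if no issues were found.
audit_dialup() {
    dialups=${1:-/etc/dialups}
    d_passwd=${2:-/etc/d_passwd}
    want=${3:-0}:${4:-0}            # root:root, per steps 4 and 5
    issues=0
    flag() { echo "$*"; issues=$((issues + 1)); }

    for f in "$dialups" "$d_passwd"; do
        [ -f "$f" ] || { flag "MISSING $f"; continue; }
        # ls -ln prints: mode links uid gid size ...
        mode=$(ls -ln "$f" | awk '{print $1}')
        owner=$(ls -ln "$f" | awk '{print $3 ":" $4}')
        case $mode in
            -rw-------*) ;;         # 600, per step 6 (a suffix may mark an ACL)
            *) flag "MODE $f is $mode, expected -rw-------" ;;
        esac
        [ "$owner" = "$want" ] || flag "OWNER $f is $owner, expected $want"
    done

    if [ -f "$dialups" ]; then
        # Assumption: every serial device path lives under /dev/.
        bad=$(awk 'NF && $0 !~ /^\/dev\// {n++} END {print n+0}' "$dialups")
        [ "$bad" -eq 0 ] || flag "FORMAT $dialups: $bad line(s) not a /dev/ path"
    fi

    if [ -f "$d_passwd" ]; then
        # Each entry is program:encrypted-password: (three fields, last empty).
        bad=$(awk -F: 'NF && (NF != 3 || $1 !~ /^\// || $2 == "" || $3 != "") {n++}
                       END {print n+0}' "$d_passwd")
        [ "$bad" -eq 0 ] || flag "FORMAT $d_passwd: $bad malformed line(s)"
        # /usr/bin/sh is the fallback entry for shells not listed in the file.
        sh_entry=$(awk -F: '$1 == "/usr/bin/sh" {n++} END {print n+0}' "$d_passwd")
        [ "$sh_entry" -ge 1 ] || flag "FALLBACK $d_passwd has no /usr/bin/sh entry"
    fi

    [ "$issues" -eq 0 ]
}
```

Run it as superuser with no arguments to check /etc/dialups and /etc/d_passwd, from a session that stays logged in as the caution above recommends.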

How to Temporarily Disable Dial-up Logins

  1. Become superuser or assume an equivalent role.

  2. Put the following entry by itself into the /etc/d_passwd file:


    /usr/bin/sh:*: