Text File | 1994-10-13 | 60KB | 1,463 lines
README.TXT FSLOGIN 1.50
--------------------------------------------------------------
Full Screen Login
A utility for all Novell NetWare users.
╔════════════════════════════════════════════════════╗
║ Please enter your Login Data ║
╠════════════════════════════════════════════════════╣
║ ║
║ Server YOUR_SERVER................ ║
║ ║
║ Userid YOUR_USERID................ ║
║ ║
║ Password ........................... ║
║ ║
╚════════════════════════════════════════════════════╝
┌─────────┐
┌─────┴───┐ │ (R)
──│ │o │──────────────────
│ ┌─────┴╨──┐ │ Association of
│ │ │─┘ Shareware
└───│ o │ Professionals
──────│ ║ │────────────────────
└────╨────┘ MEMBER
FSLOGIN is a registered trademark of Confirm.
Netware is a registered trademark of Novell, Inc.
(c) Confirm 1993, All Rights Reserved October 1994
--------------------------------------------------------------
FOREWORD
The idea to start with a login program actually came
from users, who were dissatisfied with the standard
command line utility. They wanted and needed
'something' more than a few lines of text on the screen
when login was not possible, a better 'guidance'
through the changing of passwords and an easier way
to do what they have to do every day. And that is login
to one or more servers.
FSLOGIN version 1.0 was first published on March 1,
1993. In due time lots of new ideas were integrated in
the product. FSLOGIN provides support for NetWare
Name Service. This feature allows use of FSLOGIN in
Name Service Domains without losing any functionality
of NNS itself. For those sites that do not use NNS, but
have accounts defined on more than one server,
FSLOGIN has a Server Group feature that takes care of
password synchronisation among servers in that group.
Version 1.5 adds features that result in an extra
security wall when accessing your corporate LAN with
dialin PC's.
A big thanks goes to a group of colleagues, friends and
customers who have done a fine job of looking, testing,
talking, phoning, faxing and criticizing. They helped,
and often still help, FSLOGIN to grow. If you have any
suggestions for improvement of this product, don't
hesitate to tell us. It is our goal to make Full Screen
Login as user friendly as possible.
The author: Aad Slingerland
TABLE OF CONTENTS
CHAPTER 1: THE PURPOSE OF THIS PROGRAM
CHAPTER 2: HOW TO INSTALL
CHAPTER 3: HOW TO USE
CHAPTER 4: SPECIAL KEYS
CHAPTER 5: HOW TO CUSTOMIZE
CHAPTER 6: PASSWORD EXPIRED!
CHAPTER 7: MULTIPLE SERVER ENVIRONMENTS
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
CHAPTER 9: SOME OTHER FEATURES
APPENDIX A: SOME QUESTIONS AND ANSWERS
APPENDIX B: ERRORLEVELS AND ERROR MESSAGES
APPENDIX C: ERRORCODES FROM THE NETWORK
APPENDIX D: CURRENT LIMITATIONS
APPENDIX E: REGISTRATION AND SUPPORT
APPENDIX F: THE SHAREWARE CONCEPT
APPENDIX G: DISCLAIMER - AGREEMENT
CHAPTER 1: THE PURPOSE OF THIS PROGRAM
All the PC-users who are connected to a local area network
with Novell servers, have at least one thing in common. They
must login to the network, before applications and data become
available. It's obvious that this is almost always done using
the standard Novell login program. This command line utility,
however, is not very attractive to use and does not do a fine
job, when users must be informed about network exceptions or
errors.
┌──────────────────────────────────────────────┐
│ Login Error │
├──────────────────────────────────────────────▒
│ │
│ The login process to the choosen file server │
│ with the choosen userid cannot be completed. │
│ │
│ One of the security measures prevented this. │
│ You will have to contact the system admini- │
│ strator to clear this situation. │
│ │
│ The errorcode and reason is: │
│ │
│ Errorcode : 197 │
│ Reason : Intruder lockout │
│ │
└──────────────────────────────────────────────┘
FSLOGIN enhances the way users can login to a server, by
providing a full screen, Novell menu style program. FSLOGIN is
not only a different way to type some data, like the userid
and the password, but does extensive checking of accounting
and security exceptions. All kinds of reasons why a user
cannot login to a server, are presented in clear text in a
full screen window. Because the user is properly informed of
certain exceptions, he or she will be able to communicate
better with the system administrator, instead of complaining
of not being able to login.
The actual Novell login command line utility is only executed
after various checks on correctness of names, accounting and
security matters have been done. Almost nothing but a file
server that goes down at that particular moment, can go wrong
now.
CHAPTER 2: HOW TO INSTALL?
Installing the Full Screen Login program can be done in three
stages.
The first stage is always required. The stages two and three
are optional, and using them depends on the preference of the
system administrator.
The first stage installs FSLOGIN on the Novell server, and is
basically enough to make it available for use.
The second stage is distributing one of the program files of
FSLOGIN to PCs with a local hard disk. The benefit of this is,
that this program is capable of 'finding' the sys:login
directory, even if it is on some network drive like z:.
The third stage is renaming the program fslogin.com to
login.com. This makes the Full Screen Login program the one
that's always used, and you don't have to change existing
batch files, where 'login' is called.
Stage One
Execute the installation batch file (INSTALL.BAT) from the
drive and directory where the distribution files reside. The
installation procedure prompts for the language support files
to install (currently English and Dutch) and installs the
program and language support files to the directory sys:login.
The file fslogin.com is also copied to the sys:public
directory. All files except fslogin.ini are flagged read-only
shareable.
When you are using a NetWare 2.xx server, you must grant a
trustee assignment to the group everyone, which gives this
group read and file scan rights in the sys:login directory.
That's all! Just type fslogin now.
Stage Two
Distribute the program fslogin.com to the local disk of the
PCs in your network. Make sure that this program resides in a
directory that is in the PATH variable. From that moment on,
your users will be able to login, even if they logged out the
last time from 'some' network drive, leaving sys:login on
'some' network drive letter other than the first.
Stage Three
Rename fslogin.com to login.com in both the directories
sys:login and sys:public. When Stage Two has been used, also
distribute login.com to the PCs with a hard disk.
Local Disk Installation
Version 1.4 can be installed on a local hard disk in addition
to installation on a file server. In general, this should not
be done because it creates a maintenance problem.
However, there are situations where installation on a local
disk is preferred. For example, when a workstation is connected
to a LAN through a wide area link, program loading from a
server is considerably slower compared to LAN speed.
Example of a directory on a local harddisk:
C:\NWCLIENT\IPX.COM
C:\NWCLIENT\NETX.EXE
C:\NWCLIENT\FSLOGIN.COM
C:\NWCLIENT\FSLOGIN.OVL
C:\NWCLIENT\FSLOGIN.CWA
C:\NWCLIENT\FSLOGIN.HLP
C:\NWCLIENT\LOGIN.EXE
Note that the file fslogin.ini is not copied to this
directory. This file is always read from the directory
sys:login, because users should not be able to modify this
file themselves. Note also that Novell's login.exe can
also be copied to the same directory. This is optional
but will speed up the login process. The only thing that
needs to be done after installation is taking care that
the copy of fslogin.com in the directory c:\nwclient is
executed. This .com file does the rest.
CHAPTER 3: HOW TO USE?
Once installed, Full Screen Login is available. Just type
FSLOGIN and the Login Data menu shows up. As you can see the
name of the default server, to which the workstation is
attached, is automatically placed in the Server field. For a
first exercise, fill in the name of a userid you want to use
and press the enter key. The highlight goes down to the
Password field. When there is a password defined for this
userid, fill it in. Otherwise leave this field blank. When all
datafields are okay, press the enter key to confirm all the
data to the program.
┌────────────────────────────────────────────────────────────┐
│ Userid and/or Password Error │
├────────────────────────────────────────────────────────────▒
│ │
│ The Userid and/or the Password is not correctly specified. │
│ Please retype the Userid and/or the Password. │
│ │
└────────────────────────────────────────────────────────────┘
At this moment the information that has been placed in the
fields will be validated, and when something is wrong, you
will be informed.
When the validation is okay, and there are no other accounting
and security restrictions, the login process continues with
the execution of the system and user login scripts. You as a
system supervisor, do not have to change anything to existing
login scripts in order to use FSLOGIN.
In contrast to the 'standard' Novell menu interface, the
cursor is always visible in the input fields. This relieves
the user from the unfriendly difference between moving between
fields and editing them. When the highlight is moved to
another field, that field automatically switches to edit mode
and the cursor is shown. The keys to move between the fields
are: tab, backtab, up arrow and down arrow. The enter key also
moves the highlight down until used in the last field of a
form. The keys to move the cursor in a field while editing
are: home, end, left arrow and right arrow.
CHAPTER 4: SPECIAL KEYS
F1 = Help
You might already have used the F1 key for online help. Most
of the basics of this utility are explained here, and the
average user should have enough information to do the job. The
up arrow, down arrow, page up and page down let you scroll
through the text, and the escape key brings you back again.
F5 = ServerList
When you are working in a multiple server environment, the
ServerList function becomes valuable. Just press this key, to
get an overview of all the file servers in your network, and
pick one.
Note that using the F5 key is independent of the currently
highlighted field. It always works. There is an option to
restrict the end-user view on the network by disabling the
ServerList function or by limiting the ServerList to a custom
specified list. See chapter 5 'How to Customize?' for more
information.
┌──────────────────────────────┐
│ List of servers │
├──────────────────────────────▒
│ │EARTH │
│ │JUPITER │
│ │MARS │
│ │MERCURIUS │
│ │NEPTUNES │
│ │PLUTO │
│ │SATURNUS │
│ │URANUS │
│ │VENUS │
│ │Z220 │
│ │ │
│ │ │
└──────────────────────────────┘
F7 = Supervisor
There is one specific userid, which is probably typed
thousands of times each day by thousands of supervisors. Just
press the F7 key and look what happens. FSLOGIN presents you
with a list of a few very often used names. Move the
highlight to the one you need and press the Enter key. After
pasting the chosen username in the Userid field, the highlight
goes straight to the password field, since this is most likely
the place you want to go. The three names that appear in the
list right after installation are just an example. The names to
appear in the list can be customized in the fslogin.ini file.
See also chapter 5.1, the ULIST keyword. If security is very
important and you do not want users to 'discover' the
existence of a supervisor userid, you can turn this feature
off by using the statement ULIST=0.
CHAPTER 5: HOW TO CUSTOMIZE
FSLOGIN has three ways to customize various options and
program behaviour. The first one is modifying one or more of
the options in the file fslogin.ini. This file resides in the
sys:login directory, together with most other program files.
The options that are specified here are system wide. They are
valid for all users who are attached to this server. The
second way to customize is using one or more command line
parameters that override one or more of the system wide
options from fslogin.ini. The usage of command line parameters
applies only to that particular instance of FSLOGIN. The third
way to customize FSLOGIN is using environment variables to
pre-fill the Server and/or Userid fields with a specific
value.
5.1: Fslogin.ini parameters
The file fslogin.ini in the sys:login directory contains a
number of parameters. Since fslogin.ini is a plain ASCII text
file, it can be edited with any text editor. Comment lines
start with a semicolon. The comment lines in the default
fslogin.ini can be deleted if necessary.
Days=0 - 9
The value of this parameter determines the number of days a
user is invited to change a password, before the actual
expiration date. Changing the password before the actual
expiration date is not required, so when the user presses the
escape key, he or she is logged in with the current, but soon
expired password. This method, however, triggers the average
user to start thinking about something new before it is too
late. This option prevents unnecessary phone calls to the
system supervisor.
Dim=0 - 9
The built-in screen dimmer becomes active after a certain
amount of keyboard inactivity. This amount of time, measured
in minutes, can be customized with the Dim= parameter. When
the value is 0, the built-in screen dimmer is disabled. See
also the !nd command line parameter below.
diTim=0 - 9
DialinTime specifies the maximum time in minutes allowed to
login on a dialin host PC. This statement only has effect when
used in combination with the !di command line option.
See the next sub-chapter for command line arguments.
When the dialinTime has elapsed, FSLOGIN takes action
according to the value of the diAct parameter.
diMax=0 - 9
DialinMax specifies the maximum number of login attempts
that can be made by a user connected to a dialin host
computer. When the user keeps on specifying incorrect
information, like Servername, Userid and/or Password,
FSLOGIN takes action according to the value of diAct.
Like diTim this statement has only effect when the !di
command line argument is used.
diAct=0 or 1
DialinAction specifies what to do when one of the two above
events happens. A value of 0 for diAct tells FSLOGIN to exit
to DOS with an errorlevel. The errorlevels used are 2 for
diTim and 3 for diMax.
When diAct=1, FSLOGIN takes a more drastic security measure
by trying to close the COM ports of the dialin host PC and
starts rebooting.
Esc=0 - 2
The escape key at the top level (the Login Data form) can be
disabled or enabled with this parameter. In some environments
the supervisor might want to force users to login before doing
anything else on their workstation. A value of 0 disables
'escaping' from the top level menu. When the value is 1, the
user can leave this application. When the value is 2, the user
is prompted by a 'yes/no' box before exiting. See also the !ne
command line parameter.
Exp=0 or 1
This parameter switches the exploding windows effect on (1) or
off (0). Some people like this exploding windows effect,
others don't. So it's optional.
Kbc=0 or 1
Up until version 1.4 the keyboard was always cleared when started.
This can be turned off or on now using the fslogin.ini statement
KBC=0 or KBC=1.
Lws=0 or 1
Up until version 1.4 the current account was not logged out when
FSLOGIN was started. In other words when the user did not actually
login but pressed the escape key, he was back exactly where he was.
Immediate Logout can be turned on using the fslogin.ini statement
Logout When Started (LWS=1).
Nns=0 - 2
NetWare Name Service support is switched on or off using this
statement. A value of 0 disables NNS support. A value of 1
lets FSLOGIN automatically detect if the server is part of a
Domain or not. A value of 2 always forces the Name Service
Login Data form to be used.
Pfp=0 - 3
The value of the Password Field Presentation parameter
determines what the user sees when a password is typed.
A value of 0 gives the same effect as a 'default' Novell menu
style utility, and that is nothing. The cursor stays in the
home position of the field and there is no further indication
of what is typed.
A value of 1 lets the cursor move as characters are typed,
showing spaces instead of the actual typed characters.
A value of 2 also moves the cursor and shows dots instead of
spaces.
A value of 3 also moves the cursor and shows a row of stars
instead.
Pro=0 or 1
This parameter is used in combination with the NetWare Name
Service Login screen only. When set to zero, its default, the
Profile field contains the text 'default'. When set to one,
the contents of the Profile field is synchronised with the
contents of the Server field. So when a different server is
picked from the Serverlist, both the Servername and the
Profile will contain the new value. Note that the environment
variable FS_PRO still overrides this system wide setting.
Pss=0 or 1
The result of password synchronisation can be shown to the
user or be left out. Password synchronisation is only active
when working in a NNS domain or when a Server Group has been
defined.
Sdw=0 or 1
This parameter switches the shadow effect behind the windows
on (1) or off (0).
Sgroup=0 - 2
The Server Group function is disabled when the value of Sgroup
is 0. This means that FSLOGIN does not attempt to synchronize
a newly specified password on other servers. When the value of
Sgroup equals 1, all the servers in the network will be
considered as one Server Group. When a user specifies a new
password for his 'home' server, FSLOGIN will attempt to
synchronize this new password on all servers which have the
same userid defined. The system administrator can restrict the
servers in a Server Group by explicitly specifying which
servers belong to it. For example:
Sgroup=2
home_Server
second_server
third_server
The list of server names that comes directly after the
Sgroup=2 statement can contain 16 names. Wildcards in each
individual 'name' are allowed. For example:
Sgroup=2
home_server
other*
Slist=0 - 3
When this parameter is set to 0, the ServerList function is
disabled. When set to 1, the entire network is visible to the
user. The system administrator can restrict the names of
servers in the ServerList by explicitly specifying which
servers may be seen. For example:
Slist=2
home_Server
second_server
third_server
The list of server names that comes directly after the Slist=2
statement can contain 16 names. Wildcards in each individual
'name' are allowed. For example:
Slist=2
home_server
other_*
The user can be further restricted by not allowing the
Servername field to be edited. This feature can be turned on
when specifying 'Slist=3'. The effect is that the user can
pick from the custom list of servers after the Slist
statement, but is not able to alter the name in the Servername
field.
Ulist=0 or 2
This parameter defines the behaviour of the F7 key. In
previous versions, the F7 key pasted the 'Supervisor' user
name in the Userid field. Now it can be turned off, changed to
another user name or even to a list of user names. The
following example presents a small list with two user names
when the F7 key is pressed.
Ulist=2
Supervisor
Lanvisor
When you specify only one name in this list, most probably
Supervisor, then there is no list on the screen and the F7 key
functions the same as with previous versions of FSLOGIN. When
you want to disable the F7 key, use the value 0 after the
Ulist= parameter.
UXList=0 or 2
Certain userids like GUEST can be excluded from being used
by putting them in the User eXclude List.
5.2: Command line parameters
The following command line parameters are specified directly
behind the command 'fslogin'. For example 'fslogin !ne'. These
command line parameters are used to override some of the
system wide options from the fslogin.ini file.
!nd
NoDimmer. The NoDimmer option might be useful when FSLOGIN
is used in combination with asynchronous dial-in servers.
!ne
NoEscape. The user of this workstation must login first now.
!ns
NoServerlist. The ServerList function for this workstation is
restricted now.
!di
Activate the dialin specific parameters in fslogin.ini.
These specific dialin parameters are diTim, diMax and diAct.
The use of !di also automatically activates !ne and !nd.
5.3: Environment variables
To make daily use even more simple, two of the three fields in
the Login Data form can be pre-filled. You might already have
noticed that the Server field contains the name of the server,
to which the PC is attached. This automatic filling in of a
servername should be sufficient in single server environments,
where there is nothing to choose. However, in a multiple
server environment the server to which the PC is attached is
not always the one users need to access. A DOS environment
variable can be used to specify a different name as the
default. Type the following command at the DOS command prompt.
SET FS_SRV=MYSERVER
When the program is started again the Server field will
contain the string 'MYSERVER'. Another feature available here
is the ServerList function. When the F5 key is pressed, the
program reads the names of available servers in the network
and presents a list on the screen. Just move the highlight and
pick a name!
The environment variable FS_PRO defines a 'default' profile
for use in a NetWare Name Service environment. For example:
SET FS_PRO=PROFILE_ONE
The Userid field can be pre-filled as well with the use of
another environment variable. Type the following command at
the DOS command prompt.
SET FS_UID=MYUSERID
Now the Userid field will also come up with a default. When
the pre-filled values for the Server and Userid are correct,
the only thing the user has to do is type the corresponding
password and press the enter key twice.
There is a special form of the FS_UID variable, that can be
useful when the userids in your organisation are highly
structured. There are companies that use not so individual
userids like ACCOUNT01, ACCOUNT02, ACCOUNT03 etc. And maybe
SALES01, SALES02 and so on. The idea behind this is that the
first part of the userid is always the same. The 'common' part
of the userid string can be pre-filled by placing it in the
environment variable FS_UID, followed by a tilde. For example:
SET FS_UID=TECHNO~
Have a look at what happens!
CHAPTER 6: PASSWORD EXPIRED!
An expired password is almost always a source of
inconvenience. Most users manage well reading the line mode
text from the Novell Login program. Some other users will
always succeed in locking up their userid and call for
supervisor assistance. FSLOGIN helps most users take this
hurdle in a user friendly way and, most important, without
help of a system administrator. The first step FSLOGIN takes
is notifying the user that his password is going to expire
some day in the near future and, at the same time, giving the
user the possibility to change it now. Here is what you get!
╔══════════════════════════════════════════════════════════════════╗
║ Password Status ║
╠══════════════════════════════════════════════════════════════════╣
║ Your current password is going to expire in 5 days. If you ║
║ wish you can specify a new password now. Retype the new ║
║ password again after the Verification prompt. This is a check ║
║ to prevent typing errors. Your new password should be at ║
║ least 4 characters long. ║
║ ║
║ New Password ..................................... ║
║ ║
║ Verification ..................................... ║
║ ║
╚══════════════════════════════════════════════════════════════════╝
When the user takes no action the actual expiration date will
come, and if the user wants to login, he will be forced to
change the password now. It is possible to escape from the
'Password Expired Status' form, but there will be no login.
This does not mean that the grace login mechanism of the
Novell security system is not used any more. At least one
grace login is needed to be able to change the current
password into a new one. So do not set the grace login count
for the users to zero! When there are no grace logins left,
there is no way a user could login. Neither with the Novell
login program, nor with any other program!
CHAPTER 7: MULTIPLE SERVER ENVIRONMENTS
FSLOGIN has support for password synchronisation
in multiple server environments. Password synchronisation is
needed for those users that are defined on more than one
server. Basically there are two methods that are used in
multiple server environments:
NetWare Name Service
NNS is a Novell product that is widely distributed among large
corporations. The basic idea is to give each user a single
login to the servers that are needed to do the job. When the
system administrator creates a new user in an NNS Domain, that
userid is created on all the servers in that domain. Depending
on the specified Profile, the user is attached to one or more
servers in the Domain.
The ATTACH login script statement
ATTACH statements are specified in either the system login
script or the user login script. When a user does a login to
his 'home' server the statements are executed and the user is
automatically attached to a second, maybe a third server in
the network. The userid must be defined on the 'other' servers
as well and the passwords must be in sync.
FSLOGIN supports both the Netware Name Service
environment and the multiple server environment where the
Attach method is used.
7.1: NetWare Name Service support
When FSLOGIN is used in a NNS environment, it can be
customized to present the user a NNS specific Login Data form.
(See also the chapter on 'How to customize'). The user can
specify a profile or leave this field to its default value.
Like all other fields that are filled in, the Profile is
validated for existence and authorization, before FSLOGIN
continues.
╔════════════════════════════════════════════════════╗
║ Please enter your Login Data ║
╠════════════════════════════════════════════════════╣
║ ║
║ Server YOUR_DOMAIN_SERVER ║
║ ║
║ Profile DEFAULT ║
║ ║
║ Userid YOUR_USERID ║
║ ║
║ Password .......................... ║
║ ║
╚════════════════════════════════════════════════════╝
When the password for a user expires (or will expire within a
number of days in the near future) the user will be prompted
to change the password. When the new password is validated
FSLOGIN synchronises the new password on all the servers in
that domain. The user is informed about the result of this
synchronisation step.
7.2: Server Groups
FSLOGIN has a new feature called Server Groups.
This feature makes it possible to take care of password
synchronisation in non-NNS environments. Two or more servers
can be defined as a logical group, and FSLOGIN will treat this
group as a domain. When a user is defined on more than one
server in this group, FSLOGIN will take care of password
synchronisation. What are the steps to be taken?
Step One
Define two or more servers as a group. This is done in the
FSLOGIN.INI file by customizing the Sgroup (Server Group)
statement. For Example:
Sgroup=2
home_server
other_server
Step Two
Define a new user on both servers and make sure the accounting
restrictions and the initial password are the same. If you want
to use an existing userid, check the accounting restrictions
and password synchronisation status. Correct them if necessary.
Step Three
Login with that userid on the home server. Because the
supervisor just defined the new account you will be prompted
for a new password. Type a new password and see the result of
the synchronisation step.
┌──────────────────────────────────────────────────────┐
│ Synchronization Status │
├──────────────────────────────────────────────────────▒
│ │JUPITER │ 0 Ok │
│ │MARS │252 No such userid │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
└──────────────────────────────────────────────────────┘
It is not necessary to define all users on all servers in the
Server Group. Only those people that need to access the
OTHER_SERVER need a corresponding userid and password.
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
Most of the Local Area Networks are not only used from
workstations that are directly attached. There is a growing
need to access the data and programs on a corporate LAN from
other geographical locations. This need for communication has
led to products that turn a regular workstation in a LAN
into a dialin host that can be accessed using regular
telephone lines and modems. It's obvious that these gateways
to programs and data need to have the mechanics to prevent
unauthorised access. Many of the products that are on the
market today have security options built in.
FSLOGIN, however, adds an extra layer of access security to
the Novell servers in the network. Once a remote user has a
dialin connection to a dialin host on a LAN, that user has to
pass the proper login information before data and or programs
can be accessed.
FSLOGIN has extra security options, which have been designed
specifically for use on dialin host machines.
First of all the amount of information that a user can 'see'
in the FSLOGIN screen can be restricted to almost nothing.
The user has to know the name of the Server, his/her userid
and, of course, the corresponding password.
The Serverlist feature of FSLOGIN can be turned off for
individual workstations using the !ns command line option.
This command line option overrules the global setting in
fslogin.ini. Furthermore, the default name in the Server field
can be suppressed using the environment variable FS_SRV=NONE.
The next step in building a security wall is disabling the use
of certain userids that are not easy to delete (GUEST for
example) yet not meant for regular access by users. The User
eXclude List feature makes this possible. This list is specified
in the fslogin.ini file with the statement 'UXList'.
When the dialin user accesses the host PC, it's obvious that
FSLOGIN should not be terminated with the Escape key. This would
allow the user to access the standard Novell command SLIST and
LOGIN. Although the Escape key can be enabled or disabled globally
in fslogin.ini, it can be disabled in specific situations using
the !ne command line option.
The next step is preventing a user from trying out all kinds of
combinations of Server names, Userids and Passwords. Not that
this is likely to succeed but these tryouts can be prevented using
the following statements in FSLOGIN.INI.
diMax=0 - 9
dialinMax defines the maximum number of login attempts that a
user can make before FSLOGIN takes action. For example, when
diMax= 3, the user can make three attempts to login and when
the third attempt is invalid (invalid Servername, invalid Userid
or invalid Password) the action specified in diAct is executed
(see below).
diTim=0 - 9
dialinTime specifies the maximum time in minutes that FSLOGIN
waits for the user to login. When this time expires, FSLOGIN
assumes that the connection between the dialin host and the PC
at the other end should be terminated. See diAct below.
diAct=0 or 1
The dialinAction parameter in FSLOGIN.INI specifies the action
that should be taken when one of the two above events occurs.
When diAct=1 FSLOGIN tries to close the communication ports of
the dialin host and then reboots the machine. No better way to
break the connection between you and a hacker.
When diAct=0 FSLOGIN does not reboot the dialin host but returns
to DOS with a specific error level. The error level identifies the
event that has occurred. The error levels are 2 for a diTim event
and 3 for a diMax event. It is up to the procedure (batch file)
that called FSLOGIN to handle these error levels. The batch file
could, for example, execute a LOGOFF program, that is specific
for a certain dialin software package.
Note that although the last three parameters (diMax, diTim and
diAct) are specified in fslogin.ini, they are only activated
when FSLOGIN is started with the !di command line option.
The !di command line argument also automatically activates the
!ne (NoEscape) and the !nd (NoDimmer) options. The !ns
(NoServerlist) is not automatically included.
A sample batch file that starts dialin host software and FSLOGIN
could look like this:
...
REM No default server
SET FS_SRV=NONE
REM Link Support Layer
LSL
REM Hardware driver
NE2000
REM IPX protocol stack
IPXODI
REM NetWare Shell
NETX
REM Wait here for dialin user!
PCSOMEWHERE
REM Secure login
FSLOGIN !DI !NS
...
The batch file continues with the next statement when the
dialin user specifies the correct login information in the
specified amount of time. Otherwise the dialin host PC can
either be rebooted or FSLOGIN returns an error level to the
batch file.
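A batch file that acts on the error levels returned when diAct=0,
given here as an added example (it is not part of the FSLOGIN
distribution). The LOGOFF program name, the log file path, the
diMax/diTim values and the loop back to the dialin host program are
assumptions.

```batch
@ECHO OFF
REM Added example, not part of the FSLOGIN distribution.
REM Assumes FSLOGIN.INI holds diMax=3, diTim=2 and diAct=0, so FSLOGIN
REM returns an error level to this file instead of rebooting the host.
REM LOGOFF and C:\DIALIN.LOG are placeholders: substitute the hang-up
REM program of your dialin package and a log file of your choice.

:WAIT
REM Wait here for the next dialin user (as in the README sample)
PCSOMEWHERE
FSLOGIN !DI !NS

REM "IF ERRORLEVEL n" is true for n and for every higher value, so
REM test from the highest level down. Anything other than 0 must end
REM in DROP; no branch may fall through to a DOS prompt.
IF ERRORLEVEL 9 GOTO NONET
IF ERRORLEVEL 8 GOTO NOEXEC
IF ERRORLEVEL 4 GOTO FAILED
IF ERRORLEVEL 3 GOTO MAXTRY
IF ERRORLEVEL 2 GOTO TIMEOUT
IF ERRORLEVEL 1 GOTO ESCAPE
GOTO OK

:NONET
ECHO EL9 shell/requester/network not available >> C:\DIALIN.LOG
GOTO DROP
:NOEXEC
ECHO EL8 FSLOGIN.OVL or LOGIN.EXE not executed >> C:\DIALIN.LOG
GOTO DROP
:FAILED
REM Levels 4 to 7: login failure (6) or a reserved value
ECHO EL4-7 login failed or reserved level >> C:\DIALIN.LOG
GOTO DROP
:MAXTRY
ECHO EL3 diMax: too many invalid login attempts >> C:\DIALIN.LOG
GOTO DROP
:TIMEOUT
ECHO EL2 diTim: login time expired >> C:\DIALIN.LOG
GOTO DROP
:ESCAPE
REM Should not occur: !DI also activates !NE
ECHO EL1 Escape pressed >> C:\DIALIN.LOG
GOTO DROP

:DROP
REM Break the connection, then wait for the next caller
LOGOFF
GOTO WAIT

:OK
REM Login succeeded; the dialin session continues from here
```

The log gives the supervisor a record of diMax and diTim events on
the dialin host, which the reboot performed by diAct=1 does not leave
behind.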
CHAPTER 9: SOME OTHER FEATURES
DOS Requester
Version 1.4 is compatible with the DOS Requester (VLMs or
Virtual Loadable Modules). Novell has updated the DOS Requester
several times since the first introduction. At the time of
this writing VLM version 1.20 is the current one.
Login Script Parameters
Full Screen Login has support for the optional parameters,
that can be passed to the system login script. There is no
separate field for this, but parameters can be typed in the
Userid field after the name of the user. Leave one space between
the name of the user and the parameter. When the Userid field
seems to be full, just type ahead and see the text scroll. The
combined length of the name of the user and the optional
parameters cannot exceed 64 bytes.
Command line mode
FSLOGIN does not only work full screen, but is also command
line compatible with the Novell login command. The fslogin.com
program does in fact pass the command line that is typed to
the login.exe program. The advantage of using FSLOGIN is that
the sys:login directory will be searched for and set to the
first network drive letter. No more manual searching for drive
'x'.
Monochrome VGA
FSLOGIN works with monochrome VGA monitors without manually
setting a specific video mode with the mode command.
Your Company Name
Since version 1.1 an RRS (Registration Reminder Screen) has
been added. This is the small window below the Login Data
window, that contains the text 'Unregistered 30 days
Evaluation Copy'. When you register you should specify a text
string that you want to appear in this window. This text
string should contain company information like the name of the
company and perhaps the name of the department which does the
registration. See the document REGISTER.xx for further
instructions.
APPENDIX A: SOME QUESTIONS AND ANSWERS
Question 1
When I want to use your program, do I have to throw away my
existing login scripts?
No, you don't. Full Screen Login does not replace the Novell
login.exe and corresponding login scripts. It adds full screen
support and extensive error and exception reporting, without
discarding the effort you have already made.
Question 2
Why is the fslogin.com the only program to copy to the
sys:public directory?
In order to conserve a bit of disk space, and make eventual
updates as easy as possible to install, there is only one
place for the overlay and other support files, and that is the
sys:login directory. The file fslogin.com is the only one to
copy to the public directory.
Question 3
I have just installed your product, but I receive the message:
'The FSLOGIN.OVL program could not be executed.'.
The most probable cause is that you run the program
fslogin.com from a local hard disk, but the server you are
attached to does not have Full Screen Login installed. Use the
NETX option 'PS=MYSERVER' to make the correct server the
default, or better, install Full Screen Login on the other
servers as well (see also sitelice.doc).
Question 4
I installed Full Screen Login, but whenever I want to use it I
receive the message: 'The LOGIN.EXE program cannot be
executed.'.
Did you rename the original Novell login.exe? If yes, rename
it back or make a copy of it.
Question 5
I work for a large company with 257 file servers in a network.
When I use the ServerList function, there are only 255 file
servers in the list.
The current limitation of the ServerList function is 255
names. If this really is a problem, please contact Confirm.
Question 6
Your program does not support grace logins. What should I do
with the currently defined grace logins?
Don't throw away the grace option for your users! When you
disable grace logins, there will be no way the user can change
the password, neither with the FSLOGIN program, nor with any
other login program. In fact Full Screen Login needs some
grace logins to remain, in order to be able to change the
password. It's also worth mentioning that when a user presses
the escape key in the Password Expired Status form, the number
of Grace Logins Left will be decremented by one. This is because
Full Screen Login has already made one login function call to
find out that the password had expired.
Question 7
During the installation, stage one, I have to add a trustee
assignment to the sys:login directory for the group EVERYONE.
Why is this for NetWare 2.xx only?
Because NetWare 3.11 already gives EVERYONE access to the
sys:login directory, even after login. NetWare 2.xx did 'hide'
the sys:login directory after login.
APPENDIX B: ERRORLEVELS AND ERROR MESSAGES
EL    Meaning ...
------------------------------------------
0     Login ok
1     The user pressed the escape key
2     The diTim event has occurred.
3     The diMax event has occurred.
4,5   Reserved
6     Login has executed, but a failure occurred.
      The returncode is: .. (hex)
7     Reserved
8     FSLOGIN.OVL or LOGIN.EXE could not be
      executed. Dos extended errorcode: .. (hex)
9     Shell/Requester/Network not available.
APPENDIX C: ERRORCODES FROM THE NETWORK
147 No read privileges
The program tried to read information from the bindery, but
the operating system did not allow this. Normally this error
should not occur and might indicate problems with the bindery.
150 Server out of memory
This situation means real trouble. For some reason memory
cannot be allocated for certain tasks. Shut down any NLM that
is not strictly needed and try to clean up as many connections
as possible. There might be only one way to deal with this
problem and that is RAM.
193 No account balance
This userid, also called account, has no initial account
balance to work with. The supervisor should assign an account
balance with syscon. This only occurs on servers with an
activated (Novell) accounting system.
194 Credit exceeded
The user has no more credits to continue working. The
supervisor should assign enough credit to the user. This only
occurs on servers with an activated (Novell) accounting
system.
197 Intruder lockout
There have been a number of attempts to log in with this userid
in combination with an incorrect password. The user either has to
wait for the intruder lockout time to expire, or the intruder
lockout can be cleared by the supervisor. This error can only
occur when the intruder lockout mechanism on the server is
activated with syscon.
215 Password not unique
The newly typed password has been used before. NetWare can
keep a record of a number of used passwords on a per user
basis. This option can be switched on or off with syscon for
individual users.
216 Password too short
The newly typed password is too short. NetWare requires
passwords to have a minimum length. This minimum length can be
set on a per user basis with syscon.
217 Maximum connections in use
The user tried to login from more than one workstation at the
same time, while a limit has been defined for this user.
Either the limit could be increased for this user or the user
should logout from other workstations first.
218 Not authorized at this time
There is a time restriction for this user, which prevents
login at this moment. Time restrictions are set system wide or
on a per user basis by the supervisor.
219 Not authorized at this station
There is a station restriction for this account. For security
reasons certain accounts can be restricted to be able to login
from certain workstations only.
220 Account disabled
The account (userid) exists but cannot be used, because it has
been disabled by the supervisor.
222 Password disabled
The current password for the user has expired, and there are
no more grace logins available. The supervisor must assign
another password to this user to be able to continue. It is
advisable to give users a number of grace logins, so that they
will be able to change their password themselves.
223 Password expired
The password expiration date has been reached or even passed,
but there are grace logins available. FSLOGIN warns the user
and presents a Password Status window. The user must change
his password now.
232 Write property to group
This error indicates a problem with the bindery. Re-try the
operation and when the problem persists, run the bindfix
utility.
236 No such segment
The bindery was queried for some information, but the expected
piece of information was not there. This error could also mean
some problems with the structure of the bindery.
239 Invalid name
The bindery was queried for some information, but NetWare
responded that the name used was not valid. This error could
indicate a bindery problem or a programming error in FSLOGIN.
240 Wildcard not allowed
A wildcard was used when the bindery was updated. Some
information to be placed in the bindery cannot contain
wildcards like '*' and '?'.
241 Invalid bindery security
The current user has no rights to read from or write to the
bindery. This problem could indicate a problem in the bindery
structure.
248 No property write privilege
The current user has no rights to write to the bindery.
Normally this should not occur, because the only update the
user does, is changing his own password.
249 No free connection slots
The NetWare shell has run out of connection slots. There are
eight connections possible with eight different servers.
Logout from a server that is no longer needed.
250 No more server slots
The server has reached its limit for the number of
connections. This number is determined by the license that is
running on the server (5 .. 250 users). The supervisor can try
to clear some unused connections with Fconsole (NetWare 2.xx)
or Monitor (NetWare 3.x).
251 No such property
The program tried to read a property from the bindery and the
property is not there. Again this could be a reason to run
bindfix.
252 No such object
The program tried to read an object from the bindery and the
object is not there.
254 Server bindery locked
Bindery read or write actions are not possible, because the
bindery is not available. This can be the result of a program
that has closed the bindery. Programs that close the bindery
are for example bindfix and most backup restore programs. The
bindery should be re-opened again when these programs have
done their job. If this is not the case the server has to be
brought down and started up again.
255 No response from server
This errorcode can represent several errors, by which the
server is not responding properly to workstation requests.
APPENDIX D: CURRENT LIMITATIONS
NetWare 4.02
The current version of FSLOGIN does not support NetWare
Directory Services. Accessing a NetWare 4.02 server can be
done when bindery emulation mode has been installed. There is,
however, one additional installation step that has to be done.
The NetWare 4.02 server should be provided with a NetWare 3.11 or
3.12 login.exe program.
Rename the NetWare 4.02 login.exe to something like log402.exe
and copy a NetWare 3.11 or 3.12 login.exe to the sys:login
directory using the original name 'login.exe'. The 3.11
login.exe is smaller and faster than the log402.exe and can be
used for bindery emulation mode access. FSLOGIN works in
combination with the 3.11 login.exe installed on the 4.02
server.
APPENDIX E: REGISTRATION AND SUPPORT
Feel free to use Full Screen Login for a trial period of 30
days. After this period you are expected to register or stop
using it. The registration fee is based on a single file
server license. When used on more servers, each server should
have its own license or better, a site license should be
obtained. See the document SITELICE.DOC.
Registered users receive a printed manual together with the
latest release of FSLOGIN, which is 'personalised' with the
name of their company or otherwise custom specified text.
Registered users will receive one free update when a new
version becomes available.
Registered users are offered free support for a period of six
months. Please use either CompuServe mail, Telefax, Fidonet or
phone in this preferred order. It is the author's goal to
answer all questions within a reasonable amount of time.
CompuServe : 100334,572
Fidonet : 2:512/250.359
Telefax : (+31) 8360 - 41580
Phone : (+31) 8360 - 24988
Due to international regulations our phone and fax numbers will
change in 1995. From October 10, 1995 the numbers will be:
Phone: +31 - 316 - 524988
Fax : +31 - 316 - 341580
Registration differs for the Netherlands, the United States
and other countries. When neither the Netherlands nor the US
apply to you, you are expected to follow the US procedure, or
contact Confirm for another arrangement. See also the
REGISTER.xx forms on the distribution diskette or the archive
file.
APPENDIX F: THE SHAREWARE CONCEPT
Shareware distribution gives users a chance to try software
before buying it. If you try a Shareware program and continue
using it, you are expected to register. Individual programs
differ on details. Some request registration while others
require it, some specify a maximum trial period. With
registration, you get anything from the simple right to
continue using the software to an updated program.
Copyright laws apply to both Shareware and commercial
software, and the copyright holder retains all rights, with a
few specific exceptions as stated below. Shareware authors are
accomplished programmers, just like commercial authors, and
the programs are of comparable quality. (In both cases, there
are good programs and bad ones!)
The main difference is in the method of distribution. The
author specifically grants the right to copy and distribute
the software, either to all or to a specific group. For
example, some authors require written permission before a
commercial disk vendor may copy their software.
Shareware is a distribution method, not a type of software.
You should find software that suits your needs, whether it's
commercial or Shareware. The Shareware system makes fitting
your needs easier, because you can try before you buy. And
because the overhead is low, prices are also low. Shareware
has the ultimate money-back guarantee -- if you don't use the
product, you don't pay for it.
The Ombudsman
This program is produced by a member of the Association of
Shareware Professionals (ASP). ASP wants to make sure that the
shareware principle works for you. If you are unable to
resolve a shareware-related problem with an ASP member by
contacting the member directly, ASP may be able to help. The
ASP Ombudsman can help you resolve a dispute or problem with
an ASP member, but does not provide technical support for
members' products. Please write to the ASP Ombudsman at 545
Grover Road, Muskegon, MI 49442-9427 USA, FAX 616-788-2765 or
send a CompuServe message via CompuServe Mail to ASP Ombudsman
70007,3536.
APPENDIX G: DISCLAIMER - AGREEMENT
Users of FSLOGIN must accept this disclaimer of warranty:
"FSLOGIN is supplied as is. The author or Confirm disclaims
all warranties, expressed or implied, including, without
limitation, the warranties of merchantability and of fitness
for any purpose. The author assumes no liability for damages,
direct or consequential, which may result from the use of
FSLOGIN."
FSLOGIN is a "shareware program" and is provided at no charge
to the user for evaluation. Feel free to share it with your
friends, but please do not give it away altered or as part of
another system. The essence of "user-supported" software is
to provide personal computer users with quality software
without high prices, and yet to provide incentive for
programmers to continue to develop new products. If you find
this program useful and find that you are using FSLOGIN and
continue to use FSLOGIN after a trial period of 30 days, you
must make a registration payment to Confirm. The registration
fee will license one copy for use on any one Novell NetWare
server at any one time. You must treat this software just like
a book. An example is that this software may be used by any
number of people and may be freely moved from one server
location to another, so long as there is no possibility of it
being used at one location while it's being used at another.
Just as a book cannot be read by two different persons at the
same time.
Users of FSLOGIN must register and pay for their copies of
FSLOGIN within 30 days of first use or their license will be
withdrawn.
Anyone distributing FSLOGIN for any kind of remuneration must
first contact Confirm at the address below for authorization.
This authorization will be automatically granted to
distributors recognized by the ASP as adhering to its
guidelines for shareware distributors, and such distributors
may begin offering FSLOGIN immediately (however, Confirm must
still be advised so that the distributor can be kept
up-to-date with the latest version of FSLOGIN).
You are encouraged to pass a copy of FSLOGIN along to your
friends for evaluation. Please encourage them to register
their copy if they find that they can use it.
Confirm
Ardechelaan 35
6904 NG ZEVENAAR
The Netherlands
CompuServe : 100334,572
Fidonet : 2:512/250.359
Telefax : (+31) 8360 - 41580
Phone : (+31) 8360 - 24988
Due to international regulations our phone and fax numbers will
change in 1995. From October 10, 1995 the numbers will be:
Phone: +31 - 316 - 524988
Fax : +31 - 316 - 341580
(c) Confirm 1993, All Rights Reserved. October 1994
--------------------------------------------------------------