
Second (Dialup) Passwords

If your system requires additional protection, you can establish a system password. If you do this, users who log in on specific ports (ttys) are prompted for a system password in addition to their account passwords. This feature cannot be imposed on the system console, or any terminal where clogin or xdm is used.

System passwords are normally used only on dialup lines and are often referred to as dialup passwords. You can use them on standard lines, but this is usually not necessary.

To establish a system password, follow these steps:

  1. Log in as root.

  2. Edit the file /etc/dialups.

    Place in the file a list of ports (ttys) that require the second password. For example:

    /dev/ttyd1
    /dev/ttyd2
    /dev/ttyd3

    List every possible name for each port, including links. Write the file and exit from the editor.

  3. Decide on the desired password or passwords. System passwords are assigned on a shell-by-shell basis. You can assign the same password for all the possible shells on the system, assign different passwords for each shell, or use some combination of approaches.

  4. Encrypt the desired password. You must use the passwd program to perform the encryption. You cannot use the crypt(1) command for this purpose.

    To encrypt the password, change the password of some account (for example, the bin account) to the password you wish to use in /etc/d_passwd. Before you do this, note what the existing password is (or whether the account is locked). Return the account to this state when you are finished assigning a system password. (To save an account's existing password, copy the password field of the account--the second field in /etc/passwd--and replace it when you are finished with this procedure.)

    For example, to change the password of the bin account to "2themoon", you enter:

    passwd bin

    You see:

    New password:

    Now enter the string "2themoon" and then press <Enter>. The string "2themoon" is not displayed as you type it. Next you see:

    Re-enter password:

    Enter the string "2themoon" again and then press <Enter>. The string is still not displayed as you type it.

    Examine the entry for the bin account in the file /etc/passwd. You should see something like this:

    bin:SaXub4uaL5NP:2:2:System Tools Owner:/bin

    The second field (between the first and second colons) is the encrypted version of the password "2themoon". (What you see may be different, even with the same password, depending on the "seed" the system uses to encrypt the password.)

  5. Edit the file /etc/d_passwd. In the file, place lines in the format:

    shell:password:

    shell is the command interpreter (shell) you wish to have a password, and password is the encrypted password. Make sure that all "shells" used in /etc/passwd (the seventh and final field) are listed in this file, including those for UUCP, PPP, SLIP, and so on.

    For example, this entry assigns the password "2themoon", which you encrypted in the previous step, to all C shell users who log in on the ttys specified in /etc/dialups:

    /bin/csh:SaXub4uaL5NP2:

    You must place a colon at the end of the encrypted password, and you must enter the shell program pathname exactly as it appears in /etc/passwd.

    Write the file and exit from the editor.

  6. Make sure the files have appropriate permissions by issuing the command:

    chmod 640 /etc/d_passwd /etc/dialups

  7. Remove the password you assigned to the system account in step 4. To do this, edit the file /etc/passwd and remove the string of characters in the second field. Return this field to the same state as when you began this procedure.

Now, whenever C shell users log in on the ttys specified in /etc/dialups, they are prompted for the system password "2themoon" in addition to their account password.

Note that you must make similar entries for any other login shells used on your system such as /bin/ksh, /usr/local/bin/bash, and /usr/bin/tcsh.
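
The following script is an added example, not part of the original page: it checks copies of /etc/passwd, /etc/d_passwd, and /etc/dialups against steps 5 through 7 above. The function names, the sample accounts, and the placeholder hash EXAMPLEHASH01 are constructed for illustration, and treating an empty shell field as /bin/sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit copies of the files above.

# Step 5: login shells in passwd (7th field) with no d_passwd entry.
# Assumption: an empty 7th field means the default shell /bin/sh.
missing_shells() {    # usage: missing_shells PASSWD D_PASSWD
    awk -F: -v dp="$2" '
        BEGIN { while ((getline l < dp) > 0) { split(l, f, ":"); have[f[1]] = 1 } }
        { sh = ($7 == "") ? "/bin/sh" : $7
          if (!(sh in have) && !(sh in seen)) { seen[sh] = 1; print sh } }' "$1"
}

# Step 5: d_passwd lines that are not exactly "shell:password:".
malformed_entries() { # usage: malformed_entries D_PASSWD
    awk -F: 'NF != 3 || $1 !~ /^\// || $2 == "" || $3 != "" { print FNR ": " $0 }' "$1"
}

# Step 7: accounts whose passwd field still holds a d_passwd hash.
leftover_accounts() { # usage: leftover_accounts PASSWD D_PASSWD
    awk -F: -v dp="$2" '
        BEGIN { while ((getline l < dp) > 0) { split(l, f, ":"); if (f[2] != "") h[f[2]] = 1 } }
        ($2 in h) { print $1 }' "$1"
}

# Step 6: files whose mode is not exactly 640.
bad_perms() {         # usage: bad_perms FILE...
    for f in "$@"; do find "$f" -prune ! -perm 640 -print; done
}

# Constructed sample data; EXAMPLEHASH01 is a placeholder, not a real hash.
make_sample() {       # usage: make_sample DIR
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Super-User:/:/bin/csh
bin:EXAMPLEHASH01:2:2:System Tools Owner:/bin:
alice:*:1001:20:Alice:/usr/people/alice:/bin/ksh
uucp:*:3:5:UUCP:/usr/lib/uucp:/usr/lib/uucp/uucico
EOF
    printf '%s\n' '/bin/csh:EXAMPLEHASH01:' '/bin/ksh:EXAMPLEHASH01' > "$1/d_passwd"
    printf '%s\n' '/dev/ttyd1' > "$1/dialups"
    chmod 640 "$1/d_passwd"; chmod 644 "$1/dialups"
}

dir=$(mktemp -d) && make_sample "$dir"
echo "shells without a system password:"; missing_shells "$dir/passwd" "$dir/d_passwd"
echo "malformed d_passwd lines:";         malformed_entries "$dir/d_passwd"
echo "accounts still holding the hash:";  leftover_accounts "$dir/passwd" "$dir/d_passwd"
echo "files not mode 640:";               bad_perms "$dir/d_passwd" "$dir/dialups"
rm -rf "$dir"
```

On the sample data, the script reports /bin/sh and the UUCP shell as uncovered, the /bin/ksh entry as missing its trailing colon, the bin account as not yet restored, and the dialups file as having the wrong mode.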

