bionic (8) axspawn.8.gz

Provided by: ax25-tools_0.0.10-rc4-3_amd64

NAME

       axspawn - Allow automatic login to a Linux system.

SYNOPSIS

       axspawn [--pwprompt PROMPT, -p PROMPT] [--changeuser, -c] [--rootlogin, -r] [--only-md5] [--wait, -w]

DESCRIPTION

       Axspawn checks that the peer is an AX.25 connection and that the callsign is a valid Amateur Radio
       callsign, strips the SSID, and checks that the UID/GID are valid. It allows a password-less login if the
       password entry in /etc/passwd is “+” or empty; in every other case login will prompt for a password.

       Axspawn  can  create  user accounts automatically. You may specify the user shell, first and maximum user
       id, group ID in the config file and (unlike WAMPES) create a file “/etc/ax25/ax25.profile” which will  be
       copied to ~/.profile.

SECURITY

       Auto accounting is a security problem by definition. Unlike WAMPES, which creates an empty password
       field, Axspawn adds an “impossible” ('+') password to /etc/passwd. Login gets called with the “-f”
       option, thus new users have the chance to log in without a password. (I guess this won't work with the
       shadow password system.)

       Of course axspawn does callsign checking: Only letters and numbers are  allowed,  the  callsign  must  be
       longer  than 4 characters and shorter than 6 characters (without SSID). There must be at least one digit,
       and max. two digits within the call. The SSID must be within the range of 0 and 15. Please drop me a note
       if  you  know  a  valid  Amateur  Radio  callsign that does not fit this pattern _and_ can be represented
       correctly in AX.25.

       axspawn also supports the well-known AX.25 BBS authentication mechanisms baycom (sys) and md5.
       axspawn searches /etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second) for a match of the required
       authentication mechanism and password. md5 and baycom passwords may differ. md5 passwords take
       precedence over baycom passwords.

       Note: you can "lock out" special "friends" by specifying an empty password in /etc/ax25/bcpasswd (line
       "n0call:md5:"). md5 passwords are then enforced, but the length is shorter than the minimum (length 8
       for md5, length 20 for baycom); the user's password file is not searched because the entry was already
       found in /etc/ax25/bcpasswd.

       Syntax and caveats for /etc/ax25/bcpasswd:
         - Has to be a regular file (no symlink). Not world-readable/writable.
         - Example lines:
           # Thomas
           dl9sau:md5:abcdefgh
           # Test
           te1st:sys:12345678901234567890
           # root
           root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
           # misconfiguration:
           thisbadlineisignored
           # With this line
           systempasswordonly
           # .. axspawn will not look in user's homedir for his .bcpasswd

       Syntax and caveats for user's .bcpasswd in his $HOME:
         - Has to be a regular file (no symlink). Neither group- nor world-
             read-/writable. Has to be owned by the user or uid 0 (root).
         - Example lines:
           # could be shorter
           md5:abcdefgh
           # should be longer
           sys:12345678901234567890
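
       An audit of both password files against the rules listed above, as an added example (not part of
       axspawn or of this man page). It assumes one entry per line with '#' comments as in the example
       lines, and it flags any password below the stated minimum length, of which the Note's empty-password
       lock-out is one case; axspawn's own parser may differ in details.

```python
import os
import stat

MIN_LEN = {"md5": 8, "sys": 20}   # minimum lengths given in the Note above

def check_file(path, user_uid=None):
    """Problems with file type, mode and owner. user_uid=None means the
    system file /etc/ax25/bcpasswd; otherwise a user's ~/.bcpasswd."""
    st = os.lstat(path)                       # lstat: never follow a symlink
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    forbidden = stat.S_IROTH | stat.S_IWOTH   # system file: no world r/w
    if user_uid is not None:
        forbidden |= stat.S_IRGRP | stat.S_IWGRP   # user file: no group r/w either
        if st.st_uid not in (user_uid, 0):
            problems.append("not owned by the user or uid 0")
    if st.st_mode & forbidden:
        problems.append("mode %04o is too permissive" % stat.S_IMODE(st.st_mode))
    return problems

def classify_line(line, user_file=False):
    """Return (kind, detail) for one line of a bcpasswd file."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ("comment", "")
    if not user_file and line == "systempasswordonly":
        return ("directive", "~/.bcpasswd will not be consulted")
    want = 2 if user_file else 3              # [call:]mechanism:password
    fields = line.split(":", want - 1)        # assumption: password may hold ':'
    if len(fields) != want or fields[-2] not in MIN_LEN:
        return ("ignored", "not a valid entry")
    mech, secret = fields[-2], fields[-1]
    if len(secret) < MIN_LEN[mech]:
        return ("too-short", "%s needs at least %d characters" % (mech, MIN_LEN[mech]))
    return ("ok", mech)

def audit(path, user_uid=None):
    """File-level problems plus every line that is neither 'ok' nor a comment."""
    findings = [(0, "file", p) for p in check_file(path, user_uid)]
    if findings and findings[0][2] == "not a regular file":
        return findings                       # do not open what the rules reject
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            kind, detail = classify_line(line, user_uid is not None)
            if kind not in ("ok", "comment"):
                findings.append((n, kind, detail))
    return findings
```

       Call audit("/etc/ax25/bcpasswd") for the system file, or audit(path, user_uid=uid) for a user's
       ~/.bcpasswd; each finding is a (line number, kind, detail) tuple, with line 0 for file-level problems.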

OPTIONS

       -p DB0FHN or --pwprompt DB0FHN
            During baycom or md5 password authentication (see above), the password prompt is set to the first
            argument (DB0FHN in this example). This may be needed for some packet-radio terminal programs to
            detect the password prompt properly.

       -c, --changeuser
            Allow connecting ax25 users to change their username for login. They'll  be  asked  for  their  real
            login name.

       -e, --embedded
            Special treatment for axspawn on embedded devices that do not conform to the standard. For example,
            OpenWrt has no true /bin/login: if you use it as a real login program, it opens a security hole.

       -r, --rootlogin
            Permit login as user root. Caveat: only md5 or baycom style is allowed; no plaintext password.

       --only-md5
            Insist on md5 authentication during login. If no password for the user is found, or it is not md5,
            then no other login mechanism is granted. This option, in combination with -c and -r, may be a
            useful configuration for systems where no ax25 user accounts are available, but you as sysop would
            like to have login access for your administrative tasks.

       -w, --wait
            Eats  the  first line the user sends. This feature is useful if you have TCP VC connects to the same
            Call+SSID. It is now obsolete, because ax25d is  the  right  place  for  this  and  implements  this
            functionality better.

       These are options and not part of the preferences because you _may_ want a different behaviour on
       every interface definition in ax25d.conf (where axspawn is started from).

FILES

       /etc/passwd
       /etc/ax25/ax25.profile
       /etc/ax25/axspawn.conf
       /etc/ax25/bcpasswd
       ~/.bcpasswd

SEE ALSO

       axspawn.conf(5), ax25d(8).

AUTHOR

       Joerg Reuter DL1BKE <jreuter@poboxes.com>