Provided by: ax25-tools_0.0.10-rc5+git20230513+d3e6d4f-2_amd64

NAME

       axspawn - Allow automatic login to a Linux system.

SYNOPSIS

       axspawn  [--pwprompt  PR0MPT, -p PR0MPT] [--changeuser, -c] [--rootlogin, -r] [--only-md5]
       [--wait, -w]

DESCRIPTION

       Axspawn checks that the peer is an AX.25 connection and that the callsign is a valid
       Amateur Radio callsign, strips the SSID, checks that the UID/GID are valid, and allows a
       password-less login if the password entry in /etc/passwd is “+” or empty; in every other
       case login will prompt for a password.

       Axspawn  can create user accounts automatically. You may specify the user shell, first and
       maximum user id,  group  ID  in  the  config  file  and  (unlike  WAMPES)  create  a  file
       “/etc/ax25/ax25.profile” which will be copied to ~/.profile.

SECURITY

       Auto accounting is a security problem by definition. Unlike WAMPES, which creates an empty
       password field, Axspawn adds an “impossible” ('+') password  to  /etc/passwd.  Login  gets
       called with the “-f” option, thus new users have the chance to log in without a password.
       (I guess this won't work with the shadow password system).

       Of course axspawn does callsign checking:  Only  letters  and  numbers  are  allowed,  the
       callsign  must  be  longer than 4 characters and shorter than 6 characters (without SSID).
       There must be at least one digit, and max. two digits within the call. The  SSID  must  be
       within  the  range  of  0  and 15. Please drop me a note if you know a valid Amateur Radio
       callsign that does not fit this pattern _and_ can be represented correctly in AX.25.

       axspawn also supports the well-known AX.25 BBS authentication mechanisms baycom (sys)
       and md5. axspawn searches /etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second) for a
       match of the required authentication mechanism and password. md5 and baycom passwords
       may differ. md5 passwords take precedence over baycom passwords.

       Note: you can "lock out" special "friends" by specifying an empty password in
       /etc/ax25/bcpasswd (line "n0call:md5:"). This enforces md5 authentication, but the
       password is shorter than the minimum length (8 for md5, 20 for baycom); the user's own
       password file is not searched because an entry was already found in /etc/ax25/bcpasswd.

       Syntax and caveats for /etc/ax25/bcpasswd:
         - Has to be a regular file (no symlink). Not world-readable/writable.
         - Example lines:
           # Thomas
           dl9sau:md5:abcdefgh
           # Test
           te1st:sys:12345678901234567890
           # root
           root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
           # misconfiguration:
           thisbadlineisignored
           # With this line
           systempasswordonly
           # .. axspawn will not look in user's homedir for his .bcpasswd

       Syntax and caveats for user's .bcpasswd in his $HOME:
         - Has to be a regular file (no symlink). Neither group- nor
             world-readable/writable. Has to be owned by the user or uid 0 (root).
         - Example lines:
           # could be shorter
           md5:abcdefgh
           # should be longer
           sys:12345678901234567890
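
       An added example, not part of the axspawn manual or source: a Python audit of the file
       rules listed above (regular file, permission bits, ownership, line syntax, minimum
       password lengths). The function name, the finding strings, and the handling of
       whitespace and of ':' inside passwords are assumptions.

```python
import os
import stat

MIN_LEN = {"md5": 8, "sys": 20}  # minimum lengths stated on this page

def audit_bcpasswd(path, system_file=True, owner_uid=None):
    """Return a list of findings for a bcpasswd file (empty list = clean)."""
    findings = []
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlinks are rejected)"]
    # System file: no world access. User file: no group or world access.
    forbidden = stat.S_IROTH | stat.S_IWOTH
    if not system_file:
        forbidden |= stat.S_IRGRP | stat.S_IWGRP
        if st.st_uid not in (0, owner_uid):
            findings.append("owner is neither the user nor uid 0")
    if st.st_mode & forbidden:
        findings.append("mode %04o is too permissive" % stat.S_IMODE(st.st_mode))
    want = 3 if system_file else 2           # call:mech:pw  vs  mech:pw
    with open(path, encoding="ascii", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()               # assumption: surrounding blanks ignored
            if not line or line.startswith("#"):
                continue
            if system_file and line == "systempasswordonly":
                continue                     # valid keyword, not an entry
            # assumption: any further ':' belongs to the password field
            fields = line.split(":", want - 1)
            if len(fields) != want:
                findings.append("line %d: malformed, will be ignored" % no)
                continue
            mech, pw = fields[-2], fields[-1]
            if mech not in MIN_LEN:
                findings.append("line %d: unknown mechanism %r" % (no, mech))
            elif len(pw) < MIN_LEN[mech]:    # never echo the password itself
                findings.append("line %d: %s password shorter than %d"
                                % (no, mech, MIN_LEN[mech]))
    return findings
```

       Call it with system_file=False and the account's uid for a ~/.bcpasswd. An empty
       password, as in the "n0call:md5:" lock-out line, is reported as shorter than the minimum.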

OPTIONS

       -p DB0FHN or --pwprompt DB0FHN
            During baycom or md5 password authentication (see above), the password prompt is set
            to the first argument (DB0FHN in this example). This may be needed for some packet-
            radio terminal programs to detect the password prompt properly.

       -c, --changeuser
            Allow connecting ax25 users to change their username for login. They'll be asked  for
            their real login name.

       -e, --embedded
            Special treatment for axspawn on embedded devices that do not conform to the
            standard. For example, OpenWrt has no true /bin/login: using it as a real login
            program opens a security hole.

       -r, --rootlogin
            Permit login as user root. Caveat: only md5 or baycom style authentication is
            allowed; no plaintext password.

       --only-md5
            Insist on md5 authentication during login. If no password for the user is found, or
            it is not md5, then no other login mechanism is granted. This option, in combination
            with -c and -r, may be a useful configuration for systems where no ax25 user accounts
            are available, but you as sysop would like to have login access for your
            administrative tasks.

       -w, --wait
            Eats the first line the user sends. This  feature  is  useful  if  you  have  TCP  VC
            connects  to the same Call+SSID. It is now obsolete, because ax25d is the right place
            for this and implements this functionality better.

       These are options and not part of the preferences because you _may_ want a different
       behaviour on every interface definition in ax25d.conf (where axspawn is started from).

FILES

       /etc/passwd
       /etc/ax25/ax25.profile
       /etc/ax25/axspawn.conf
       /etc/ax25/bcpasswd
       ~/.bcpasswd

SEE ALSO

       axspawn.conf(5), ax25d(8).

AUTHOR

       Joerg Reuter DL1BKE <jreuter@poboxes.com>