With Digital UNIX enhanced security, build with -DDECOSF1_ENHANCED and link with SYSLIBS=-lsecurity (see Makefile).
The enhanced login command reports every login failure that is not followed by a successful login (the threshold for reporting a failure is 1 for known account names, 2 for other names). Unfortunately, only the SunOS5 variant of the program supports shadow passwords and password aging. See below for a list of enhancements.
THIS PROGRAM CAN INTRODUCE SECURITY HOLES WITH SOME SYSTEM V VERSIONS, in particular the versions with port monitors (getty, ttymon) that convert their standard input to an argument vector for /bin/login. It seems to be OK for SunOS 5.0 and later.
This login command can interface to new-style rlogin daemons that do all the authentication by themselves (the login '-f' option). Support for the '-r' option has been added so that it can also interface to older rlogin daemons.
    *.err;kern.debug;auth.notice;user.none	/dev/console
    *.err;kern.debug;daemon,auth.info;mail.crit;user.none	/var/adm/messages
    auth.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)

Beware that syslogd usually insists on tabs between fields in the syslog.conf file.
(2) The program supports device security described in the SunOS 4.x fbtab(5) and SunOS 5.x logindevperm(4) manual pages. The format of that file is:
    /dev/console 0600 /dev/kbd:/dev/mouse:/dev/fb
    /dev/console 0600 /dev/sound/*:/dev/fbs/*

The code first looks for /etc/fbtab (compatibility with pre SunOS 5.3 logdaemon versions), then for /etc/logindevperm.
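As an added illustration (not code from this package), the following C function parses one line of that format: field 1 is the login terminal, field 2 the octal mode, and field 3 a colon-separated device list in which a trailing /* names every file in a directory. The struct and function names are hypothetical, and the '#' comment handling is an assumption taken from logindevperm(4).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct devperm {
    char path[128];     /* device, or a directory when wildcard is set */
    unsigned mode;      /* field 2, read as octal permission bits */
    int wildcard;       /* 1 when the entry names every file in a directory */
};

/* Returns the number of entries stored in out[] when the line is for login_tty,
 * 0 when it is not (other tty, blank line, '#' comment), -1 when malformed. */
int parse_devperm_line(const char *line, const char *login_tty,
                       struct devperm *out, int max)
{
    char buf[512], *tty, *modestr, *devs, *dev, *end;
    unsigned long mode;
    size_t len;
    int n = 0;

    if (strlen(line) >= sizeof(buf)) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "#\n")] = '\0';            /* drop comment and newline */
    if ((tty = strtok(buf, " \t")) == NULL) return 0;
    modestr = strtok(NULL, " \t");
    devs = strtok(NULL, " \t");
    if (modestr == NULL || devs == NULL) return -1;
    mode = strtoul(modestr, &end, 8);
    if (*end != '\0' || mode > 07777) return -1; /* reject non-octal modes */
    if (strcmp(tty, login_tty) != 0) return 0;
    for (dev = strtok(devs, ":"); dev != NULL; dev = strtok(NULL, ":")) {
        len = strlen(dev);
        if (n >= max || len >= sizeof(out[n].path)) return -1;
        out[n].wildcard = len > 2 && strcmp(dev + len - 2, "/*") == 0;
        if (out[n].wildcard) dev[len - 2] = '\0';
        strcpy(out[n].path, dev);
        out[n++].mode = (unsigned) mode;
    }
    return n;
}

int main(void)
{
    struct devperm d[16];   /* sample line taken from the text above */
    int n = parse_devperm_line("/dev/console 0600 /dev/sound/*:/dev/fbs/*",
                               "/dev/console", d, 16);
    for (int j = 0; j < n; j++)
        printf("%s %04o%s\n", d[j].path, d[j].mode,
               d[j].wildcard ? " (every file in this directory)" : "");
    return 0;
}
```

A line whose mode field is not valid octal, or that lacks a device list, is rejected rather than applied with a guessed mode.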
(3) The program can selectively allow (or disallow) users (or groups) to log in from specific hosts (or domains) or terminals. Access is controlled by a file /etc/login.access. The login.access file in this directory describes details.
(4) Premature hangups are reported as login failures, too. That's an old cracker trick.
(5) All logins are reported to the syslogd, so that I no longer have to examine 160 /var/adm/wtmp files. Regular logins are logged at severity auth.info.
(6) If compiled with -DSKEY, implement additional support for one-time s/key passwords. This feature is completely transparent for the user who does not use s/key. See ../skey/README for details.
(7) When given the -l option, the rlogin authentication code ignores user .rhosts files (IRIX 5.3: -R).
(8) By default, the rlogin auth code will not accept '+' wildcards (it will complain instead). The -l option is passed on by the rlogind program in ../rlogind.
Unimplemented SYSV features:
Login failures are not logged to a local file. Instead, they are reported to the syslogd so that you can keep a better eye on all your systems.
No dial-up passwords; when you are reachable across the Internet (millions of systems) you have bigger worries than modem break-ins.
The -d option is permitted but always ignored.
Users whose password has expired will be asked to change their password, even when they are not permitted to change it.