I want to replace /bin/login with a different login program. In case the new login fails to work and will not let anybody log on, how can I get access to the system and change /bin/login back to the original one?
I guess there are several options. One that I can think of might be to run sshd and open the firewall for incoming ssh requests. In case the new "/bin/login" does not work, I can ssh into the system as a normal user from the network, su to root and change the original login back. But if key-based authentication is not set up (no key pairs are generated and placed in the right places), will sshd fall back and call "/bin/login" for authentication by using "username" and "password"? Any thoughts and solutions?
I'm assuming you're using LILO for booting your system. (If there's someone out there who knows the corresponding instructions for booting with grub, please chime in.)
When you first boot, LILO will let you type an initialization string. This is the name of the OS image you wish to boot (many people just use "Linux" for this), followed by a space, followed by the initialization parameter, followed by the <Enter> key.
LILO also lets you list the choice(s) you have for operating system image name.
Let's say the name of the OS image you wish to boot is Linux. So enter this initialization string:
Code:
Linux init=/bin/bash
When you get a bash prompt, you'll be root. Enter these commands:
Don't log out in one terminal while you test whether you can log in on another one.
In fact, I tried this but the new login just dumped some error message and then quit. I don't remember the exact message. But I even tried /bin/login when I was already in the system; it simply said cannot authenticate (on one machine) or dumped some message regarding tty permission (on another machine). I need to test again to show the exact message here. But you know basically it won't work somehow when you try to log on (either w/ a different account or w/ the same account) when you are already logged in.
Log in on a different terminal; press Ctrl-Alt-Fn for a new terminal.
Thanks!
I think at least I can do the following test to see if "ssh" can still work with the new /bin/login:
- login as a normal user;
- run "sshd" and open firewall for "ssh";
- "ssh" in from network and ensure it works;
- change /bin/login with the new program file as root;
- without log out, "ssh" from network again and see if it works;
- if "ssh" still works, it's safe to restart the system and test the new "/bin/login"; if it does not let me in, "ssh" from the network and change "/bin/login" back to the original (BUT of course I need to figure out why the new program won't work and make it work in the end, since that's the goal)
- if "ssh" does not work, it shows "sshd" falls back to "login" for authentication w/ username and passwd. Try the method that wjevans_7d1 suggested and other methods ...
I don't think that you understood my suggestion. It was to not log out of one terminal and try to log in on another for the testing. If the test fails, restore the original /bin/login on the original terminal.
I don't see why you want to create your own login program. The login process is integrated with PAM and the shadow suite and can be controlled by editing /etc/security/access.conf.
This is a test to see if a kerberized login will work. I just installed MIT Kerberos 5 and replaced /bin/login with such a login program w/ the source package of krb5. It works just fine! Though I didn't check to see if sshd will fall back to use /bin/login for verifying username and password (which I doubt), it is safe to use RSA authentication in any case if a local login fails.
I'm not very aware of how the login process really works, especially how it cooperates with PAM. Could you please give me some more tutorial on this or indicate some resource or reference? For example, if I want to make KDE login support Kerberos as well, I think PAM is the only convenient way to do that (again, I don't know if the authentication part for KDE GUI-based login is really a pluggable program, asking for 'username' and 'password' in the login window, or not, but it seems to me it does not rely on /bin/login at all).
Words convey knowledge. Thanks a lot! Thanks to wjevans_7d1 too.
You might want to read "man 5 pam_krb5" and "man 8 pam_krb5" (assuming you have added PAM support).
They may help you configure PAM to use kerberos5. A number of programs may be built with PAM support but not krb5 support. Configuring PAM could save you a lot of work compared to identifying which programs need to be rebuilt with Kerberos support as well.
Red Hat or Fedora Core may actually build their packages with libkrb5 support built in and may even offer Kerberos as an authentication source in its configuration programs. Alternatively, they may install and configure pam_krb5 instead, but in either case, this may handle most of the work for you (including either replacing or configuring the login program).
Using "lsof | grep -i pam" will give you an idea of running programs that use libpam. Also, "ldd /sbin/* /usr/sbin/* /opt/kde3/sbin/* /opt/gnome/sbin/*" will list the libraries a program loads. You can search for pam and krb. I took a look on my laptop. KDE & GNOME binaries tend to be built with PAM support. Amarok was built with built-in support for both.
However, if by Red Hat 9.0 you don't mean the server product and mean the pre-Fedora version, I can hardly remember back that far. Some things that are standard options now may need to be manually installed and configured.
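On the question raised in the thread of whether sshd depends on /bin/login, an added example (not part of any post above): a shell check of the global section of an sshd_config for `UseLogin`, the option that in older OpenSSH releases (removed in 7.4) makes sshd start interactive sessions through login(1). The sample config, the function names and the verdict strings are constructed for illustration, and only password and public-key authentication are considered.

```shell
#!/bin/sh
# Added example: does this sshd_config route interactive sessions via login(1)?

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective global value of KEYWORD, lowercased. sshd matches
# keywords case-insensitively and keeps the first occurrence; lines after the
# first "Match" are conditional and skipped. Assumes "Keyword value" lines.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# login_dependency FILE
# Prints one verdict:
#   uses-login             UseLogin yes: interactive sessions go through login(1)
#   independent            UseLogin no and password or public-key auth enabled
#   no-password-or-pubkey  neither of those two methods is enabled
login_dependency() {
    uselogin=$(sshd_setting "$1" UseLogin no)
    password=$(sshd_setting "$1" PasswordAuthentication yes)
    pubkey=$(sshd_setting "$1" PubkeyAuthentication yes)
    if [ "$uselogin" = yes ]; then
        echo uses-login
    elif [ "$password" = yes ] || [ "$pubkey" = yes ]; then
        echo independent
    else
        echo no-password-or-pubkey
    fi
}

# Constructed sample config (not taken from the thread).
sample_config() {
    cat <<'EOF'
# constructed sample sshd_config
Port 22
useLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
login_dependency "$tmp"    # prints: uses-login
rm -f "$tmp"
```

A verdict of `uses-login` means a broken /bin/login replacement would also affect interactive ssh sessions, so the rescue path should be tested before the swap.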