Old 06-25-2007, 04:09 PM   #1
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Rep: Reputation: 15
Change /bin/login?


I want to replace /bin/login with a different login program. In case the new login fails to work and will not let anybody log on, how can I get access to the system and change /bin/login back to the original one?

I guess there are several options. One that I can think of might be to run sshd and open the firewall for incoming ssh requests. In case the new "/bin/login" does not work, I can ssh into the system as a normal user from the network, su to root and change the original login back. But if key-based authentication is not set up (no key pairs are generated and placed in the right places), will sshd fall back and call "/bin/login" for authentication by using "username" and "password"? Any thoughts and solutions?

Thanks a lot!
 
Old 06-25-2007, 05:11 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Don't log out in one terminal while you test whether you can login on another one.
 
Old 06-25-2007, 05:19 PM   #3
wjevans_7d1@yahoo.co
Member
 
Registered: Jun 2006
Location: Mariposa
Distribution: Slackware 9.1
Posts: 938

Rep: Reputation: 31
You need to get in there and can't log in?

I'm assuming you're using LILO for booting your system. (If there's someone out there who knows the corresponding instructions for booting with grub, please chime in.)

When you first boot, LILO will let you type an initialization string. This is the name of the OS image you wish to boot (many people just use "Linux" for this), followed by a space, followed by the initialization parameter, followed by the <Enter> key.

LILO also lets you list the choice(s) you have for operating system image name.

Let's say the name of the OS image you wish to boot is Linux. So enter this initialization string:

Code:
Linux init=/bin/bash
When you get a bash prompt, you'll be root. Enter these commands:

Code:
mount -w -n -o remount /
mount -a
Then knock yourself out.

Hope this helps.
 
Old 06-25-2007, 09:08 PM   #4
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jschiwal
Don't log out in one terminal while you test whether you can login on another one.
In fact, I tried this, but the new login just dumped some error message and then quit. I didn't remember the message exactly. But I even tried /bin/login when I was already in the system; it simply said cannot authenticate (on one machine) or dumped some message regarding tty permission (on another machine). I need to test again to show the exact message here. But you know, basically it won't work somehow when you try to log on (either w/ a different account or w/ the same account) when you are already logged in.
 
Old 06-25-2007, 09:13 PM   #5
AceofSpades19
Senior Member
 
Registered: Feb 2007
Location: Chilliwack,BC.Canada
Distribution: Slackware64 -current
Posts: 2,079

Rep: Reputation: 58
log in on a different terminal, press ctrl-alt-Fn for a new terminal
 
Old 06-25-2007, 09:17 PM   #6
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Thanks a lot! Here are a couple more questions about your methods.

Quote:
Originally Posted by wjevans_7d1@yahoo.co
You need to get in there and can't log in?
Just like pretend that /bin/login just crashed and won't let anybody pass authentication ...

Quote:
Originally Posted by wjevans_7d1@yahoo.co
Let's say the name of the OS image you wish to boot is Linux. So enter this initialization string:

Code:
Linux init=/bin/bash
When you get a bash prompt, you'll be root.
So, you mean there is no asking for "username" and "password" and the system directly inits itself with the "root" account.

Quote:
Originally Posted by wjevans_7d1@yahoo.co
Enter these commands:

Code:
mount -w -n -o remount /
mount -a
What do they mean?

Thanks!
 
Old 06-25-2007, 09:33 PM   #7
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by AceofSpades19
log in on a different terminal, press ctrl-alt-Fn for a new terminal
Thanks!

I think at least I can do the following test to see if "ssh" can still work with the new /bin/login:

- log in as a normal user;
- run "sshd" and open the firewall for "ssh";
- "ssh" in from the network and ensure it works;
- replace /bin/login with the new program file as root;
- without logging out, "ssh" from the network again and see if it works;
- if "ssh" still works, it's safe to restart the system and test the new "/bin/login"; if it does not let me in, "ssh" from the network and change "/bin/login" back to the original (BUT of course need to figure out why the new program won't work and make it work in the end since that's the goal)

If "ssh" does not work, it shows "sshd" falls back to "login" for authentication w/ username and passwd. Try the method that wjevans_7d1 suggested and other methods ...

Last edited by licht; 06-25-2007 at 09:35 PM.
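
Whether a broken /bin/login can lock out ssh depends on sshd's own configuration, so one check before swapping the binary is to read it. The following is an added example, not part of the thread: it summarises the global section of an sshd_config. `UseLogin` (default `no`, removed in OpenSSH 7.4) decides whether login(1) handles interactive sessions; the function names and the sample config are constructed, and plain whitespace-separated `Keyword value` lines are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sshd_config-style text on stdin
# and prints how the global section treats login(1), passwords and keys.
# Assumes whitespace-separated "Keyword value" lines; Include is not followed.
sshd_login_report() {
    awk '
        function opt(k, d) { return (k in seen) ? seen[k] : d }
        /^[ \t]*#/ || NF < 2 { next }        # comments, blanks, bare keywords
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }              # stop at the first Match block
        !(key in seen) { seen[key] = val }   # sshd keeps the first value it reads
        END {
            # UseLogin yes: interactive sessions are handed to login(1)
            session = (opt("uselogin", "no") == "yes") ? "login" : "sshd"
            if (opt("passwordauthentication", "yes") != "yes")
                pw = "off"
            else
                pw = (opt("usepam", "no") == "yes") ? "pam" : "builtin"
            printf "session=%s password=%s pubkey=%s\n",
                   session, pw, opt("pubkeyauthentication", "yes")
        }
    '
}

# Constructed sample configuration, not taken from a real host.
sample_config() {
    cat <<'EOF'
# constructed sample
Protocol 2
UsePAM yes
PasswordAuthentication yes
UseLogin no
Match User backup
    PasswordAuthentication no
EOF
}

sample_config | sshd_login_report
```

On a real host, feed it the live file, for example `sshd_login_report < /etc/ssh/sshd_config`; `session=sshd` means the ssh path does not run /bin/login at all.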
 
Old 06-25-2007, 11:55 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I don't think that you understood my suggestion. It was to not log out of one terminal and try to log in on another for the testing. If the test fails, restore the original /bin/login on the original terminal.


I don't see why you want to create your own login program. The login process is integrated with PAM and the shadow suite and can be controlled by editing /etc/security/access.conf.

Last edited by jschiwal; 06-25-2007 at 11:57 PM.
 
Old 06-26-2007, 08:30 AM   #9
wjevans_7d1@yahoo.co
Member
 
Registered: Jun 2006
Location: Mariposa
Distribution: Slackware 9.1
Posts: 938

Rep: Reputation: 31
Quote:
So, you mean there is no asking for "username" and "password" and the system directly inits itself with the "root" account.
Yes. As with jschiwal's suggestion, this is meant as a way to get your original login back.

And as for what the mount commands mean, do this at the command prompt:

Quote:
man mount
Hope this helps.
 
Old 06-26-2007, 10:16 PM   #10
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Original Poster
Rep: Reputation: 15

Quote:
Originally Posted by jschiwal
I don't see why you want to create your own login program. The login process is integrated with PAM and the shadow suite and can be controlled by editing /etc/security/access.conf.
This is a test to see if a kerberized login will work. I just installed MIT Kerberos 5 and replaced /bin/login with such a login program from the source package of krb5. It works just fine! Though I didn't check to see if sshd will fall back to use /bin/login for verifying username and password (which I doubt), it is safe to use RSA authentication in any case if a local login fails.

I'm not very aware of how the login process really works, especially how it cooperates with PAM. Could you please give me some more tutorial on this or indicate some resource or reference? For example, if I want to make KDE login support Kerberos as well, I think PAM is the only convenient way to do that (again, I don't know if the authentication part for KDE GUI-based login is really a pluggable program, asking for 'username' and 'password' in the login window, or not, but it seems to me it does not rely on /bin/login at all).

Words convey knowledge. Thanks a lot! Thank wjevans_7d1 too.
 
Old 06-27-2007, 12:04 AM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You might want to read "man 5 pam_krb5" and "man 8 pam_krb5" (assuming you have added PAM support).

They may help you configure PAM to use kerberos5. A number of programs may be built with PAM support but not krb5 support. Configuring PAM could save you a lot of work compared to identifying which programs need to be rebuilt with Kerberos support as well.

Red Hat or Fedora Core may actually build their packages with libkrb5 support built in and may even offer Kerberos as an authentication source in its configuration programs. Alternatively, they may install and configure pam_krb5 instead, but in either case, this may handle most of the work for you (including either replacing or configuring the login program).

Using "lsof | grep -i pam" will give you an idea of running programs that use libpam. Also, "ldd /sbin/* /usr/sbin/* /opt/kde3/sbin/* /opt/gnome/sbin/*" will list libraries a program loads. You can search for pam and krb. I took a look on my laptop. KDE & GNOME binaries tend to be built with PAM support. Amarok was built with built-in support for both.
Code:
amarokapp:
        libamarok.so.0 => /opt/kde3/lib64/libamarok.so.0 (0x00002b32e4ddd000)
...
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b32ef2d7000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b32ef4ee000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b32ef775000)
...
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b32f03df000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b32f05e3000)
amarokcollectionscanner:
        libamarok.so.0 => /opt/kde3/lib64/libamarok.so.0 (0x00002b07c008f000)
...
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b07ca588000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b07ca79f000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b07caa27000)
...
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b07cb894000)
However, if by Red Hat 9.0 you don't mean the server product and mean the pre-Fedora version, I can hardly remember back that far. Some things that are standard options now may need to be manually installed and configured.

Last edited by jschiwal; 06-27-2007 at 06:27 PM.
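
The ldd search described in the post above can be turned into a per-binary summary. This is an added example, not part of the thread: it reads multi-file ldd output in the format of the listing above (a `name:` line followed by indented libraries) and tags each binary by whether it links libpam, libkrb5, both or neither. The function names and sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads ldd output for several files on
# stdin and prints "<binary><TAB><pam|krb5|pam+krb5|none>" per binary.
# Assumes ldd was given more than one file, so each binary has a "name:" line.
auth_linkage() {
    awk '
        function emit() {
            if (name == "") return
            if (pam && krb) tag = "pam+krb5"
            else if (pam)   tag = "pam"
            else if (krb)   tag = "krb5"
            else            tag = "none"
            print name "\t" tag
        }
        # An unindented line ending in ":" starts the next binary.
        /^[^ \t].*:$/ {
            emit()
            name = substr($0, 1, length($0) - 1)
            pam = krb = 0
            next
        }
        $1 ~ /^libpam\.so/  { pam = 1 }   # direct or transitive libpam
        $1 ~ /^libkrb5\.so/ { krb = 1 }   # direct or transitive libkrb5
        END { emit() }
    '
}

# Constructed sample listing; names, paths and addresses are illustrative.
sample_ldd() {
    printf '%s\n' \
        '/usr/sbin/prog_a:' \
        '	libpam.so.0 => /lib64/libpam.so.0 (0x00002b0000001000)' \
        '	libc.so.6 => /lib64/libc.so.6 (0x00002b0000002000)' \
        '/usr/sbin/prog_b:' \
        '	libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b0000003000)' \
        '	libpam.so.0 => /lib64/libpam.so.0 (0x00002b0000004000)' \
        '/usr/sbin/prog_c:' \
        '	libc.so.6 => /lib64/libc.so.6 (0x00002b0000005000)'
}

sample_ldd | auth_linkage
```

Run it as `ldd /sbin/* /usr/sbin/* 2>/dev/null | auth_linkage`. The ldd manual warns against running it on untrusted executables and suggests `objdump -p file | grep NEEDED` for those.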
 