Provided by: ax25-tools_0.0.10-rc5+git20230513+d3e6d4f-1build2_amd64

NAME

       axspawn - Allow automatic login to a Linux system.

SYNOPSIS

       axspawn [--pwprompt PR0MPT, -p PR0MPT] [--changeuser, -c] [--rootlogin, -r] [--only-md5] [--wait, -w]

DESCRIPTION

       Axspawn checks that the peer is an AX.25 connection and that the callsign is a valid Amateur Radio
       callsign, strips the SSID, and checks that the UID/GID are valid. It allows a password-less login if
       the password entry in /etc/passwd is “+” or empty; in every other case login will prompt for a
       password.

       Axspawn can create user accounts automatically. You may specify the user shell, the first and maximum
       user ID, and the group ID in the config file and (unlike WAMPES) create a file
       “/etc/ax25/ax25.profile”, which will be copied to ~/.profile.

SECURITY

       Auto accounting is a security problem by definition. Unlike WAMPES, which creates an empty password
       field, Axspawn adds an “impossible” ('+') password to /etc/passwd. Login gets called with the “-f”
       option, thus new users have the chance to log in without a password. (I guess this won't work with
       the shadow password system).

       Of  course  axspawn  does  callsign  checking: Only letters and numbers are allowed, the callsign must be
       longer than 4 characters and shorter than 6 characters (without SSID). There must be at least one  digit,
       and max. two digits within the call. The SSID must be within the range of 0 and 15. Please drop me a note
       if  you  know  a  valid  Amateur  Radio  callsign that does not fit this pattern _and_ can be represented
       correctly in AX.25.
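
       The callsign rules above as a small checker. This is an added example, not axspawn's own code. The
       length bounds are an assumption: they are set to 4 and 6 inclusive so that the six-character calls
       used in this page's own examples (dl9sau, n0call) pass; returning the call in upper case is also
       this example's choice.

```python
import re

# Assumption: the length limits are read as 4 to 6 characters inclusive.
MIN_CALL, MAX_CALL = 4, 6


def check_callsign(peer):
    """Return (call, ssid) if peer passes the rules described above, else None."""
    call, sep, ssid_text = peer.partition("-")
    if sep:
        # SSID must be a plain number in the range 0..15.
        if not re.fullmatch(r"[0-9]{1,2}", ssid_text) or int(ssid_text) > 15:
            return None
        ssid = int(ssid_text)
    else:
        ssid = 0
    # Only ASCII letters and digits: no path separators, dots or whitespace
    # can reach the account name derived from the call.
    if not re.fullmatch(r"[A-Za-z0-9]+", call):
        return None
    if not MIN_CALL <= len(call) <= MAX_CALL:
        return None
    # At least one digit and at most two digits within the call.
    digits = sum(ch.isdigit() for ch in call)
    if not 1 <= digits <= 2:
        return None
    return call.upper(), ssid
```

       Names without a digit, such as "root", fail the digit rule, so the callsign check alone never maps
       a peer onto such an account.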

       axspawn also supports the well-known AX.25 BBS authentication mechanisms baycom (sys) and md5.
       axspawn searches in /etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second) for a match of the
       required authentication mechanism and password. md5 and baycom passwords may differ. md5 passwords
       take precedence over baycom passwords.

       Note: you can "lock" special "friends" out by specifying an empty password in /etc/ax25/bcpasswd
       (line "n0call:md5:"). md5 passwords are then enforced for that user, but the password is shorter
       than the minimum length (8 for md5, 20 for baycom), so it can never match; the user's own password
       file is not searched because an entry was already found in /etc/ax25/bcpasswd.

       Syntax and caveats for /etc/ax25/bcpasswd:
         - Has to be a regular file (no symlink). Not world-readable/writable.
         - Example lines:
           # Thomas
           dl9sau:md5:abcdefgh
           # Test
           te1st:sys:12345678901234567890
           # root
           root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
           # misconfiguration:
           thisbadlineisignored
           # With this line
           systempasswordonly
           # .. axspawn will not look in user's homedir for his .bcpasswd

       Syntax and caveats for user's .bcpasswd in his $HOME:
         - Has to be a regular file (no symlink). Neither group- nor world-
             read-/writable. Has to be owned by the user or uid 0 (root).
         - Example lines:
           # could be shorter
           md5:abcdefgh
           # should be longer
           sys:12345678901234567890
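
       An audit helper for the two bcpasswd files, applying the syntax, minimum-length and permission
       rules listed above. This is an added example, not part of ax25-tools; the function names, the
       finding texts, the handling of extra colons and the sample content are assumptions of this example.

```python
import os
import stat

# Minimum password lengths stated above; "sys" is the baycom mechanism.
MIN_LEN = {"md5": 8, "sys": 20}

# Constructed sample using the line forms shown in this man page.
SAMPLE = """# Thomas
dl9sau:md5:abcdefgh
te1st:sys:12345678901234567890
thisbadlineisignored
systempasswordonly
n0call:md5:
"""

def audit_lines(text, system_file=True):
    """Return [(line_number, finding)]; system files carry a leading user field."""
    findings = []
    want = 3 if system_file else 2
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if system_file and line == "systempasswordonly":
            continue  # directive: ~/.bcpasswd will not be consulted
        fields = line.split(":", want - 1)  # assumption: extra colons stay in the password
        if len(fields) != want:
            findings.append((number, "malformed line, ignored"))
            continue
        mechanism, secret = fields[-2], fields[-1]
        if mechanism not in MIN_LEN:
            findings.append((number, "unknown mechanism"))
        elif len(secret) < MIN_LEN[mechanism]:
            findings.append((number, f"{mechanism} password below minimum length"))
    return findings

def audit_mode(path, owner_uid=None):
    """Return permission findings; owner_uid=None applies the /etc/ax25/bcpasswd rules."""
    st = os.lstat(path)  # lstat, so a symlink is reported rather than followed
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    forbidden = stat.S_IROTH | stat.S_IWOTH
    if owner_uid is not None:  # per-user file: group bits and ownership matter too
        forbidden |= stat.S_IRGRP | stat.S_IWGRP
        if st.st_uid not in (owner_uid, 0):
            findings.append("not owned by the user or root")
    if st.st_mode & forbidden:
        findings.append("permissions too open")
    return findings
```

       A "below minimum length" finding on the system file is either a deliberate lock-out entry, as in
       the note above, or a mistake that keeps the user from authenticating.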

OPTIONS

       -p DB0FHN or --pwprompt DB0FHN
            During baycom or md5 password authentication (see above), the password prompt is set to the
            first argument (DB0FHN in this example). This may be needed for some packet-radio terminal
            programs to detect the password prompt properly.

       -c, --changeuser
            Allow  connecting  ax25  users  to  change their username for login. They'll be asked for their real
            login name.

       -e, --embedded
            Special treatment for axspawn on embedded devices that do not conform to the standard. For
            example, OpenWrt has no true /bin/login: if you use it as a real login program, it opens a
            security hole.

       -r, --rootlogin
            Permit login as user root. Caveat: only md5 or baycom style is allowed; no plaintext password.

       --only-md5
            Insist on md5 authentication during login. If no password for the user is found, or it is not md5,
            then no other login mechanism is granted.  This option, in combination with -c  and  -r,  may  be  a
            useful  configuration  for systems where no ax25 user accounts are available, but you as sysop would
            like to have a login access for your administrative tasks.

       -w, --wait
            Eats the first line the user sends. This feature is useful if you have TCP VC connects to  the  same
            Call+SSID.  It  is  now  obsolete,  because  ax25d  is  the right place for this and implements this
            functionality better.

       These are options and not part of the preferences because you _may_ like to have a different
       behaviour for every interface definition in ax25d.conf (where axspawn is started from).

FILES

       /etc/passwd
       /etc/ax25/ax25.profile
       /etc/ax25/axspawn.conf
       /etc/ax25/bcpasswd
       ~/.bcpasswd

SEE ALSO

       axspawn.conf(5), ax25d(8).

AUTHOR

       Joerg Reuter DL1BKE <jreuter@poboxes.com>

Linux                                             13 April 2008                                       AXSPAWN(8)