md5 and sys authentication via /etc/ax25/bcpasswd and $HOME/bcpasswd.

	Documented in axspawn.8
	Thanks to Christoph <dk2crn> for contribution.

1 files changed, 71 insertions, 3 deletions

diff --git a/ax25/axspawn.8 b/ax25/axspawn.8
index ccb6934..5d6f6b0 100644
--- a/ax25/axspawn.8
+++ b/ax25/axspawn.8
@@ -2,7 +2,7 @@
 .SH NAME
 axspawn \- Allow automatic login to a Linux system.
 .SH SYNOPSIS
-.B axspawn [--wait, -w]
+.B axspawn [--pwprompt PR0MPT, -p PR0MPT] [--changeuser, -c] [--rootlogin, -r] [--only-md5] [--wait, -w]
 .SH DESCRIPTION
 .LP
 .B Axspawn
@@ -32,11 +32,75 @@ SSID). There must be at least one digit, and max. two digits within the
 call. The SSID must be within the range of 0 and 15. Please drop me a note
 if you know a valid Amateur Radio callsign that does not fit this pattern
 _and_ can be represented correctly in AX.25.
+.LP
+axspawn also has the well known authentication mechanisms of the AX.25 bbs
+.B baycom (sys)
+and
+.B md5
+standards.
+axspawn searches in /etc/ax25/bcpasswd (first) and ~user/.bcpasswd (second)
+for a match of the required authentication mechanism and password.
+md5 and baycom passwords may differ. md5 passwords gain over baycom passwords. 
+
+Note: you could "lock" special "friends" out by specifying an empty password
+in /etc/ax25/bcpasswd (line "n0call:md5:"). -> md5 Passwords are enforced. But
+the length is shorter than the minimum (len 8 for md5, len 20 for baycom);
+user's password file is not searched because in /etc/ax25/bcpasswd its already
+found..
+
+Syntax and caveeats for /etc/ax25/bcpasswd: 
+  - Has to be a regular file (no symlink). Not world-readable/writable.
+  - Example lines:
+    # Thomas
+    dl9sau:md5:abcdefgh
+    # Test
+    te1st:sys:12345678901234567890
+    # root
+    root:md5:ziz7AoxuAt6jeuthTheexet0uDa9iefuAeph3eelAetahmi0
+    # misconfiguration:
+    thisbadlineisignored
+    # With this line
+    systempasswordonly
+    # .. axspan will not look in user's homedir for his .bcpasswd
+
+Syntax and caveeats for user's .bcpasswd in his $HOME:
+  - Has to be a regular file (no symlink). Neither group- nor world-
+      read-/writable. Has to be owned by the user or uid 0 (root).
+  - Example lines:
+    # could be shorter
+    md5:abcdefgh
+    # should be longer
+    sys:12345678901234567890
+
 .SH OPTIONS
 .TP 5
+.B -p DB0FHN or --pwprompt DB0FHN
+While baycom or md5 password authentication (see above), the password prompt
+is set to the first argument (DB0FHN in this example). This may be needed
+for some packet-radio terminal programs for detecting the password prompt
+properly.
+.TP 5
+.B -c, --changeuser
+Allow connecting ax25 users to change their username for login. They'll be
+asked for their real login name. 
+.TP 5
+.B -r, --rootlogin
+Permit login as user root. Cave: only md5 or baycom style is allowed; no
+plaintext password.
+.TP 5
+.B --only-md5
+Insist in md5 authentication during login. If no password for the user is
+found, or it is not md5, then no other login mechanism is granted.
+This option, in combination with -c and -r, may be a useful configuration for
+systems where no ax25 user accounts are available, but you as sysop would
+like to have a login access for your administrative tasks.
+.TP 5
 .B -w, --wait
-Disables the prompting for a password if the password entry in /etc/passwd
-is either a \(lq+\(rq or blank.
+Eats the first line the user sends. This feature is useful if you have
+TCP VC connects to the same Call+SSID. It is now obsolete, because
+ax25d is the right place for this and implements this functionality better.
+.TP 5
+Theses are options and not part of the preferences because you _may_ like to have on every interface definition in ax25d.conf (where axspawn is started from) a different behaviour.
 .SH FILES
 .nf
 /etc/passwd
@@ -45,6 +109,10 @@ is either a \(lq+\(rq or blank.
 .br
 /etc/ax25/axspawn.conf
 .fi
+/etc/ax25/bcpasswd
+.fi
+~/.bcpasswd
+.fi
 .SH "SEE ALSO"
 .BR axspawn.conf (5),
 .BR ax25d (8).