|
|
| Author |
Message |
| 25 new of 467 responses total. |
cross
|
|
response 25 of 467:
| 
Dec 28 00:51 UTC 2003 |
Customizing grex too much makes me cringe. Things like login changes scare
me a little. Are they slightly more friendly? Yeah, maybe. Do many users
notice? Probably not. Is it worth integrating changes into login every
time we upgrade grex? I should think definitely not.
|
janc
|
|
response 26 of 467:
|
Dec 28 02:04 UTC 2003 |
It's a definite trade off.
Our past experience was that changing "login incorrect" to a more specific
message, like "login does not exist" or "password incorrect" or "account
locked" reduced the number of requests for help to staff significantly and
also made the help requests substantially less confused. That meant that
the problem could often be solved in one interation, instead of having to
write back and forth a few times before you and the user had figured out
why they couldn't log in.
I think login actually prints a few lines of explanation for things like
locked accounts, together with a url of a page that explains more.
So it's a fairly simple change to 'login' that results in a substantial
reduction in staff time needed to support users.
I package things like this up as a patch applied to the stock login
code. Odds are reasonably good that the patch will apply cleanly in the
next release. Eventually it will fail and need to be fixed up manually.
Such is life.
I think this is a mod worth the effort.
|
janc
|
|
response 27 of 467:
|
Dec 28 02:10 UTC 2003 |
I checked that backtalk, party and orville write all handle long login names.
They do. Good work on my part. I thought for sure party would have problems,
but it's fine.
Some of the stock utilities are less than brilliant. Here's finger output:
Login Name Tty Idle Login Time Office Office Phone
bhoward Bruce Howard p4 49 Sat 20:03 Tokyo
cross Dan Cross p0 49 Thu 21:53
gelinas Joe Gelinas p3 - Sat 20:53
janc Jan Wolter p1 49 Sat 01:34
janc Jan Wolter p2 - Fri 12:31
userwithaverylongname User With a Very Lon *p5 - Sat 20:19
I'd have tried harder to keep the columns lined up, truncating gecos more
if necessary, like this:
Login Name Tty Idle Login Time Office Office Phone
bhoward Bruce Howard p4 49 Sat 20:03 Tokyo
cross Dan Cross p0 49 Thu 21:53
gelinas Joe Gelinas p3 - Sat 20:53
janc Jan Wolter p1 49 Sat 01:34
janc Jan Wolter p2 - Fri 12:31
userwithaverylongname User Wi *p5 - Sat 20:19
I'm tempted to set newuser's limit at something like 14. This would be
no help at all with code problems, but it'd avoid some ugliness in screens
formatted with the assumption that login names aren't too long.
|
gelinas
|
|
response 28 of 467:
|
Dec 28 02:19 UTC 2003 |
I, too, think the changes are worth the effort.
|
cross
|
|
response 29 of 467:
|
Dec 28 02:31 UTC 2003 |
Similarly, the output of `w' is ugly, as is that of `who'. And are we
going to modify every utility to deal with our own non-standard login
name sizes?
Has the lack of support for login names longer than eight characters ever
been recognized as a problem before? And if not, why not just leave
the limit at eight? It's what most of the rest of the world assumes;
why make bother being different if it's not a real problem? If it ain't
broke, don't fix it.
About the login mods....I read the staff mailing list. Usually, the
questions from people who's accounts have been locked say things along
the lines of, ``Why can't I login? It says account locked; what gives?''
It strikes me that a quick `grep' can be just as effective in figuring
out what's going on with a user. Perhaps a `userstat' command that
picks out information and recent actions about and on an account would
be helpful (actually, I think it'd be helpful regardless of whether the
login mods stay or not). Changing a user's shell to a program that just
prints out a message and logs them out would be just as effective and
certainly more durable than a patch to login. At anyrate, I don't buy
the argument that patching login saves staff a lot of work.
|
cross
|
|
response 30 of 467:
|
Dec 28 02:31 UTC 2003 |
Joe slipped in.
|
gelinas
|
|
response 31 of 467:
|
Dec 28 03:06 UTC 2003 |
From what I've seen above, the only "modification" needed for long names
is setting a constant.
I've listened to arguments, on other other systems, about customised login
error messages. In general, the customised messages have made life easier
for the users, especially when there are several different reasons for
any particular account to not work. For example:
Your password is correct but you are not authorised to use
this service
Another change was occasioned by the proliferation of a .login trojan
that mimicked the standard failed-login sequence and then collected the
re-entered password and mailed it off to the 'bad guys.' Changing the
error message helped alert users to the real problem and let us track
down the modified files, e'en if we didn't find the perpetrators.
(I'm fairly certain that the trojan was spread as an IRC client: "Telnet
here, log in with this name and password, and it will install IRC on
your account.")
|
cross
|
|
response 32 of 467:
|
Dec 28 04:48 UTC 2003 |
I've usually handled the ``you can't login to this server'' thing
with a special shell. In fact, I wrote one once that did the job
pretty well. I can kind of see the thwarting trojans thing, but
I'm not convinced it's that much of a win.
|
janc
|
|
response 33 of 467:
|
Dec 28 13:58 UTC 2003 |
OpenBSD by default allows 31 character logins. No modification to the
system is needed to do that. If we want shorter logins, then we just
don't issue long ones. That's mostly up to newuser.
Unixes with longer logins are not that unusual these days. I would
expect just about any modern, actively maintained software package to
include support. Where we are likely to find problems is more in
locally written packages that aren't widely distributed. The ones I'd
most worry about are Picospan and Marcus's old sendmail.
I haven't seen people complain about the 8 character limit, but I've
seen hundreds of logins like "unixwzrd" that are in themselves an
implicit complaint about short logins. I myself use logins like
"janwolter" on many sites. So far we haven't run across any software
that has real problems with long logins. If we do, it's a trivial
change to newuser to not issue long logins. But I'm hoping we can run
with them.
|
janc
|
|
response 34 of 467:
|
Dec 30 05:28 UTC 2003 |
Finished web-newuser. I've placed password protection on the entire cgi-bin
directory so it can't be run by non-staff yet.
All source and install scripts and instructions are in CVS.
|
janc
|
|
response 35 of 467:
|
Dec 30 06:12 UTC 2003 |
Installed idled from ports tree and set up a config file for it similar to
the one on old Grex. Haven't tested it or put it into an rc file yet.
|
janc
|
|
response 36 of 467:
|
Dec 30 06:42 UTC 2003 |
Added a TO_DO file to the CVS archive. Current contents:
--------------------------------------------------------------------------
Disk Quotas -
Somebody set these up on the openbsd 3.3, but I forgot who and have not
got around to searching for the documentation that I think was posted to
the bbs.
- Needs to get into the document archive
- Newuser needs to be modified to initialize quotas correctly.
Fork Bomb Killer -
On Grex this is a kernal mod that kills all a user's processes if he tries
to get too many. An equivalent for OpenBSD would be nice.
Login Mods -
Grex's login program gives more friendly error messages than the stock one.
Are there other mods?
Queuing Telnet Daemon -
We are probably going to skip this
Mail Modifications -
Various customizations to sendmail and mailers:
- Hierarchical mail directories
- mailbox size quotas
- spam filters
Robocop -
Needs to be ported. bhoward is looking at it.
Newuser/web-newuser -
mostly done. Quota code needs work.
Picospan
Menu shell
Help/Change scripts -
How many of these have been done?
Zapuser, lockuser -
Joe is looking at these.
----------------------------------------------------------------------------
There's probably a lot I am forgetting.
|
naftee
|
|
response 37 of 467:
|
Dec 30 18:55 UTC 2003 |
ftp daemon? IRC server?
|
remmers
|
|
response 38 of 467:
|
Dec 30 22:17 UTC 2003 |
(Just for funzies, I ran useradd on the CVS server and created a longish
login id. Yep, it actually did it. Yep, the output of "who" looks sucky.)
|
naftee
|
|
response 39 of 467:
|
Dec 31 02:07 UTC 2003 |
Show us!
|
gelinas
|
|
response 40 of 467:
|
Dec 31 05:29 UTC 2003 |
I don't think I'm going to be able to fix zapuser. As Jan indicated
somewhere, it's probably going to need a thorough re-write.
|
remmers
|
|
response 41 of 467:
|
Dec 31 14:04 UTC 2003 |
Re #39:
remmers ttyp0 Dec 31 08:53
thisisalongloginid ttyp1 Dec 31 08:54
johnremmers ttyp2 Dec 31 08:57
|
naftee
|
|
response 42 of 467:
|
Dec 31 17:54 UTC 2003 |
re 41 You're right, that's horrible
|
jlamb
|
|
response 43 of 467:
|
Jan 2 00:45 UTC 2004 |
This response has been erased.
|
gelinas
|
|
response 44 of 467:
|
Feb 1 07:42 UTC 2004 |
It's been a while since any one has said anything here. In the interim, we
have:
enabled quotas
set up and started named
started moving the scripts from /usr/local/grex-scripts
made progress on zapuser (thank you, janc. :)
started transferring the grex web site
(try: http://grease.cyberspace.org/ )
and probably some other things I've forgotten.
|
albaugh
|
|
response 45 of 467:
|
Feb 4 18:18 UTC 2004 |
Where was this linked from?
|
cmcgee
|
|
response 46 of 467:
|
Feb 4 18:29 UTC 2004 |
I just linked this item from garage at the request of a garage participant,
gelinas.
|
gelinas
|
|
response 47 of 467:
|
Feb 4 19:03 UTC 2004 |
(And it was linked _to_ coop. Thank you, cmcgee. :)
|
drew
|
|
response 48 of 467:
|
Feb 4 22:08 UTC 2004 |
Re way back there: Anyone ever considered eliminating case sensitivity in
logins?
|
gelinas
|
|
response 49 of 467:
|
Feb 4 22:17 UTC 2004 |
I think all are agreed that it is NOT a good idea to have Drew, DREW and
drew refer to more than one person.
|
