TIP: Click on subject to list as thread! ANSI
echo: novell
to: ALL
from: Mike
date: 1995-12-09 00:00:00
subject: Re: bypassing login/password prompt from netware 3.xx?
From: Mike 
Subject: Re: bypassing login/password prompt from netware 3.xx?
Date: 1995/12/09
Message-ID: #1/1
references:      
to: mboyum@james.scs.no
content-type: text/plain; charset=us-ascii
organization: SIG NET
mime-version: 1.0
newsgroups: comp.os.netware.misc,bit.listserv.novell,fido.novell,comp.os.netware.connectivity,comp.sys.novell
x-mailer: Mozilla 1.22 (Windows; I; 16bit)

Magne Boyum  wrote:
>Richard Finegold wrote:
>>
>> Heinz Wieczorek  wrote:
>> >login username >
>> With what version of LOGIN.EXE are you able to do this?  This doesn't
>> work for me with 3.75; it completely ignores the password and acts
>> like I typed in an incorrect password.
>
>If you try doing a pipe instead this works fine with every version of
LOGIN.EXE:
>
>echo password|login username
>             ^ This is the pipe-character with NO spaces before or after
it.

Every approach to this problem has some drawbacks.

The drawback to piping the password is that if anything goes wrong, and
from time to time it does, the PC is locked up, ignoring the keyboard.

A better solution is to use the "KEYSTUFF.COM" program.  It puts it's
arguments into the keyboard buffer and adjusts the need pointers so the
next call to the get key routines will retrieve what was stuffed.

KEYSTUFF is available from PC-Magazine, I think.  It's a 58 byte program,
and it is not a TSR.

In a batch file you'd have commands something like this.....

keystuff dogface~
login backdoorman

When login needed a password, "dogface" with a carraige return would be
there.

Since I said that there are disadvantages to every approach, let me
explain the disadvantages to this one.  The keyboard buffer is normally
limited to 15 bytes, so the length of the password is limited.  If
utilities are used to increase the size of the keyboard buffer, a simple
program like KEYSTUFF might not recognize the changed situation and be
able to deal with it appropriately.

If you can't find KEYSTUFF, just send me an email with the subject "GET
STUFFED" and I'll send it to you.

I first wrote this several days ago, but my news server had run out of 
disk space, and was rejecting new messages, so I saved the message and 
waited.  While I waited, another thought came to me.  Why not have an 
account with no password?  If you limit the number of simultaneous logins 
to the appropriate number and/or limit the physical nodes that the 
account may login from, you have restricted the access.  The password on 
the account isn't really keeping anyone who knows what's going on out of 
the account..... they just need to go to that machine and examine the 
batch files.  So, security is not really weakened by using other limits 
on the appropriate accounts.  The only drawback to this approach is that 
if the NIC is changed in the PC, you need to also change the list of 
allowable machines, and you may also need to change the network, if you 
move the machines to different network segments or change the network 
address of a segment.


Hope these comments are of some use,
Mike
SOURCE: echoes via archive.org

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.