
                      UPMLOGIN V1.01 Readme
                      ====================

Contents
========
1. What is the UPMLOGIN package for?
2. Install and configure TNLOGIN
3. Prerequisites/Restrictions/Limitations
4. Freeware license
5. Disclaimer
6. Check the archive integrity with
   Pretty Good Privacy (PGP)
7. Author




1. What is the UPMLOGIN package for?
====================================

UPMLOGIN provides a replacement program for TNLOGIN.EXE.  This
program is part of the IBM TCP/IP package and verifies the
password for telnet logins.  The default TNLOGIN program has
several shortcomings.  First of all, it reads the telnet login
password from an environment variable.  That means that anyone
who has had read access to the CONFIG.SYS of the machine even
once knows the password for telnet logins.  Moreover, there is
no real user verification: only a single password can be
configured instead of a userid/password combination.

There are several TNLOGIN replacements. Some of them use the
unix-like passwd file, but this one uses the local User Profile
Management of a Peer or a File and Print Client installation or
a LAN/WARP Server Client. That way you can configure users in
the UPM GUI.

Another option is to verify the userid/password combination
against the User Profile Management of the default domain of the
workstation that hosts the telnet server (see next section).
This enables users to always log in with their current LAN/WARP
Server logon password.



2. Install and configure TNLOGIN
================================

Run install.cmd to install the UPMLOGIN package into
your TCP/IP program directory and the %ETC% directory.
In addition, a WPS folder with some program objects is created,
which gives you direct access to the message files, the
log files and the User Profile Management.

INSTALL.CMD makes a backup copy of your old TNLOGIN.EXE before
it copies the replacement over it.

Then you have to configure the telnet login users (and, if you
like, additional restrictions for telnet login) in the "User
Profile Management" (UPM) of OS/2. See the following feature
list for details.

UPMLOGIN comes with English and German National Language Support.
If your TCP/IP is a German version, the German NLS will be
installed. Otherwise the English NLS will be installed.


Features:
---------

  Autodisplay of textfiles
  ------------------------
  - the contents of the file %ETC%\issue are displayed before a
    login, if it exists.
  - the contents of the file %ETC%\motd (motto of the day) are
    displayed after a successful login, if it exists.

  UPMLOGIN comes with two default files. You may want to either
  delete both files, clear their contents, or edit them to change
  the text to something meaningful.


  Logging facility for login attempts
  -----------------------------------
  - good logins are logged to %ETC%\tnlogin.log
  - bad logins are logged to %ETC%\tnlogin.err


  Login error handling
  --------------------
  - In case of an error, TNLOGIN waits for 5 seconds after login,
    so that one can read the error message before telnetd
    clears the screen. If you configured all or certain users
    for debug output (see below), TNLOGIN waits for a key press
    instead of the 5 second delay.


  Domain, Group Membership and Privilege Verification
  ---------------------------------------------------

  TNLOGIN searches the local UPM for a special configuration
  user account named TNUSER and a special group TNLOGIN. If
  neither exists, no verification takes place other than that of
  the userid/password combination. The following section
  explains how the TNUSER account and the TNLOGIN group within
  the local UPM are used to configure additional group
  membership and privilege verification.

  TNLOGIN also searches for the following special groups:

   - TNLOGIN_VERIFYDOMAIN
     If the TNUSER configuration user account is a member of
     that group, the userid/password combination is verified
     against the default domain of the workstation hosting the
     telnet server. This enables users to always log in with
     their current LAN/WARP Server logon password. In order to
     verify only certain users against the domain, do not add
     TNUSER to that group, but make only those users members of
     the TNLOGIN_VERIFYDOMAIN group.

   - TNLOGIN_VERIFYLOCAL
     Normally you do not need this group, because local
     verification is the default. This group is useful if you
     want TNLOGIN to verify most users against the domain (thus
     you add TNUSER to the TNLOGIN_VERIFYDOMAIN group), but let
     a few be verified locally. For that, add only those users
     to the group TNLOGIN_VERIFYLOCAL.

   - TNLOGIN_DEBUG
     If the TNUSER configuration user account is a member of
     that group, additional debug information is displayed
     during login for all users and a pause command is executed
     after a login error. If you make only certain users members
     of this group, the additional debug information is
     displayed and the pause command executed only for them.

  Note:
  -----
   - All group membership verifications are done against the
     local UPM, even when domain verification is activated for
     the userid/password combination.

   - The TNUSER configuration account in the local UPM may be an
     inactive dummy account.

     Likewise, if a user needs to be a member of a local group,
     an inactive dummy account for that user within the local
     UPM is sufficient.

   - When using TNLOGIN on server machines, the local UPM is
     identical to the domain UPM. Always use local verification
     here, so that a (GUEST) logon is not required.



  The following is required for a successful telnet login:
  ........................................................

  -> if the group TNLOGIN exists, a user must be a member of
     this group.

  -> if the configuration user account TNUSER exists, a login
     user must be in one of the groups of which the TNLOGIN
     account is a member.

     Exceptions to this rule are the system groups (ADMINS and
     USERS) and the special groups TNLOGIN_*

     If TNLOGIN is not a member of any group other than the
     system groups and the special TNLOGIN_* groups, this
     verification is skipped completely.

  -> if the TNLOGIN account is an administrator, a login user
     also needs to be an admin.

  -> Normally all userid/password combinations are verified
     against the local UPM. If the configuration user account
     TNUSER is a member of a special group named
     TNLOGIN_VERIFYDOMAIN, all userid/password combinations are
     verified against the default domain of the workstation
     that hosts the telnet server. (Hint: IBMLAN.INI
     contains the name of the default domain.)

     If only certain users are members of the group
     TNLOGIN_VERIFYDOMAIN, only those users' logins are verified
     against the domain.

     Domain verification requires a domain logon on the system
     hosting the telnet server. If no logon is currently active,
     TNLOGIN tries to log on the GUEST id with no password. This
     logon is left active afterwards, so that a subsequent
     TNLOGIN does not need to log on again.

     If you want all users to be verified against the domain,
     but let a few be verified locally, let TNUSER be a member
     of TNLOGIN_VERIFYDOMAIN, but add those exceptions to the
     special group TNLOGIN_VERIFYLOCAL.
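
The login rules listed above, modelled as an added example in Python (this is not code from the UPMLOGIN package). The local UPM is a constructed dictionary, the users and the group OPERATORS are hypothetical, and "the TNLOGIN account" in the rules is read as the TNUSER configuration account, which is an assumption.

```python
SYSTEM_GROUPS = {"ADMINS", "USERS"}

def groups_of(name, upm):
    """Names of all local UPM groups that list `name` as a member."""
    return {g for g, members in upm["groups"].items() if name in members}

def is_exempt(group):
    """System groups and the special TNLOGIN_* groups are ignored
    when the login user's groups are compared with those of TNUSER."""
    return group in SYSTEM_GROUPS or group.startswith("TNLOGIN_")

def verification_target(user, upm):
    """Where the userid/password combination is checked: 'domain' or 'local'."""
    if "TNUSER" in upm["groups"].get("TNLOGIN_VERIFYDOMAIN", set()):
        # Everyone is verified against the domain, except members
        # of TNLOGIN_VERIFYLOCAL.
        return "local" if "TNLOGIN_VERIFYLOCAL" in groups_of(user, upm) else "domain"
    return "domain" if "TNLOGIN_VERIFYDOMAIN" in groups_of(user, upm) else "local"

def refusal_reasons(user, upm):
    """Group and privilege checks, always against the local UPM.
    An empty list means the login is allowed once the password matched."""
    reasons = []
    if "TNLOGIN" in upm["groups"] and "TNLOGIN" not in groups_of(user, upm):
        reasons.append("not a member of TNLOGIN")
    if "TNUSER" in upm["accounts"]:
        required = {g for g in groups_of("TNUSER", upm) if not is_exempt(g)}
        # The group comparison is skipped if TNUSER is only in exempt groups.
        if required and not required & groups_of(user, upm):
            reasons.append("shares no group with TNUSER")
        if "TNUSER" in upm["admins"] and user not in upm["admins"]:
            reasons.append("not an administrator")
    return reasons

# Constructed sample contents of a local UPM (not taken from a real system).
UPM = {
    "accounts": {"TNUSER", "ALICE", "BOB", "CAROL", "DAVE"},
    "admins": {"ALICE"},
    "groups": {
        "TNLOGIN": {"ALICE", "BOB", "CAROL"},
        "OPERATORS": {"TNUSER", "ALICE", "BOB"},
        "TNLOGIN_VERIFYDOMAIN": {"TNUSER"},
        "TNLOGIN_VERIFYLOCAL": {"BOB"},
    },
}

if __name__ == "__main__":
    for u in ("ALICE", "BOB", "CAROL", "DAVE"):
        print(u, verification_target(u, UPM), refusal_reasons(u, UPM) or "allowed")
```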


     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
             See my homepage for further details
                  about configuring UPMLOGIN !
     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



3. Prerequisites/Restrictions/Limitations
=========================================

This package requires one of the following TCP/IP packages to be
installed:

- IBM TCP/IP for OS/2
- Internet Access Kit for OS/2


Further, one of the following client packages is required:

For OS/2 WARP 3:
- Peer Client for OS/2

For OS/2 WARP 4:
- File and Print Client

or for all OS/2 versions:
- LAN/WARP Server Client for OS/2


Note:
-----
- For verification against a LAN/WARP Server domain, a GUEST
  account without a password must be defined in that
  domain.

- One cannot log in through TNLOGIN using the GUEST account,
  because GUEST accounts normally do not have a password.

- To enable you to create the special groups
  TNLOGIN_VERIFYDOMAIN and TNLOGIN_DEBUG, the installation
  program calls the UPMCSET utility of the User Profile
  Management in order to activate the extended character set.
  This is required to allow both underscores and names longer
  than eight characters to be used.

  If you wish, you can reset to the minimal character set again
  after having created those special groups, because the
  character set in use is only checked during the creation of
  user and group names. To reset to the minimal character set,
  execute the following command:

  UPMCSET /M



4. Freeware license
===================

This software package is freeware.
It can be used wherever you use OS/2 WARP Version 3 or later.

You are allowed to freely use and distribute UPMLOGIN as long as

 -  UPMLOGIN is not sold as a part of another program package;
 -  no fee is charged for the program other than for cost of
    media;
 -  the complete package is distributed unmodified in the
    original and unmodified zip file;
 -  you send me some e-mail telling me how you liked it (or
    didn't like it), and/or your suggestions for enhancements.



5. Disclaimer
=============

Since this program is free, it is supplied with no warranty,
either expressed or implied.

I disclaim all warranties for any damages, including, but not
limited to, incidental or consequential damage caused directly
or indirectly by this software.

All software is supplied AS IS. You may use the UPMLOGIN package
only at your own risk.

UPMLOGIN must not be used in states that do not allow the above
limitation of liability.




6. Check the archive integrity with
   Pretty Good Privacy (PGP)
===================================

On my homepage I provide a detached signature certificate
with which you can verify that you downloaded an unmodified
version of this archive.

See my web pages also
- for links to PGP sites, where you can obtain further
  information on what PGP is and how you can install and use it
  under OS/2
- for a manual on how to use PGP with such signature
  certificates.

See section "Author" for the location of my homepage.



7. Author
=========

This program was written by Christian Langanke.

You can contact the author via internet e-mail.

Send your e-mail to C.Langanke@TeamOS2.de

You can also visit my home page and download more free OS/2
utilities at:

     http://www.online-club.de/m1/clanganke

