<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3D.k">
<TITLE>The Answer Guy 55: Remote Login as 'root': Don't do it! (Except using SSH or ...)</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
LinuxCare,
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
</H4>
</center>

<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 13 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Remote Login as 'root': Don't do it! (Except using SSH or ...)</H3>

<p><strong>From michael.rees on Wed, 07 Jun 2000
</strong></p>
<!-- ::
Remote Login as 'root': Don't do it! (Except using SSH or ...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
Hi,
Sorry to bother you
but could you help me with the following??
</STRONG></P>
<P><STRONG>
i am running red hat linux 6.1 and am encountering some problems
i can login as root from the console but not from anywhere else
</STRONG></P>
<P><STRONG>
i have to login as webmaster on all other machines on ntwk
</STRONG></P>
<P><STRONG>
from nowhere, including the console, can i su once logged in as webmaster
</STRONG></P>
<P><STRONG>
any help would be appreciated
</STRONG></P>
<P><STRONG>
Regards,
Michael
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Your system is enforcing a very reasonable policy by preventing
direct 'root' logins from over the network.
</BLOCKQUOTE>
<BLOCKQUOTE>
The best way to circumvent this policy is to use one of the
implementations of SSH (the original SSH by Tatu Ylonen, now owned
and commercially available from DataFellows Inc
<A HREF="http://www.datafellows.com"
>http://www.datafellows.com</A>, or OpenSSH <A HREF="http://www.openssh.com"
>http://www.openssh.com</A> <TT>---</TT>
which is ironically at a .com rather than a .org domain, or the
GPL'd lsh at <A HREF="http://www.net.lut.ac.uk/psst"
>http://www.net.lut.ac.uk/psst</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Any of these should allow you to access your system through
cryptographically secured authentication and session protocols that
protect you from a variety of sniffing, spoofing, TCP hijacking and
other vulnerabilities that are common using other forms of remote
shell access (such as telnet, and the infamous rsh and rlogin
packages).
</BLOCKQUOTE>
<BLOCKQUOTE>
If you really insist on eliminating these policies from your
system you can edit files under <TT>/etc/pam.d</TT> that are used to
configure the options and restrictions of the programs that are
compiled against the PAM (pluggable authentication modules)
model and libraries. Here's an example of one of them
(<TT>/etc/pam.d/login</TT> which is used by the in.telnetd service):
</BLOCKQUOTE>

<blockquote><pre>#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth requisite pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth required pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth required pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth required pam_unix.so nullok

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth optional pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Standard Un*x account and session
account required pam_unix.so
session required pam_unix.so

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session optional pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password required pam_unix.so nullok obscure min=4 max=8

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
</pre></blockquote>
<BLOCKQUOTE>
This is from my <A HREF="http://www.debian.org/">Debian</A> laptop (mars.starshine.org) and thus has
far more comments (all those lines starting with "#" hash marks)
than those that <A HREF="http://www.redhat.com/">Red Hat</A> installs. It's good that Debian comments
these files so verbosely, since that's practically the only
source of documentation for PAM files and modules.
</BLOCKQUOTE>
<BLOCKQUOTE>
In this case the entry that you really care about is the
one for 'securetty.so'. This module checks the file
<TT>/etc/securetty</TT> which is classically a list of those terminals
on which your system will allow direct root logins.
</BLOCKQUOTE>
<BLOCKQUOTE>
You could comment out this line in <TT>/etc/pam.d/login</TT> to
disable this check for those services which call the
<TT>/bin/login</TT> command. You can look for similar lines in
the various other <TT>/etc/pam.d</TT> files to see which other
services are enforcing this policy.
</BLOCKQUOTE>
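<BLOCKQUOTE>
One way to check which services enforce a given module, shown here as an
added example that is not part of the original column. The function names
<TT>pam_services_using</TT> and <TT>make_sample_pamd</TT> are hypothetical, and
the sample directory is constructed to stand in for <TT>/etc/pam.d</TT>:
</BLOCKQUOTE>

```sh
#!/bin/sh
# Added example (not from the original column): list the PAM service files
# that carry an ACTIVE (uncommented) line for a given module.

# pam_services_using MODULE [DIR]
# Prints "service<TAB>type<TAB>control" for each uncommented line naming MODULE.
pam_services_using() {
    module=$1
    dir=${2:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v mod="$module" -v svc="${f##*/}" '
            /^[ \t]*#/ { next }   # commented out: policy is not enforced
            {
                # Fields are: type control module-path [args]. A bracketed
                # control such as [success=ok default=bad] spans several
                # fields, so search for the module from field 3 onward.
                for (i = 3; i <= NF; i++) {
                    n = split($i, part, "/")
                    if (part[n] == mod) {
                        ctl = $2
                        for (j = 3; j < i; j++) ctl = ctl " " $j
                        printf "%s\t%s\t%s\n", svc, $1, ctl
                        next
                    }
                }
            }' "$f"
    done
}

# Constructed sample directory standing in for /etc/pam.d.
make_sample_pamd() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# login service' 'auth requisite pam_securetty.so' \
        'auth required pam_unix.so nullok' > "$d/login"
    printf '%s\n' '# auth required pam_wheel.so' \
        'auth sufficient pam_rootok.so' > "$d/su"
    printf '%s\n' 'auth required pam_unix.so' > "$d/ssh"
    printf '%s\n' \
        'auth [success=ok default=bad] /lib/security/pam_wheel.so group=staff' \
        > "$d/xdm"
    printf '%s\n' "$d"
}

sample=$(make_sample_pamd)
echo "pam_securetty.so enforced by:"; pam_services_using pam_securetty.so "$sample"
echo "pam_wheel.so enforced by:";     pam_services_using pam_wheel.so "$sample"
rm -rf "$sample"
```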
<BLOCKQUOTE>
This leads us to the question of why your version of 'su'
is not working. Red Hat's version of 'su' is probably
also "PAMified" (almost certainly, in fact). So there
should be a <TT>/etc/pam.d/su</TT> file that controls the list of
policies that your copy of 'su' is checking. You should
look through that to see why 'su' isn't allowing your
'webmaster' account to become 'root'.
</BLOCKQUOTE>
<BLOCKQUOTE>
It seems quite likely that your version of Red Hat contains
a line something like:
</BLOCKQUOTE>

<blockquote><pre># Uncomment this to force users to be a member of group root
# before than can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
</pre></blockquote>
<BLOCKQUOTE>
Classically the 'su' commands on most versions of UNIX
required that a user be in the "wheel" group in order to
attain 'root'. The traditional GNU implementation did not
enforce this restriction (since rms found it distasteful).
</BLOCKQUOTE>
<BLOCKQUOTE>
On my system this line was commented out (which is presumably
the Debian default policy, since I never fussed with that
file on my laptop). I've uncommented it here for this example.
</BLOCKQUOTE>
<BLOCKQUOTE>
Note that one of the features of PAM is that it allows you
to specify any group using a command line option. It defaults
to "wheel" because that is an historical convention. You can
also use the pam_wheel.so module on any of the PAMified
services <TT>---</TT> so you could have programs like 'ftpd' or
'xdm' enforce a policy that restricted their use to members
of arbitrary groups.
</BLOCKQUOTE>
<BLOCKQUOTE>
Finally note that most recent versions of SSH have PAM support
enabled when they are compiled for Linux systems. Thus you
may find, after you install any version of SSH, that you have
an <TT>/etc/pam.d/ssh</TT> file. You may have to edit that to set some
of your preferred SSH policies. There is also an sshd_config
file (mine's in <TT>/etc/ssh/sshd_config</TT>) that will allow you to
control other ssh options.
</BLOCKQUOTE>
<BLOCKQUOTE>
In general the process of using ssh works something like this:
</BLOCKQUOTE>
<BLOCKQUOTE><ol>
<li>Install the sshd (daemon) package on your servers (the systems
that you want to access).
<li> Install the ssh client package on your clients (the systems
from which you'd like to initiate your connections).
<li> Generate Host keys on all of these systems (normally done
for you by the installation).
</ol></BLOCKQUOTE>
<BLOCKQUOTE>
.... you could stop at this point, and just start using the
ssh and slogin commands to access your remote accounts using
their passwords. However, for more effective and convenient use
you'd also:
</BLOCKQUOTE>
<BLOCKQUOTE><ol start="4">
<li> Generate personal key pairs for your accounts.
<li> Copy/append the identity.pub (public) keys from
each of your client accounts into the <tt>~/.ssh/authorized_keys</tt>
files on each of the servers.
</ol></BLOCKQUOTE>
<BLOCKQUOTE>
This allows you to access those remote accounts without using
your passwords on them. (Actually sshd can be configured to
require the passwords AND/OR the identity keys, but the default
is to allow access without a password if the keys work).
</BLOCKQUOTE>
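<BLOCKQUOTE>
Step 5 above, run on the server side, as an added example that is not part
of the original column. <TT>install_pubkey</TT> is a hypothetical helper name,
and the key line is a constructed placeholder rather than a real key:
</BLOCKQUOTE>

```sh
#!/bin/sh
# Added example (not from the original column): append a public key to
# authorized_keys safely. install_pubkey is a hypothetical helper name.

# install_pubkey PUBFILE [SSHDIR]
install_pubkey() {
    pub=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    [ -s "$pub" ] || { echo "no key material in $pub" >&2; return 1; }
    # Only the .pub half ever leaves the client; refuse a private key file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 1
    fi

    # OpenSSH's StrictModes check refuses key files that group or others
    # can write, so create the directory and file owner-only.
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Append each key line once, so re-running never duplicates entries.
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pub"
}

# Constructed placeholder key line (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD webmaster@client'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo/identity.pub"
install_pubkey "$demo/identity.pub" "$demo/dot-ssh"
install_pubkey "$demo/identity.pub" "$demo/dot-ssh"   # second run adds nothing
echo "keys installed: $(grep -c . "$demo/dot-ssh/authorized_keys")"
rm -rf "$demo"
```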
<BLOCKQUOTE>
Another element you should be aware of is the "passphrases" and
the ssh-agent. Basically it is normal to protect your private
key with a passphrase. This is sort of like a password <TT>---</TT> but
it is used to decrypt or "unlock" your private key. Obviously
there isn't much added convenience if you protect your private
key with a passphrase so that you have to type that every time
you use an ssh/slogin or scp (secure remote copy) command.
</BLOCKQUOTE>
<BLOCKQUOTE>
ssh-agent allows you to start a shell or other program, unlock
your identity key (or keys), and have all of the ssh commands
you run from any of the descendants of that shell or program
automatically use any of those unlocked keys. (The advantage
of this is that the agent automatically dies when you exit the
shell program that you started. That automatically "locks" the
identity <TT>---</TT> sort of.)
</BLOCKQUOTE>
<BLOCKQUOTE>
There are a lot of other aspects to ssh. It can be used to
create tunnels, through which one can carry all sorts of
traffic. People have created PPP/TCP/IP tunnels that run
through ssh tunnels to support custom VPNs (virtual private
networks). When run under X, ssh automatically performs
"X11 forwarding" through one of these tunnels. This
is particularly handy for running X clients on remote systems
beyond a NAT (IP Masquerading) router or through a proxying
firewall.
</BLOCKQUOTE>
<BLOCKQUOTE>
In other words ssh is a very useful package quite apart from
its support for cryptographic authentication and encryption.
</BLOCKQUOTE>
<BLOCKQUOTE>
In fairness I should point out that there are a number of
alternatives to ssh. Kerberos is a complex and mature suite
of protocols for performing authentication and encryption.
STEL is a simple daemon/client package which functions just
like telnetd/telnet <TT>---</TT> but with support for encrypted sessions.
And there are SSL-enabled versions of telnet and ftp daemons and
clients.
</BLOCKQUOTE>
<BLOCKQUOTE>
Another issue where I talked a bit about crypto software
available for Linux:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQuote>
<A HREF="http://www.linuxgazette.com/issue35/tag/crypto.html"
>http://www.linuxgazette.com/issue35/tag/crypto.html</A>
</BLOCKQuote></BLOCKQUOTE>
<BLOCKQUOTE>
Another issue where I answer questions about remote root
logins:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQuote>
<A HREF="http://www.linuxgazette.com/issue35/tag/remoteroot.html"
>http://www.linuxgazette.com/issue35/tag/remoteroot.html</A>
</BLOCKQuote></BLOCKQUOTE>

<!-- end 13 -->
<!--startcut ======================================================= -->
<P> <hr> </p>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 2000, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 55 July 2000</H5>
<H6 ALIGN="center">HTML transformation by
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
Tuxtops, Inc.,
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
</H6>
<P> <hr>
</BODY></HTML>
<!--endcut ========================================================= -->