Date: Thu, 21 May 1998 19:56:16 -0700 From: Mike Smith <mike@smith.net.au> To: Mike Fisher <mfisher@harborcom.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account Message-ID: <199805220256.TAA06636@antipodes.cdrom.com> In-Reply-To: Your message of "Thu, 21 May 1998 23:22:48 EDT." <Pine.BSF.3.96.980521222333.262S-100000@d117-h041.rh.rit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Thu, 21 May 1998, Mike Smith wrote:
>
> > If you wish to disable a user's account, you should set their shell to
> > something nonexistent. (Note that ssh may still be a way past this.)
>
> As is the login.conf(5) database, from what I can tell. If the disabled
> user drops in a .login_conf that sets the shell, it will work although
> they will need to modify their SHELL environmental variable if they're
> going to be doing much fun stuff.
>
> However, I just did some playing around with this on a 2.2.6-STABLE system
> and didn't seem to have any luck subverting the configured shell. (Read:
> assuming I configure .login_conf correctly, it is not being used
> correctly.)
from login.conf(5)
In FreeBSD, users may individually create a file called .login_conf in
their home directory using the same format, consisting of a single entry
with a record id of "me". If present, this file is used by login(1) to
set user-defined environment settings which override those specified in
the system login capabilities database. Only a subset of login capabili-
ties may be overridden, typically those which do not involve authentica-
tion, resource limits and accounting.
In addition, the 'shell' capability seems to be unimplemented. 8(
> With SSH, I was unable to do a login via RSA keys or password
> authentication with the shell set to /sbin/nologin. I'd assume that the
> ..shosts authentication would also be effectively broken.
That's bad, and effectively a bug in ssh.
--
\\ Sometimes you're ahead, \\ Mike Smith
\\ sometimes you're behind. \\ mike@smith.net.au
\\ The race is long, and in the \\ msmith@freebsd.org
\\ end it's only with yourself. \\ msmith@cdrom.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805220256.TAA06636>