Date: Fri, 22 May 1998 07:24:54 -0600 From: Wes Peters <wes@softweyr.com> To: Philippe Regnauld <regnauld@deepo.prosa.dk> Cc: Mike Smith <mike@smith.net.au>, freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account Message-ID: <35657CA6.D93AC10D@softweyr.com> References: <19980521183148.07894@deepo.prosa.dk> <199805212338.QAA05467@antipodes.cdrom.com> <19980522101215.41390@deepo.prosa.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
Philippe Regnauld wrote:
> Ok -- just referrring to the man page:
>
> The password field is the encrypted form of the password. If the
> password field is empty, no password will be required to gain access to
> the machine. This is almost invariably a mistake. Because these files
> contain the encrypted user passwords, they should not be readable by any-
> one without appropriate privileges. Administrative accounts have a pass-
> word field containing an asterisk `*' which disallows normal logins.
>
> ... it doesn't mention the fact that they _also_ have an invalid
> shell.
Yeah, this little bit of UNIX arcana has been batted back and forth
for years. At least FreeBSD *has* a nologin program, see nologin(8).
I don't like it, because it doesn't log the failed access. Here's my
replacement, which does:
~~~~~~~~~ nologin.c ~~~~~~~~~
/*
* nologin.c - a login shell for disabling users.
*
* Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
*
* This product includes software developed by Softweyr LLC
*
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* This software is provided by Softweyr LLC ``as is'' and any express or
* implied warranties, including, but not limited to, the implied warranties
* of merchantability and fitness for a particular purpose are disclaimed.
* In no event shall Softweyr LLC or any contributors be liable for any
* direct, indirect, incidental, special, exemplary, or consequential
* damages (including, but not limited to, procurement of substitute goods
* or services; loss of use, data, or profits; or business interruption)
* however caused and on any theory of liability, whether in contract,
* strict liability, or tort (including negligence or otherwise) arising in
* any way out of the use of this software, even if advised of the
* possibility of such damage.
*
* Author: Wes Peters
* Date: Tue Jan 28 21:30:06 MST 1997
*/
#include <sys/types.h>
#include <unistd.h>
#include <syslog.h>
int
main(int argc,
char *argv[])
{
char *user, *device;
if ((user = getlogin()) == NULL)
user = "UNKNOWN";
if ((device = ttyname(0)) == NULL)
device = "UNKNOWN";
openlog("nologin", LOG_CONS, LOG_AUTH);
syslog(LOG_CRIT, "%s on %s", user, device);
closelog();
return 0;
}
~~~~~~~~~~ nologin.8 ~~~~~~~~~~
.\" nologin.c - a login shell for disabling users.
.\"
.\" Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\"
.\" This product includes software developed by Softweyr LLC
.\"
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" This software is provided by Softweyr LLC ``as is'' and any express or
.\" implied warranties, including, but not limited to, the implied warranties
.\" of merchantability and fitness for a particular purpose are disclaimed.
.\" In no event shall Softweyr LLC or any contributors be liable for any
.\" direct, indirect, incidental, special, exemplary, or consequential
.\" damages (including, but not limited to, procurement of substitute goods
.\" or services; loss of use, data, or profits; or business interruption)
.\" however caused and on any theory of liability, whether in contract,
.\" strict liability, or tort (including negligence or otherwise) arising in
.\" any way out of the use of this software, even if advised of the
.\" possibility of such damage.
.\"
.\" Author: Wes Peters
.\" Date: Tue Jan 28 21:30:06 MST 1997
.TH nologin 1 "1 Jan 1997"
.SH NAME
nologin \- a login shell for disabled users
.SH SYNOPSIS
.B nologin
.SH DESCRIPTION
.B nologin
is a login shell for user accounts that have been disabled. It logs
the attempted login via the
.BR syslog (3)
mechanism, with an
.I ident
of
.B nologin
and a
.I facility
of
.BR LOG_AUTH .
Log entries will appear in the system log as:
.LP
.RS
Jan 28 21:36:54
.I hostname
nologin:
.I user
on
.I /dev/ttypX
.RE
.LP
Please note that you should
.B not
add the
.B nologin
program to the
.B /etc/shells
file, as you do not want users to accidentally set their shell to
.B nologin.
.SH AUTHOR
Wes Peters, Softweyr LLC: wes@softweyr.com
~~~~~~~~~~ end snip ~~~~~~~~~~
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?35657CA6.D93AC10D>