From owner-freebsd-security Wed Feb 28 9:48:50 2001
From: Nate Williams
Date: Wed, 28 Feb 2001 10:46:40 -0700 (MST)
To: Paul Herman
Cc: Steve Reid, Brooks Davis, Rob Simmons
Subject: Re: ssh -t /bin/sh trick (was Re: ftp access)
Message-ID: <15005.14720.989013.390180@nomad.yogotech.com>
References: <20010227202145.A31471@grok.bc.hsia.telus.net>
Reply-To: nate@yogotech.com (Nate Williams)

> > > If you do this be sure to keep users from being able to access the system
> > > via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
> > > ssh -t /bin/sh
> >
> > Are you certain about this?
> >
> > I tried this on a 4.1.1-R box I operate and it didn't let me in. The
> > box is set up with the ftp login shell set to "/nonexistent/ftponly",
> > which is listed in /etc/shells but does not exist.
>
> This behaviour has changed over the years, which is why there are two
> conflicting reports.
>
> I remember the days (FreeBSD 2.2.6, or so, using ssh from ssh.com) of
> having to write a small script in /etc/sshrc which checks for invalid
> shells to prevent what Brooks was describing. Back then, it *did*
> work. Strange.

I'm using an older setup (2.2.8 client, 3.4 server), both using SSH.com
software, and it doesn't work. You had me worried for a moment.. :)

> Now (at least with OpenSSH_2_3_0), that trick doesn't work anymore.
> Don't know when/where/in which version this changed, but my inkling is
> that PAM is the culprit.

I'm not using OpenSSH and/or PAM with SSH on my box, and it doesn't work.

Nate
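The thread shows that whether a listed-but-nonexistent login shell such as "/nonexistent/ftponly" actually keeps an account off ssh depends on the sshd version and build, so an administrator should not rely on the shell trick alone. The following audit script is an added example, not code from the thread or from FreeBSD; it reads a passwd file and an /etc/shells file (both given as parameters, with constructed sample data) and reports, per account, whether the login shell is a real executable that is also listed in the shells file. Accounts that come back "missing" are the ones whose ssh access rests only on the shell trick and should be excluded by a separate sshd control (for instance OpenSSH's AllowUsers/AllowGroups directives) rather than by the shell name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit which accounts would
# get a usable login shell, given a passwd file and an /etc/shells file.
# Paths are parameters so the check can run against constructed sample files.

# Classify one login shell:
#   "real"     - executable exists and is listed in the shells file
#   "unlisted" - executable exists but is not in the shells file
#   "missing"  - listed in the shells file but does not exist on disk
#                (the "/nonexistent/ftponly" arrangement from the thread)
#   "invalid"  - neither exists nor listed
classify_shell() {
    shell=$1
    shells_file=$2
    listed=1
    # -x: whole-line match, -F: fixed string, so "." in a path is literal
    if grep -qxF -- "$shell" "$shells_file"; then listed=0; fi
    if [ -x "$shell" ]; then
        if [ "$listed" -eq 0 ]; then echo real; else echo unlisted; fi
    else
        if [ "$listed" -eq 0 ]; then echo missing; else echo invalid; fi
    fi
}

# Print "user:shell:status" for every account in a passwd file.
audit_passwd() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        printf '%s:%s:%s\n' "$user" "$shell" \
            "$(classify_shell "$shell" "$shells_file")"
    done < "$passwd_file"
}

# Constructed sample data (hypothetical accounts, not a real system), written
# to a temporary directory whose path is echoed back to the caller.
make_sample() {
    dir=$(mktemp -d)
    # a constructed executable that is deliberately NOT listed in shells
    printf '#!/bin/sh\n' > "$dir/fakesh"
    chmod +x "$dir/fakesh"
    printf '/bin/sh\n/nonexistent/ftponly\n' > "$dir/shells"
    {
        printf 'root:*:0:0:root:/root:/bin/sh\n'
        printf 'ftpuser:*:1001:1001:ftp only:/home/ftpuser:/nonexistent/ftponly\n'
        printf 'odd:*:1002:1002:odd account:/home/odd:%s\n' "$dir/fakesh"
        printf 'stale:*:1003:1003:stale:/home/stale:/nonexistent/other\n'
    } > "$dir/passwd"
    echo "$dir"
}

# Stand-alone run: audit the constructed sample and clean up.
sample=$(make_sample)
audit_passwd "$sample/passwd" "$sample/shells"
rm -rf "$sample"
```

Run it as-is to see the four classifications on the sample data, or call `audit_passwd /etc/passwd /etc/shells` on a real host; only the "real" rows describe accounts that can obtain an interactive shell by the shell path alone, and every "missing" row is an account the thread's ftp-only arrangement applies to.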