Date:      Sat, 03 Mar 2001 02:35:48 -0700
From:      Wes Peters <wes@softweyr.com>
To:        Roelof Osinga <roelof@eboa.com>
Cc:        Matt Piechota <piechota@argolis.org>, Rob Simmons <rsimmons@wlcg.com>, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject:   Re: ftp access
Message-ID:  <3AA0BAF4.B227DB5B@softweyr.com>
References:  <Pine.BSF.4.31.0102281426470.457-100000@cithaeron.argolis.org> <3A9DF7C7.FF9361C2@eboa.com>

Roelof Osinga wrote:
> 
> Matt Piechota wrote:
> >
> > On Tue, 27 Feb 2001, Rob Simmons wrote:
> >
> > > /sbin/nologin as the user's shell.  You also have to add this shell to
> > > /etc/shells
> >
> > I thought the idea of nologin was to deny access.  Wouldn't you want to
> > copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
> > That way you have 3 steps: telnet+ftp (tcsh, bash, etc), ftp only
> > (/sbin/ftponly), and no access (/sbin/nologin).
> 
> Well, there is nologin and then there is nologin.
> 
> nisse:/usr/local/www# apropos nologin
> login_auth(3), -(3) - auth_checknologin, auth_cat authentication style support l
> ibrary for login class capabilities database
> nologin(5)               - disallow logins
> nologin(8)               - politely refuse a login

There is also no-login in ports/security, which behaves like nologin(8)
but does not disclose that logins are disabled on the account (leaving
you wondering if you guessed name or password wrong), and does log the
attempted access.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
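
Added example, not part of the message above or of the thread: a shell function that reports which of the three tiers from Matt Piechota's reply each account falls into. It assumes ftpd admits a user only when the login shell is listed in /etc/shells, and that a shell whose basename is nologin, no-login or ftponly refuses interactive logins; /sbin/ftponly is the hypothetical name from the thread, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: ftpd admits a user only if the login shell is
# listed in the shells file, and a shell whose basename is nologin, no-login
# or ftponly refuses interactive logins.

# classify_accounts PASSWD_FILE SHELLS_FILE
# Prints "user tier shell" for each 7-field passwd(5)-style line.
classify_accounts() {
    awk -F: -v shells="$2" '
        FILENAME == shells {               # shells list: one path per line
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") listed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            base = shell; sub(/.*\//, "", base)
            refuses = (base == "nologin" || base == "no-login" || base == "ftponly")
            if (shell in listed) tier = refuses ? "ftp-only" : "shell+ftp"
            else                 tier = refuses ? "no-access" : "shell-no-ftp"
            print $1, tier, shell
        }
    ' "$2" "$1"
}

# Constructed sample data; /sbin/ftponly is the hypothetical copy from the thread.
demo_classify() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/shells" <<'EOF'
/bin/sh
/bin/tcsh
/sbin/ftponly
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/tcsh
bob:*:1002:1002:Bob:/home/bob:/sbin/ftponly
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/usr/local/bin/zsh
EOF
    classify_accounts "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo_classify
```

On a live system, pass /etc/passwd and /etc/shells as the two arguments; ftpd also consults /etc/ftpusers, which this check does not read.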
