From owner-freebsd-security Sat Mar 3 1:24:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 5FFA637B71C for ; Sat, 3 Mar 2001 01:24:53 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Z8S4-0000Du-00; Sat, 03 Mar 2001 02:35:48 -0700
Message-ID: <3AA0BAF4.B227DB5B@softweyr.com>
Date: Sat, 03 Mar 2001 02:35:48 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga
Cc: Matt Piechota , Rob Simmons , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <3A9DF7C7.FF9361C2@eboa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
>
> Matt Piechota wrote:
> >
> > On Tue, 27 Feb 2001, Rob Simmons wrote:
> >
> > > /sbin/nologin as the user's shell. You also have to add this shell to
> > > /etc/shells
> >
> > I thought the idea of nologin was to deny access. Wouldn't you want to
> > copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
> > That way you have 3 steps: telnet+ftp (tcsh, bash, etc), ftp only
> > (/sbin/ftponly), and no access (/sbin/nologin).
>
> Well, there is nologin and then there is nologin.
>
> nisse:/usr/local/www# apropos nologin
> login_auth(3), -(3) - auth_checknologin, auth_cat authentication style support l
> ibrary for login class capabilities database
> nologin(5) - disallow logins
> nologin(8) - politely refuse a login

There is also no-login in ports/security, which behaves like nologin(8)
but does not disclose that logins are disabled on the account (leaving
you wondering if you guessed name or password wrong), and does log the
attempted access.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/
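
The tiers discussed in this thread can be audited from a passwd file and a shells list. The script below is an added example, not part of the original message or of FreeBSD. It assumes ftpd(8) refuses accounts whose shell is not listed in /etc/shells, ignores /etc/ftpusers, treats `ftponly` as the hypothetical copy of nologin proposed in the thread, and runs on constructed sample data.

```shell
#!/bin/sh
# Sort accounts into the access tiers discussed in the thread.
# Assumption: a "refusing" shell is recognised by basename; ftponly is the
# hypothetical copy of nologin proposed in the thread.
REFUSING_SHELLS="nologin no-login ftponly"

# classify_accounts PASSWD_FILE SHELLS_FILE -> lines of "user tier shell"
classify_accounts() {
    awk -F: -v refusing="$REFUSING_SHELLS" -v shellsfile="$2" '
        BEGIN { n = split(refusing, r, " "); for (i = 1; i <= n; i++) refuse[r[i]] = 1 }
        FILENAME == shellsfile {            # shells list: drop comments and blanks
            line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") listed[line] = 1
            next
        }
        /^#/ || NF < 7 { next }             # skip comments and malformed entries
        {
            shell = ($NF == "") ? "/bin/sh" : $NF   # empty shell field means /bin/sh
            base = shell; sub(/.*\//, "", base)
            if ((shell in listed) && (base in refuse)) tier = "ftp-only"
            else if (shell in listed)                  tier = "shell+ftp"
            else if (base in refuse)                   tier = "no-access"
            else                                       tier = "shell-only"  # ftpd refuses unlisted shells
            print $1, tier, shell
        }
    ' "$2" "$1"
}

# demo [EXTRA_SHELL]: run over constructed sample data, optionally adding one
# more line to the sample shells file.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/tcsh
bob:*:1002:1002:Bob:/home/bob:/sbin/ftponly
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:
erin:*:1005:1005:Erin:/home/erin:/usr/local/bin/bash
EOF
    printf '%s\n' '# constructed shells list' /bin/sh /bin/tcsh /sbin/ftponly $1 > "$dir/shells"
    classify_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

Running `demo /sbin/nologin` shows the effect of listing nologin in the shells file: carol moves from no-access to ftp-only.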