Date: Thu, 27 Jan 2000 19:08:04 +0100 (MET)
From: Marc SCHAEFER <schaefer@alphanet.ch>
To: The Mad Scientist <madscientist@thegrid.net>
Cc: freebsd-security@freebsd.org
Subject: Re: sshd and pop/ftponly users incorrect configuration
Message-ID: <Pine.LNX.4.10.10001271906030.24945-100000@vulcan.alphanet.ch>
In-Reply-To: <4.1.20000127001817.00938470@mail.thegrid.net>

On Thu, 27 Jan 2000, The Mad Scientist wrote:

> > - no user which has an account hasn't a shell (he will be able
> >   to do the above, except the root@ IDENT, anyway, if he has a shell)
>
> This line is a little confusing to me. Do you mean every user with an
> account has no shell? What do you mean by account? (pop?) And who is 'he'?

If the user has a shell (e.g. bash, tcsh), he can connect to any host on the Internet anyway (unless some socket restrictions were set up, I don't know if this is available in FreeBSD). The only difference is that he won't be able to fake the IDENT.

If he has /bin/false as shell (i.e. he hasn't a shell, but accessed POP and/or FTP), he can issue TCP connections appearing from the host unless DenyGroups or other security steps are taken.
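
An added example, not part of the original message or of any project's code: a Python audit that lists accounts whose shell is a no-login one such as /bin/false and that no DenyUsers or DenyGroups line in sshd_config covers. The passwd, group and sshd_config samples are constructed, the shell list is an assumption, and patterns are matched with shell-style wildcards, which only approximates sshd's own pattern rules.

```python
from fnmatch import fnmatchcase

# Shells treated as "no interactive login" (assumed list; adjust per site).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def deny_patterns(sshd_config):
    """Collect DenyUsers / DenyGroups patterns (keywords are case-insensitive)."""
    deny = {"denyusers": [], "denygroups": []}
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() in deny:
            deny[words[0].lower()].extend(words[1:])
    return deny

def groups_of(user, gid, group_text):
    """Names of the user's primary and supplementary groups."""
    rows = [line.strip().split(":") for line in group_text.splitlines()]
    return {r[0] for r in rows
            if len(r) >= 4 and (r[2] == gid or user in r[3].split(","))}

def uncovered_accounts(passwd_text, group_text, sshd_config):
    """No-login-shell accounts that no DenyUsers/DenyGroups pattern matches."""
    deny = deny_patterns(sshd_config)
    found = []
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 7 or f[6] not in NOLOGIN_SHELLS:
            continue
        names = groups_of(f[0], f[3], group_text)
        by_user = any(fnmatchcase(f[0], p) for p in deny["denyusers"])
        by_group = any(fnmatchcase(g, p)
                       for g in names for p in deny["denygroups"])
        if not (by_user or by_group):
            found.append(f[0])
    return found

# Constructed sample data (passwd(5)/group(5) layout), not from a real host.
PASSWD = """alice:*:1001:1001:Alice:/home/alice:/bin/tcsh
popbob:*:1002:2000:POP only:/home/popbob:/bin/false
ftpcarol:*:1003:1003:FTP only:/home/ftpcarol:/bin/false
maildan:*:1004:1004:POP only:/home/maildan:/sbin/nologin"""
GROUP = "poponly:*:2000:\nftpcarol:*:1003:\nmaildan:*:1004:\nnoshell:*:2001:maildan"
SSHD_CONFIG = "Port 22\nDenyGroups poponly noshell\n"

if __name__ == "__main__":
    print(uncovered_accounts(PASSWD, GROUP, SSHD_CONFIG))
```

In the sample, popbob is covered through his primary group and maildan through a supplementary one, so only ftpcarol is reported.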