From owner-freebsd-security Thu Jan 27 10:08:30 2000
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 27 Jan 2000 19:08:04 +0100 (MET)
From: Marc SCHAEFER
To: The Mad Scientist
Cc: freebsd-security@freebsd.org
Subject: Re: sshd and pop/ftponly users incorrect configuration
In-Reply-To: <4.1.20000127001817.00938470@mail.thegrid.net>

On Thu, 27 Jan 2000, The Mad Scientist wrote:

> > - no user which has an account hasn't a shell (he will be able
> > to do the above, except the root@ IDENT, anyway, if he has a shell)
>
> This line is a little confusing to me. Do you mean every user with an
> account has no shell? What do you mean by account? (pop?) And who is 'he'?

If the user has a shell (e.g. bash, tcsh), he can connect to any host on
the Internet anyway (unless some socket restrictions were set up; I don't
know if this is available in FreeBSD). The only difference is that he
won't be able to fake the IDENT.

If he has /bin/false as shell (i.e. he hasn't a shell, but accesses POP
and/or FTP), he can issue TCP connections appearing from the host unless
DenyGroups or other security steps are taken.
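The point of the reply is that giving a POP- or FTP-only account /bin/false as its shell does not stop sshd from accepting the login and letting the account forward TCP connections that appear to come from the host; the account also has to be kept out of sshd, for example via DenyGroups. The following audit script is an added example, not part of the original mail or of FreeBSD: it takes passwd, group and sshd_config contents (constructed samples are embedded inline so it runs offline), finds the accounts whose shell is /bin/false or a nologin program, and reports those whose primary group is not listed on a DenyGroups line, i.e. shell-less accounts sshd would still accept. Group names, user names and the "unprotected_users" helper are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample files (not from the mail): two shell-less accounts,
# only one of whose groups is denied in sshd_config.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash
popbob:*:1002:2001:Bob (POP only):/home/popbob:/bin/false
ftpcarol:*:1003:2002:Carol (FTP only):/home/ftpcarol:/usr/sbin/nologin'
GROUP_SAMPLE='wheel:*:0:root
alice:*:1001:
poponly:*:2001:
ftponly:*:2002:'
SSHD_CONFIG_SAMPLE='PermitRootLogin no
DenyGroups poponly'

# shellless_users PASSWD: print "user:gid" for every account whose login
# shell is /bin/false or ends in "nologin".
shellless_users() {
  printf '%s\n' "$1" |
    awk -F: '$7 == "/bin/false" || $7 ~ /nologin$/ { print $1 ":" $4 }'
}

# gid_to_group GROUPFILE GID: resolve a numeric gid to its group name.
gid_to_group() {
  printf '%s\n' "$1" | awk -F: -v gid="$2" '$3 == gid { print $1; exit }'
}

# denied_groups SSHDCONF: print every group named on a DenyGroups line
# (the keyword is case-insensitive in sshd_config).
denied_groups() {
  printf '%s\n' "$1" |
    awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# unprotected_users PASSWD GROUPFILE SSHDCONF: shell-less accounts whose
# primary group is not covered by DenyGroups, printed as "user (group)".
# These are the accounts that can still open an ssh session (and forward
# TCP through the host) despite having no usable shell.
unprotected_users() {
  for entry in $(shellless_users "$1"); do
    user=${entry%%:*}
    gid=${entry##*:}
    grp=$(gid_to_group "$2" "$gid")
    denied=0
    for d in $(denied_groups "$3"); do
      [ "$d" = "$grp" ] && denied=1
    done
    [ "$denied" -eq 0 ] && echo "$user ($grp)"
  done
}

# With the samples above this prints "ftpcarol (ftponly)".
unprotected_users "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$SSHD_CONFIG_SAMPLE"
```

On a real host the three samples would be replaced by `$(cat /etc/passwd)`, `$(cat /etc/group)` and `$(cat /etc/ssh/sshd_config)`; the check only looks at primary groups and at DenyGroups, so accounts covered by DenyUsers, supplementary groups or an AllowUsers/AllowGroups whitelist need a separate check. In OpenSSH releases that support Match blocks, a `Match Group poponly,ftponly` block with `AllowTcpForwarding no` is the narrower alternative to denying the login outright.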