Date: Thu, 27 Jan 2000 18:46:49 -0800
From: The Mad Scientist <madscientist@thegrid.net>
To: Marc SCHAEFER <schaefer@alphanet.ch>
Cc: freebsd-security@freebsd.org
Subject: Re: sshd and pop/ftponly users incorrect configuration
Message-ID: <4.1.20000127184450.0095b390@mail.thegrid.net>
In-Reply-To: <Pine.LNX.4.10.10001271906030.24945-100000@vulcan.alphanet.ch>
References: <4.1.20000127001817.00938470@mail.thegrid.net>

At 07:08 PM 1/27/00 +0100, you wrote:
>On Thu, 27 Jan 2000, The Mad Scientist wrote:
>
>> > - no user which has an account hasn't a shell (he will be able
>> >   to do the above, except the root@ IDENT, anyway, if he has a shell)
>>
>> This line is a little confusing to me. Do you mean every user with an
>> account has no shell? What do you mean by account? (pop?) And who is 'he'?
>
>If the user has a shell (e.g. bash, tcsh), he can connect to any host on
>the Internet anyway (unless some socket restrictions were set up, I don't
>know if this is available in FreeBSD). The only difference is that he
>won't be able to fake the IDENT.
>
>If he has /bin/false as shell (ie he hasn't a shell, but accessed POP
>and/or FTP), he can issue TCP connections appearing from the host unless
>DenyGroups or other security steps are taken.

Thanks. So if I understand you correctly, if the user has no shell on the
system, they will only be able to fake their ident, yes?

-Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message