Date: Fri, 4 Jan 2002 07:43:49 -0500
From: Michael Lucas <mwlucas@blackhelicopters.org>
To: Дмитрий Подкорытов <podkorytov@mail.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: nologin hole?
Message-ID: <20020104074349.A5042@blackhelicopters.org>
In-Reply-To: <E16MLol-000FEJ-00@f8.mail.ru>; from podkorytov@mail.ru on Fri, Jan 04, 2002 at 07:18:55AM +0300
References: <E16MLol-000FEJ-00@f8.mail.ru>

Hello,

I would recommend not using nologin as the users' shell. Instead, take a look at /etc/login.access. This makes the shell irrelevant; the user cannot log in, in any shell.

Generally, my sysadmins are in a "sysadmin" group. The "sysadmin" group is allowed to log in from anywhere. All other users are denied login.

There's an article on this in my column archives, if you want a point-by-point walkthrough.

Good luck!

==ml

On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> Maybe this result my paranoia. ;-)
> And maybe not. Very possible You can extract use from this.
> In FreeBSD I found that user with disabled terminal entering has login
> shell named 'nologin'.
> This is sh script:
> ====================================================
> #!/bin/sh -p
> # ...
> # ...
> echo 'This account is currently not available.'
> exit 1
> ====================================================
> My mind about this:
> 1. In case of breaking this script user has root access to system. (See man
> sh, key -p )
> 2. Password maybe 'viewed' any network analyser in time of users
> pop3 session with server. (As rule password crypting not use in POP3)
> 3. Also password maybe hacked bruteforce attack on POP3 daemon.
>
> For successful attack on this manner You can append some code to Your
> telnet/ssh for manage connection speed on fly. Or try use tcpwrapper for this.
> Setup connection speed = 1 baud. Begin telnet/ssh session. Specify user name
> and password, break nologin. After success setup connection speed as You wish
> and work under root permission.
>
> Solution for protect from this attack: install this program.
> For install just make install. You may use this in silence mode. Then compile
> with -DSILENCE_MODE key. Program distributed on GPL as is. Without any
> guarantees.
> At URL: http://org.zaural.ru You can find some useful programs.
>
> My best wishes. Dmitry Podkorytov.
> E-mail: podkorytov@mail.ru
>
> PS: on FreeBSD v.4.1 ps -x not viewed programs, thats
> running code function Exit(), called from atexit(Exit).
> Is it a bug? I used top command for view PID NoLogin.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Michael Lucas
mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons

http://www.blackhelicopters.org/~mwlucas/
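
Added example, not part of the original message or of FreeBSD's code: a simplified Python model of how login.access(5) rules are evaluated, applied to the policy described in the reply above (a "sysadmin" group allowed from anywhere, everyone else denied). The rules, user names and group memberships are constructed samples; case-insensitive matching and netgroups are left out.

```python
"""Simplified model of login.access(5) rule evaluation (FreeBSD).
Added illustration: rules, users and groups below are constructed samples."""

RULES = """\
# admins may log in from anywhere; everyone else is refused
+:sysadmin:ALL
-:ALL:ALL
"""

# Constructed /etc/group data: only explicitly listed members are matched,
# a user's primary group id is not consulted.
GROUPS = {"sysadmin": {"alice", "bob"}, "mail": {"carol"}}

def _match_list(tokens, test):
    """Match a token list, honouring the EXCEPT operator."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], test) and not _match_list(tokens[i + 1:], test)
    return any(test(t) for t in tokens)

def _user_ok(tok, user):
    # ALL, a login name, or a group that lists the user explicitly.
    return tok == "ALL" or tok == user or user in GROUPS.get(tok, ())

def _origin_ok(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":            # origin without a dot, e.g. a tty
        return "." not in origin
    if tok.startswith("."):       # domain suffix
        return origin.endswith(tok)
    if tok.endswith("."):         # network number prefix
        return origin.startswith(tok)
    return tok == origin

def login_allowed(user, origin, rules=RULES):
    """First matching rule decides; if nothing matches, login is allowed."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_match_list(users.split(), lambda t: _user_ok(t, user))
                and _match_list(origins.split(), lambda t: _origin_ok(t, origin))):
            return perm == "+"
    return True
```

Because the first matching line wins and an unmatched login is allowed, the closing "-:ALL:ALL" line is what actually denies the mail-only accounts; without it the "+" line alone restricts nothing.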