Date: Thu, 21 May 1998 23:22:48 -0400 (EDT)
From: Mike Fisher <mfisher@harborcom.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
Message-ID: <Pine.BSF.3.96.980521222333.262S-100000@d117-h041.rh.rit.edu>
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>
On Thu, 21 May 1998, Mike Smith wrote:

> If you wish to disable a user's account, you should set their shell to
> something nonexistent. (Note that ssh may still be a way past this.)

As is the login.conf(5) database, from what I can tell. If the disabled user drops in a .login_conf that sets the shell, it will work, although they will need to modify their SHELL environment variable if they're going to be doing much fun stuff.

However, I just did some playing around with this on a 2.2.6-STABLE system and didn't seem to have any luck subverting the configured shell. (Read: assuming I configure .login_conf correctly, it is not being used correctly.)

Setting the shell to /sbin/nologin does seem to do the trick; it doesn't let S/Key through and it doesn't seem to allow anything else through. With SSH, I was unable to do a login via RSA keys or password authentication with the shell set to /sbin/nologin. I'd assume that the .shosts authentication would also be effectively broken.

Of course, this is an inelegant fix for people who have set up a nice shell substitute that allows choices like password changes or whatnot, but I would imagine that in a situation where the account was locked, a password change is a minimal priority for people.

-- 
Mike

"I swear - by my life and by my love of it - that I will never live for the sake of another man, nor ask another man to live for mine."
--Ayn Rand, _Atlas Shrugged_
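An added audit check, not part of the thread, for the two leftovers the reply worries about on a shell-locked account: a ~/.login_conf that sets shell= and a still-present ~/.ssh/authorized_keys. The passwd file, shells list, home directories and key line in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the original message). Given a passwd-format
# file, a shells(5)-style list and a base directory holding home directories,
# it prints every account whose shell is /sbin/nologin or not a listed login
# shell, and flags a ~/.login_conf that sets "shell=" and a non-empty
# ~/.ssh/authorized_keys, the paths the thread says may still let the user in.
# Usage on a live system: audit_locked_accounts /etc/passwd /etc/shells /
audit_locked_accounts() {
    passwd_file=$1; shells_file=$2; root=${3:-/}
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        case $user in ''|\#*) continue ;; esac
        # Accounts with a real, listed login shell are not "locked": skip them.
        if [ "$shell" != /sbin/nologin ] && grep -qx "$shell" "$shells_file"; then
            continue
        fi
        flags=""
        lc="$root$home/.login_conf"
        if [ -f "$lc" ] && grep -Eq '^[^#]*:shell=' "$lc"; then
            flags="$flags login_conf-shell"
        fi
        ak="$root$home/.ssh/authorized_keys"
        if [ -s "$ak" ]; then flags="$flags ssh-keys"; fi
        printf '%s %s%s\n' "$user" "$shell" "$flags"
    done < "$passwd_file"
}

# Constructed fixture: three accounts, one active and two locked by shell,
# each locked one carrying one of the leftovers the audit looks for.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob"
    printf '/bin/sh\n/bin/csh\n' > "$d/shells"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$d/passwd"
    printf 'alice:*:1001:1001:Alice:/home/alice:/sbin/nologin\n' >> "$d/passwd"
    printf 'bob:*:1002:1002:Bob:/home/bob:/usr/local/bin/gone\n' >> "$d/passwd"
    printf 'ssh-rsa AAAA... alice@example\n' > "$d/home/alice/.ssh/authorized_keys"
    # login.conf-style record that overrides the shell capability.
    printf 'me:\\\n\t:shell=/bin/sh:\n' > "$d/home/bob/.login_conf"
    echo "$d"
}
```

Run `audit_locked_accounts /etc/passwd /etc/shells /` as root and review each flagged line; a clean output means no shell-locked account has either leftover.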