Date:      Thu, 21 May 1998 23:22:48 -0400 (EDT)
From:      Mike Fisher <mfisher@harborcom.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: SKey and locked account
Message-ID:  <Pine.BSF.3.96.980521222333.262S-100000@d117-h041.rh.rit.edu>
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>

On Thu, 21 May 1998, Mike Smith wrote:

> If you wish to disable a user's account, you should set their shell to 
> something nonexistent.  (Note that ssh may still be a way past this.)

As is the login.conf(5) database, from what I can tell.  If the disabled
user drops in a .login_conf that sets the shell, it will work although
they will need to modify their SHELL environmental variable if they're
going to be doing much fun stuff.

However, I just did some playing around with this on a 2.2.6-STABLE system
and didn't seem to have any luck subverting the configured shell.  (Read:
assuming I configure .login_conf correctly, it is not being used
correctly.)

Setting the shell to /sbin/nologin does seem to do the trick; it doesn't
let S/Key through and it doesn't seem to allow anything else through.

With SSH, I was unable to do a login via RSA keys or password
authentication with the shell set to /sbin/nologin.  I'd assume that the
.shosts authentication would also be effectively broken.

Of course, this is an inelegant fix for people who have set up a nice
shell substitute that allows choices like password changes or whatnot, but
I would imagine that in a situation where the account was locked, a
password change is a minimal priority for people.

--
Mike
  "I swear - by my life and by my love of it - that I will never live
  for the sake of another man, nor ask another man to live for mine."
         --Ayn Rand, _Atlas Shrugged_
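An added example, not code from this thread or from FreeBSD: a small audit script that reports, for each account in a passwd-format file, whether it is locked with /sbin/nologin (the method the message above found effective), merely pointed at a shell path that does not exist, or still "active", and flags any ~/.login_conf that carries a "shell=" capability, which is the override the message speculates about. The passwd file, the fake home directories and the .login_conf contents are constructed under a temporary root so the script runs anywhere; the "+login_conf_shell" marker and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original message. Reports how each account in a
# passwd-format file is (or is not) locked out of a shell:
#   active     shell path exists and is executable
#   nologin    shell is /sbin/nologin
#   missing    shell path does not exist (weak on its own: a login.conf(5)
#              "shell" capability may still supply one)
# A "+login_conf_shell" suffix means ~/.login_conf contains a "shell=" entry,
# which is what to look for on an account that is "locked" only by a bogus
# shell path. Every path is resolved under $root so a constructed fixture
# can stand in for a real system.

account_status() {
    passwd_file=$1; root=$2; user=$3
    line=$(grep "^$user:" "$passwd_file") || { echo unknown; return 1; }
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $shell in
        /sbin/nologin) status=nologin ;;
        *) if [ -x "$root$shell" ]; then status=active; else status=missing; fi ;;
    esac
    # hypothetical override check: a user-supplied "shell=" capability
    if [ -f "$root$home/.login_conf" ] \
        && grep -q '^[^#]*:shell=' "$root$home/.login_conf"; then
        status="$status+login_conf_shell"
    fi
    echo "$status"
}

audit_passwd() {
    # one line per account: <user><TAB><status>
    cut -d: -f1 "$1" | while read -r u; do
        printf '%s\t%s\n' "$u" "$(account_status "$1" "$2" "$u")"
    done
}

make_fixture() {
    # constructed sample data: three users under a temporary root
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/sbin" "$dir/home/alice" "$dir/home/bob" "$dir/home/carol"
    : > "$dir/bin/sh"; chmod +x "$dir/bin/sh"
    cat > "$dir/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/sbin/nologin
carol:*:1003:1003:Carol:/home/carol:/usr/local/bin/disabled
EOF
    # carol's shell path does not exist, but her .login_conf tries to
    # supply one through the "shell" capability
    printf 'default:\\\n\t:shell=/bin/sh:\n' > "$dir/home/carol/.login_conf"
    echo "$dir"
}

root=$(make_fixture)
audit_passwd "$root/passwd" "$root"
rm -rf "$root"
```

Run it as-is to see the three sample accounts classified; point audit_passwd at /etc/passwd with root "" on a real FreeBSD box to audit the live database. Only accounts reported as "nologin" are locked the way the message describes; a "missing" entry with the "+login_conf_shell" marker is exactly the case worth a closer look.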
