From owner-freebsd-questions Wed Oct 24 19:39:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from topaz.mdcc.cx (topaz.mdcc.cx [212.204.230.141])
	by hub.freebsd.org (Postfix) with ESMTP id 89BB237B405
	for ; Wed, 24 Oct 2001 19:39:10 -0700 (PDT)
Received: from k7.mavetju.org (topaz.mdcc.cx [212.204.230.141])
	by topaz.mdcc.cx (Postfix) with ESMTP id C8C2A2B72E;
	Thu, 25 Oct 2001 04:39:03 +0200 (CEST)
Received: by k7.mavetju.org (Postfix, from userid 1001)
	id A9CD912F; Thu, 25 Oct 2001 12:38:58 +1000 (EST)
Date: Thu, 25 Oct 2001 12:38:58 +1000
From: Edwin Groothuis
To: BSD Freak
Cc: FreeBSD Questions
Subject: Re: Which way is better to deny shell access
Message-ID: <20011025123858.I552@k7.mavetju.org>
Mail-Followup-To: Edwin Groothuis , BSD Freak , FreeBSD Questions
References: <18f1ed818ec2ec.18ec2ec18f1ed8@mbox.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <18f1ed818ec2ec.18ec2ec18f1ed8@mbox.com.au>; from bsd-freak@mbox.com.au on Thu, Oct 25, 2001 at 12:20:16PM +1000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Oct 25, 2001 at 12:20:16PM +1000, BSD Freak wrote:
> Just wondering.... we have a whole heap of pop3 users... we deny them
> shell access by assigning their shell as /sbin/nologin ( the same shell
> as many of the system accounts)... however I noticed if I use the
> adduser utility to create a user with no shell, it assigns /nonexistent
> as their shell...... Which is better?

/sbin/nologin tells the user that there isn't a valid shell, after
logging in. /nonexistent will prevent logging in because the shell
doesn't exist.

I think the second is better because it will not tell the user
(intruder, password guesser) that the password was correct.

Edwin

--
Edwin Groothuis   |              Personal website: http://www.MavEtJu.org
edwin@mavetju.org |    Interested in MUDs? Visit Fatal Dimensions:
------------------+                       http://www.FatalDimensions.org/
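
The distinction drawn in this thread, as an added example that is not part of the original message: an audit that sorts accounts by whether the shell field names a missing path (like /nonexistent), a path that exists but is not listed in /etc/shells (like /sbin/nologin), or a listed login shell. The sample passwd and shells data, the set of existing paths, and the assumption that /sbin/nologin is not listed in /etc/shells are all constructed for illustration.

```python
import os

# Constructed sample data in passwd(5) format (7 colon-separated fields).
SAMPLE_PASSWD = """\
# constructed sample, not from a real system
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
pop1:*:2001:2001:POP3 user:/nonexistent:/sbin/nologin
pop2:*:2002:2002:POP3 user:/nonexistent:/nonexistent
pop3:*:2003:2003:POP3 user:/nonexistent:
"""
# Constructed /etc/shells; assumes /sbin/nologin is not listed in it.
SAMPLE_SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n"
# Constructed set of paths that "exist", so the example runs anywhere.
SAMPLE_EXISTING = {"/bin/sh", "/bin/csh", "/sbin/nologin"}


def parse_shells(text):
    """Return the set of paths listed in an /etc/shells-style file."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {line for line in lines if line}


def classify(shell, valid_shells, exists=os.path.exists):
    """Classify one shell field along the lines the thread distinguishes."""
    if shell == "":
        shell = "/bin/sh"      # passwd(5): an empty field means /bin/sh
    if not exists(shell):
        return "missing"       # e.g. /nonexistent: there is nothing to exec
    if shell in valid_shells:
        return "listed"        # present and listed in /etc/shells
    return "unlisted"          # present but not listed, e.g. /sbin/nologin


def audit(passwd_text, shells_text, exists=os.path.exists):
    """Map each account name to the classification of its shell field."""
    valid = parse_shells(shells_text)
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue           # malformed entry, skip it
        result[fields[0]] = classify(fields[-1], valid, exists)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_SHELLS, SAMPLE_EXISTING.__contains__)
    for user, kind in report.items():
        print(f"{user:8} {kind}")
```

Note the pop3 entry: an empty shell field is reported as "listed" because it falls back to /bin/sh, so leaving the field blank does not deny shell access.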