Date: Sun, 16 Jan 2000 16:14:55 -0500 (EST)
From: danh@wzrd.com (Dan Harnett)
To: oogali@intranova.net (Omachonu Ogali)
Cc: freebsd-security@freebsd.org
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000116211455.63CE65D07D@mail.wzrd.com>
In-Reply-To: <Pine.BSF.4.10.10001161255170.78224-100000@hydrant.intranova.net> from Omachonu Ogali at "Jan 16, 2000 12:56:38 pm"

> Once again...make the login shell nonexistent, so if an attacker manages
> to get the password to that account they get no visual notice that they
> have the correct password for that account.

I'm not sure where you got that information from, but it appears to be
incorrect. Unless .hushlogin exists and/or the hushlogin capability has been
specified for that user, the copyright message, last login, and motd will
still be displayed. And you will get a similar message as the following:

login: /nonexistent: No such file or directory

As a note, just leaving the shell blank won't solve that either.

That would be visual notice in my book. /sbin/nologin is a Bourne shell
script. The message it prints can be changed to 'Login incorrect.'. Also
the .hushlogin file can be put into this user's home directory. That way
no motd or anything will be printed. You'll notice that doesn't quite give
the normal behavior either.

Dan Harnett

> Omachonu Ogali
> Intranova Networking Group
>
> On Sat, 15 Jan 2000, Crist J. Clark wrote:
>
> > Dan Harnett wrote,
> > > Hello,
> > >
> > > You could also set this particular user's shell to /sbin/nologin and make the
> > > others use the -m option to su.
> >
> > But if you do this, remember,
> >
> >      -m      Leave the environment unmodified. The invoked shell is your
> >              login shell, and no directory changes are made. As a security
> >              precaution, if the target user's shell is a non-standard shell
> >              (as defined by getusershell(3)) and the caller's real uid is
> >              non-zero, su will fail.
> >
> > You have to add '/sbin/nologin' to /etc/shells.
> > --
> > Crist J. Clark                           cjclark@home.com
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
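
An added example, not part of the original message or of FreeBSD's own code: a small Python audit that flags the account states discussed in this thread (shell missing on disk, blank shell, shell not listed in /etc/shells and therefore rejected by su -m for non-root callers). The account names, file contents, path set and caller uid are constructed; the blank-shell fallback to /bin/sh is taken from passwd(5).

```python
# Constructed sample data: /etc/shells text, passwd(5) lines, paths present on disk.
SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n"
PASSWD = (
    "alice:*:1001:1001:Alice:/home/alice:/bin/csh\n"
    "svc1:*:2001:2001:svc:/nonexistent:/nonexistent\n"
    "svc2:*:2002:2002:svc:/home/svc2:\n"
    "svc3:*:2003:2003:svc:/home/svc3:/sbin/nologin\n"
)
EXISTING = {"/bin/sh", "/bin/csh", "/sbin/nologin"}
CALLER_UID = 1001  # assumed non-root caller of su -m


def parse_shells(text):
    """Read /etc/shells-format text: one path per line, '#' starts a comment."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def su_m_allowed(target_shell, shells, caller_uid):
    """Rule from the quoted su(1) text: su -m fails when the target's shell
    is not a listed shell and the caller's real uid is non-zero."""
    return caller_uid == 0 or (target_shell or "/bin/sh") in shells


def audit(passwd_text, shells, existing_paths, caller_uid=CALLER_UID):
    """Return {user: [findings]} for each passwd(5)-format line."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        user, shell = fields[0], fields[-1]  # shell is the last field
        notes = []
        if shell == "":
            notes.append("blank shell: login falls back to /bin/sh")
        elif shell not in existing_paths:
            notes.append("shell missing on disk: login shows an exec error")
        if not su_m_allowed(shell, shells, caller_uid):
            notes.append("shell not in /etc/shells: su -m fails for non-root")
        report[user] = notes
    return report


if __name__ == "__main__":
    for user, notes in audit(PASSWD, parse_shells(SHELLS), EXISTING).items():
        print(user, notes or ["ok"])
```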