From owner-freebsd-security Sun Jan 16 14:14:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id 80A9515162 for ; Sun, 16 Jan 2000 14:14:18 -0800 (PST) (envelope-from oogali@intranova.net) Received: (qmail 76716 invoked from network); 16 Jan 2000 17:16:25 -0000 Received: from hydrant.intranova.net (user91211@209.201.95.10) by blacklisted.intranova.net with SMTP; 16 Jan 2000 17:16:25 -0000 Date: Sun, 16 Jan 2000 17:11:36 -0500 (EST) From: Omachonu Ogali To: Dan Harnett Cc: freebsd-security@freebsd.org Subject: Re: Disallow remote login by regular user. In-Reply-To: <20000116211455.63CE65D07D@mail.wzrd.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for the correction. :) Omachonu Ogali Intranova Networking Group On Sun, 16 Jan 2000, Dan Harnett wrote: > > Once again...make the login shell nonexistant, so if an attacker manages > > to get the password to that account they get no visual notice that they > > have the correct password for that account. > > I'm not sure where you got that information from, but it appears to be > incorrect. Unless .hushlogin exists and/or the hushlogin capability has been > specified for that user, the copyright message, last login, and motd will still > be displayed. And you will get a similiar message as the following: > > login: /nonexistent: No such file or directory > > As a note, just leaving the shell blank won't solve that either. > > That would be visual notice in my book. /sbin/nologin is a Bourne shell script. > The message it prints can be changed to 'Login incorrect.'. Also the .hushlogin > file can be put into this user's home directory. That way no motd or anything > will be printed. You'll notice that doesn't quite give the normal behavior > either. > > Dan Harnett > > > Omachonu Ogali > > Intranova Networking Group > > > > On Sat, 15 Jan 2000, Crist J. Clark wrote: > > > > > Dan Harnett wrote, > > > > Hello, > > > > > > > > You could also set this particular user's shell to /sbin/nologin and make the > > > > others use the -m option to su. > > > > > > But if you do this, remember, > > > > > > -m Leave the environment unmodified. The invoked shell is your lo- > > > gin shell, and no directory changes are made. As a security pre- > > > caution, if the target user's shell is a non-standard shell (as > > > defined by getusershell(3)) and the caller's real uid is non-ze- > > > ro, su will fail. > > > > > > You have to add '/sbin/nologin' to /etc/shells. > > > -- > > > Crist J. Clark cjclark@home.com > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message