Date:      Sun, 16 Jan 2000 21:48:39 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Omachonu Ogali <oogali@intranova.net>
Cc:        Jonathan Fortin <jonf@revelex.com>, cjclark@home.com, Dan Harnett <danh@wzrd.com>, Nicholas Brawn <ncb@zip.com.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: Disallow remote login by regular user.
Message-ID:  <20000116214839.A60295@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <Pine.BSF.4.10.10001161256500.78224-100000@hydrant.intranova.net>; from oogali@intranova.net on Sun, Jan 16, 2000 at 12:58:05PM -0500
References:  <Pine.BSO.4.21.0001151751410.2416-100000@revelex.com> <Pine.BSF.4.10.10001161256500.78224-100000@hydrant.intranova.net>

On Sun, Jan 16, 2000 at 12:58:05PM -0500, Omachonu Ogali wrote:
> If you add it to /etc/shells then it allows a user to login via FTP since
> the FTP daemon checks to see if the user's shell returned by
> getpwnam()/getpwuid() exists in /etc/shells, if it does then it allows a
> successful connection/login, and this is what he wants to prevent.

Yep. You then need to add the user to /etc/ftpusers (if ftp is enabled
at all). But whatever shell you give the account, it does need to be
in /etc/shells for non-root users to su to it, which is how the
original poster wanted people to gain access.

> On Sat, 15 Jan 2000, Jonathan Fortin wrote:
> 
> > 
> > Hello,
> > 
> > You could also set the user's shell to /bin/false and add it in /etc/shells
> > and use the -m option.
> > 
> > 
> > jonf@revelex.com
> > 
> > On Sat, 15 Jan 2000, Crist J. Clark wrote:
> > 
> > > Dan Harnett wrote,
> > > > Hello,
> > > > 
> > > > You could also set this particular user's shell to /sbin/nologin and make the
> > > > others use the -m option to su.
> > > 
> > > But if you do this, remember,
> > > 
> > >      -m      Leave the environment unmodified.  The invoked shell is your lo-
> > >              gin shell, and no directory changes are made.  As a security pre-
> > >              caution, if the target user's shell is a non-standard shell (as
> > >              defined by getusershell(3))  and the caller's real uid is non-ze-
> > >              ro, su will fail.
> > > 
> > > You have to add '/sbin/nologin' to /etc/shells.
-- 
Crist J. Clark                           cjclark@home.com
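
The check this exchange implies, as an added example that is not part of the original message: list accounts whose no-login shell is in the shells file (so non-root `su -m` works) but whose name is missing from the ftpusers file. The function names, the sample accounts and the assumption that the passwd file uses the seven-field /etc/passwd layout are mine; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Prints accounts whose shell is a
# no-login shell that IS in the shells file (needed for non-root "su -m")
# but whose name is NOT in the ftpusers file, so ftpd would not refuse them.
# Usage: audit_nologin_ftp PASSWD SHELLS FTPUSERS [NOLOGIN_SHELL...]
# Assumes PASSWD is in 7-field /etc/passwd format (shell is field 7).
audit_nologin_ftp() {
    passwd=$1 shells=$2 ftpusers=$3
    shift 3
    [ $# -gt 0 ] || set -- /sbin/nologin /bin/false   # shells named in the thread
    awk -F: -v locked="$*" -v shells="$shells" -v ftpusers="$ftpusers" '
    BEGIN {
        n = split(locked, a, " ")
        for (i = 1; i <= n; i++) is_locked[a[i]] = 1
        # Load both lists, dropping comments, blanks and stray whitespace.
        while ((getline line < shells) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") valid[line] = 1
        }
        while ((getline line < ftpusers) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") denied[line] = 1
        }
    }
    /^#/ || NF < 7 { next }
    # Flag: locked shell, accepted by getusershell(3) users, FTP not denied.
    ($7 in is_locked) && ($7 in valid) && !($1 in denied) { print $1 }
    ' "$passwd"
}

# Constructed sample files (not real system data), written under directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
svc:*:1001:1001:Service:/nonexistent:/sbin/nologin
batch:*:1002:1002:Batch:/nonexistent:/sbin/nologin
alice:*:1003:1003:Alice:/home/alice:/bin/sh
queue:*:1004:1004:Queue:/nonexistent:/bin/false
EOF
    printf '%s\n' '# constructed' /bin/sh /bin/csh /sbin/nologin > "$1/shells"
    printf '%s\n' root batch > "$1/ftpusers"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_nologin_ftp "$demo_dir/passwd" "$demo_dir/shells" "$demo_dir/ftpusers"
rm -rf "$demo_dir"
```

On a live system the arguments would be /etc/passwd, /etc/shells and /etc/ftpusers; an account with /bin/false is only reported once that shell has been added to the shells file.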

