From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: Dan Nelson
Cc: questions@freebsd.org
Date: Thu, 11 Dec 2008 02:10:09 -0500 (EST)
Subject: Re: How to block NIS logins via ssh?
In-Reply-To: <20081210191617.GD82227@dan.emsphone.com>
References: <20081210160222.GB82227@dan.emsphone.com> <20081210191617.GD82227@dan.emsphone.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-ID: 0x624BB249

On Wed, 10 Dec 2008, Dan Nelson wrote:

> In the last episode (Dec 10), Dan Mahoney, System Admin said:
>> On Wed, 10 Dec 2008, Dan Nelson wrote:
>>> In the last episode (Dec 10), Dan Mahoney, System Admin said:
>>>> I'm noticing that when following the directions given here:
>>>>
>>>> http://www.freebsd.org/doc/en/books/handbook/network-nis.html
>>>>
>>>> for how to disable logins, the recommended action is to set the shell to
>>>> /sbin/nologin.
>>>>
>>>> However, this is sloppy as it allows the user to log in, get the
>>>> motd, do everything short of getting a shell.
>>>>
>>>> I've tried starring out the password in the +::::::::: entry (and
>>>> putting in a "bad" password, like x), and those don't seem to
>>>> work. I am still able to connect via sshd and prove that the
>>>> account works.
>>>
>>> By default, the passwd field is ignored in an NIS + or - line. It
>>> looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will
>>> get the behaviour you're looking for (see the compat_set_template
>>> function in src/lib/libc/gen/getpwent.c).
>>
>> Okay, let's look at it from an alternate tack then -- what else renders an
>> account invalid?
>>
>> Is there a pam knob to check /etc/shells? Or an sshd option?
>
> There's a pam_exec module which launches a program of your choice. You
> could look up the user's shell from there using whatever script you're
> comfortable with. Or, if all your NIS users are members of a certain
> group, you could use the pam_group module to deny them.
>
>> I found these:
>>
>> http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html
>>
>> for a user who had a similar problem, but freebsd doesn't appear to have
>> the requisite module. This could also be implemented as an option to
>> pam_unix (which could check either /etc/shells or the NIS equivalent,
>> since it already has the NIS hooks.)
>
> It looks like our pam_unix module has a "local_pass" option, which
> claims to disallow NIS logins. Have you tried that?

No, I'm using netgroups -- i.e. allow one user (or, rather, allow the
@STAFF group), import the whole map, disallow the rest from logging in.

Actually, I just found the answer to this... instead of putting "nologin"
in, put in something bogus (I'm using /nonexistent)... and the password
will just loop. This is something sshd does internally.

Given that, there are several solutions to this:

1) The kluge as above.

2) A pam module to check /etc/shells (this is standard login behavior,
historically supported, and available on other platforms; adding a module,
even to ports, is trivial).

3) A patch to openssh to do /etc/shells checking (I'll note that openSSH has
the "UseLogin" option, which may also do this).

4) An option to pam_unix to check this. Differs from #2 in that it's a
change to an existing module instead of one in ports.

-Dan

--

"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."

--Cali and Gushi, 6/23/02

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144
AIM: LarpGM
Site: http://www.gushi.org
---------------------------
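Dan Nelson's pam_exec suggestion, worked through as an added example (this is not code from the thread, from FreeBSD, or from the handbook). The script is meant to sit in the `account` chain of `/etc/pam.d/sshd` behind `pam_exec.so`, which exports the authenticating user as `PAM_USER` to the child; it denies the account unless the user's login shell appears in `/etc/shells`, so an NIS entry pointing at `/sbin/nologin` or `/nonexistent` is rejected before the session starts, and the rejection is logged. The install path `/usr/local/libexec/check_shell.sh`, the helper names, and the use of `getent` to read the NIS-merged passwd map are my assumptions; the passwd and shells data embedded below are constructed samples so the logic can be exercised without touching a real NIS map.

```shell
#!/bin/sh
# Added example: pam_exec helper that refuses accounts whose login shell is
# not listed in /etc/shells. Assumed hook in /etc/pam.d/sshd:
#   account  required  pam_exec.so  /usr/local/libexec/check_shell.sh
# pam_exec(8) exports PAM_USER (and PAM_SERVICE, PAM_RHOST, ...) to us.

# Constructed sample data standing in for the NIS-merged passwd map and
# /etc/shells, used only when the script is run outside pam_exec.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/nonexistent
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin'

SAMPLE_SHELLS='# /etc/shells: valid login shells
/bin/sh
/bin/csh
/bin/tcsh'

# login_shell USER PASSWD_DATA
# Prints the 7th (shell) field of USER's passwd entry, or nothing if absent.
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# shell_allowed USER PASSWD_DATA SHELLS_DATA
# Returns 0 when USER's shell is an exact, non-comment line of SHELLS_DATA,
# 1 when the shell is missing or unlisted (so nologin/nonexistent fail).
shell_allowed() {
    user_shell=$(login_shell "$1" "$2")
    [ -n "$user_shell" ] || return 1
    printf '%s\n' "$3" | grep -v '^#' | grep -qxF -- "$user_shell"
}

# Real PAM invocation: PAM_USER is set by pam_exec. Exit status is what PAM
# sees, so a non-zero status denies the account.
if [ -n "${PAM_USER:-}" ]; then
    passwd_data=$(getent passwd "$PAM_USER" 2>/dev/null)   # assumed: getent in base
    shells_data=$(cat /etc/shells 2>/dev/null)
    if shell_allowed "$PAM_USER" "$passwd_data" "$shells_data"; then
        exit 0
    fi
    logger -t check_shell "denied ${PAM_USER} from ${PAM_RHOST:-?}: shell not in /etc/shells"
    exit 1
fi
```

Run by hand with `PAM_USER=someone sh check_shell.sh; echo $?` to see the decision the module would return. Because the check is a separate `account` step rather than a tweak to the password, it stays effective even though the NIS `+` line's password field is ignored, which is the gap the original poster ran into.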