From owner-freebsd-security Thu Jan 27 18:51:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.snfc21.pbi.net (mta1.snfc21.pbi.net [206.13.28.122])
 by hub.freebsd.org (Postfix) with ESMTP id 229D914DCB
 for ; Thu, 27 Jan 2000 18:51:33 -0800 (PST)
 (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169])
 by mta1.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
 with SMTP id <0FP0007VDYIEJ8@mta1.snfc21.pbi.net>
 for freebsd-security@freebsd.org; Thu, 27 Jan 2000 18:49:27 -0800 (PST)
Date: Thu, 27 Jan 2000 18:46:49 -0800
From: The Mad Scientist
Subject: Re: sshd and pop/ftponly users incorrect configuration
In-reply-to:
X-Sender: i289861@mail.thegrid.net
To: Marc SCHAEFER
Cc: freebsd-security@freebsd.org
Message-id: <4.1.20000127184450.0095b390@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
References: <4.1.20000127001817.00938470@mail.thegrid.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:08 PM 1/27/00 +0100, you wrote:
>On Thu, 27 Jan 2000, The Mad Scientist wrote:
>
>> > - no user which has an account hasn't a shell (he will be able
>> > to do the above, except the root@ IDENT, anyway, if he has a shell)
>>
>> This line is a little confusing to me. Do you mean every user with an
>> account has no shell? What do you mean by account? (pop?) And who is 'he'?
>
>If the user has a shell (e.g. bash, tcsh), he can connect to any host on
>the Internet anyway (unless some socket restrictions were set up, I don't
>know if this is available in FreeBSD). The only difference is that he
>won't be able to fake the IDENT.
>
>If he has /bin/false as shell (ie he hasn't a shell, but accessed POP
>and/or FTP), he can issue TCP connections appearing from the host unless
>DenyGroups or other security steps are taken.

Thanks.
So if I understand you correctly, if the user has no shell on the system,
they will only be able to fake their ident, yes?

-Dean


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
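The quoted point about `/bin/false` accounts and `DenyGroups` can be checked mechanically. The following is an added example, not code from this thread or from the FreeBSD or OpenSSH projects: it lists accounts with a no-login shell that no `DenyUsers`/`DenyGroups` pattern in `sshd_config` covers. The function names, the shell list and the sample data are hypothetical; it assumes 7-field `/etc/passwd` lines, handles only plain wildcard patterns (no `USER@HOST`, no `!` negation), and ignores `AllowUsers`/`AllowGroups`.

```python
from fnmatch import fnmatchcase

# Shells treated as "no shell" here (assumption; adjust per site).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_deny(sshd_config):
    """Collect DenyUsers/DenyGroups patterns; keywords are case-insensitive."""
    deny = {"denyusers": [], "denygroups": []}
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() in deny:
            deny[words[0].lower()].extend(words[1:])
    return deny

def groups_of(user, gid, group_text):
    """Names of the user's primary and supplementary groups."""
    names = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and (f[2] == gid or user in f[3].split(",")):
            names.add(f[0])
    return names

def unblocked_noshell_accounts(passwd_text, group_text, sshd_config):
    """No-shell accounts that no DenyUsers/DenyGroups pattern covers."""
    deny = parse_deny(sshd_config)
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[6] not in NOLOGIN_SHELLS:
            continue
        user, groups = f[0], groups_of(f[0], f[3], group_text)
        by_user = any(fnmatchcase(user, p) for p in deny["denyusers"])
        by_group = any(fnmatchcase(g, p)
                       for g in groups for p in deny["denygroups"])
        if not (by_user or by_group):
            found.append(user)
    return found

# Constructed sample data (not from the original thread).
PASSWD = ("alice:*:1001:1001::/home/alice:/bin/tcsh\n"
          "popbob:*:1002:2000::/home/popbob:/bin/false\n"
          "ftpcarol:*:1003:1003::/home/ftpcarol:/bin/false\n")
GROUP = "mailonly:*:2000:\nftpcarol:*:1003:\nftponly:*:2001:ftpcarol\n"
SSHD_CONFIG = "# constructed sample\nPort 22\nDenyGroups mailonly\n"

if __name__ == "__main__":
    print(unblocked_noshell_accounts(PASSWD, GROUP, SSHD_CONFIG))
```

With the sample data, `popbob` is covered through his primary group `mailonly`, while `ftpcarol` is reported because neither of her groups is denied.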