Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 13 Jul 1998 23:13:03 -0600 (MDT)
From:      Wes Peters <wes@softweyr.com>
To:        paulo@nlink.com.br, jer@jorsm.com
Cc:        tom@uniserve.com, freebsd-stable@FreeBSD.ORG
Subject:   Re: Finger and getpwent
Message-ID:  <199807140513.XAA13051@obie.softweyr.com>
In-Reply-To: <Pine.BSF.3.95q.980713142013.8764B-100000@mercury.jorsm.com>
References:  <Pine.BSF.3.95q.980713142013.8764B-100000@mercury.jorsm.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

My hidden microphone recorded Jeremy Shaffner (jer@jorsm.com) saying:

% On Fri, 10 Jul 1998, Paulo Fragoso wrote:
% 
% > 
% > But I'm using vipw to edit this files. I would like to leave coments in
% > /etc/master.passwd and /etc/passwd.
% > 
% > In /etc/master.passwd edited with vipw:
% > 
% > user1:(password):...
% > user2:(password):...
% > #user3:(password):...	> this users stopped logins temporarily
% > user4:(password):...
% > 
% 
% Bad form.  Instead place an asterisk '*' in front of their password:
% 
% user3:*Ka1Jbl2sowmOls:....

This is correct.  In the example above, all you have done is change
the name of 'user3' to '#user3', which isn't very secure.  A better
to stop all interactive logins is to change their shell to /sbin/nologin,
which will not allow them to login interactively.

A *somewhat* better solution is to use my nologin program, which logs
attempts to login to disabled accounts via syslog.  You can retrieve
both from

     ftp://ftp.xmission.com/pub/users/s/softweyr/pub/

You'll want nologin.c and nologin.8.  Compile nologin.c, put it in
/usr/sbin, and use it as the login shell for accounts you want disabled.
When someone attempts to login to your newly disabled account, you'll
get a message like:

     Jul 13 23:11:32 obie nologin: sam on /dev/ttyp1

in your system log.  You can add code to log watchers like daily and
weekly to watch for breakin attempts on disabled accounts if you're
feeling really secure.

--
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com           




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807140513.XAA13051>