From owner-freebsd-stable Mon Jul 13 22:13:43 1998
Date: Mon, 13 Jul 1998 23:13:03 -0600 (MDT)
Message-Id: <199807140513.XAA13051@obie.softweyr.com>
Subject: Re: Finger and getpwent
From: Wes Peters
To: paulo@nlink.com.br, jer@jorsm.com
Cc: tom@uniserve.com, freebsd-stable@FreeBSD.ORG
Reply-To: Wes Peters

My hidden microphone recorded Jeremy Shaffner (jer@jorsm.com) saying:

% On Fri, 10 Jul 1998, Paulo Fragoso wrote:
%
% >
% > But I'm using vipw to edit these files. I would like to leave comments in
% > /etc/master.passwd and /etc/passwd.
% >
% > In /etc/master.passwd edited with vipw:
% >
% > user1:(password):...
% > user2:(password):...
% > #user3:(password):...    > this users stopped logins temporarily
% > user4:(password):...
% >
%
% Bad form. Instead place an asterisk '*' in front of their password:
%
% user3:*Ka1Jbl2sowmOls:....

This is correct. In the example above, all you have done is change the
name of 'user3' to '#user3', which isn't very secure.

A better way to stop all interactive logins is to change their shell to
/sbin/nologin, which will not allow them to login interactively.

A *somewhat* better solution is to use my nologin program, which logs
attempts to login to disabled accounts via syslog. You can retrieve both
from

    ftp://ftp.xmission.com/pub/users/s/softweyr/pub/

You'll want nologin.c and nologin.8. Compile nologin.c, put it in
/usr/sbin, and use it as the login shell for accounts you want disabled.
When someone attempts to login to your newly disabled account, you'll get
a message like:

    Jul 13 23:11:32 obie nologin: sam on /dev/ttyp1

in your system log. You can add code to log watchers like daily and weekly
to watch for break-in attempts on disabled accounts if you're feeling
really secure.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters  Softweyr LLC
http://www.softweyr.com/~softweyr  wes@softweyr.com
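
The message suggests adding code to log watchers such as daily and weekly to watch for attempts on disabled accounts. The script below is an added example, not part of the original message and not the author's nologin program; it assumes the log line format quoted above, and the function names, the optional "[pid]" tag suffix and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: report login attempts against disabled accounts, using the
# line format quoted in the message: "<date> <host> nologin: <user> on <tty>".

# nologin_report [file...]: reads syslog lines (stdin if no file) and prints
# one tab-separated line per account: count, user, first seen, last seen, ttys.
nologin_report() {
    awk '
    # Match the program tag in field 5 only, so another program whose message
    # text merely contains "nologin:" is not counted. The "[pid]" suffix is
    # an assumption about other syslog configurations.
    $5 ~ /^nologin(\[[0-9]+\])?:$/ && NF == 8 && $7 == "on" {
        user = $6; tty = $8; stamp = $1 " " $2 " " $3
        if (!(user in count)) first[user] = stamp
        count[user]++
        last[user] = stamp
        # Record each tty once per account.
        if (index("," ttys[user] ",", "," tty ",") == 0)
            ttys[user] = (ttys[user] == "" ? tty : ttys[user] "," tty)
    }
    END {
        for (u in count)
            printf "%d\t%s\t%s\t%s\t%s\n", count[u], u, first[u], last[u], ttys[u]
    }' "$@" | sort -rn
}

# nologin_repeats N [file...]: names of accounts tried at least N times.
nologin_repeats() {
    min=$1; shift
    nologin_report "$@" | awk -F '\t' -v min="$min" '$1 >= min { print $2 }'
}

# Constructed sample log; only the first line is taken from the message.
sample_log() {
    cat <<'EOF'
Jul 13 23:11:32 obie nologin: sam on /dev/ttyp1
Jul 13 23:11:40 obie cron[212]: (constructed unrelated line)
Jul 13 23:12:05 obie nologin: sam on /dev/ttyp1
Jul 13 23:15:47 obie nologin: guest on /dev/ttyp3
Jul 14 02:01:10 obie nologin[4411]: sam on /dev/ttyp2
Jul 14 02:03:00 obie ftpd[77]: nologin: fake on /dev/ttyp9
EOF
}

# Print the report for the sample log, busiest account first.
sample_log | nologin_report
```

In a daily or weekly script, the same functions can be pointed at the system log file instead of the sample, for example `nologin_repeats 3 /var/log/messages` (the path is an assumption; use wherever syslog writes on your system).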