From owner-freebsd-security Tue Jun 18 14:11:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 16C5D37B407 for ; Tue, 18 Jun 2002 14:11:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by cactus.fi.uba.ar (8.11.6/8.11.6) with ESMTP id g5IL8rQ69019; Tue, 18 Jun 2002 18:09:00 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Tue, 18 Jun 2002 18:08:53 -0300 (ART)
From: Fernando Gleiser
To: Alex Michlin
Subject: RE: Disable Login
Message-ID: <20020618175353.F68133-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 18 Jun 2002, Alex Michlin wrote:

> I remember seeing a FreeBSD advisory on a bug in login. Now, for the
> real story... What is behind this is: I just downloaded the latest Saint
> version and ran it against a server. It said their login was vulnerable.
> I'm not sure how it knows if there is a bug or just information (but it is
> listed under the critical section).

saint checks whether the login *service* (512/tcp, a.k.a rlogin) is running,
it doesn't check for vulnerabilities in the login *program* (/usr/bin/login)

rlogin is insecure because it sends everything in cleartext and may be
vulnerable to ip spoofing if you use .rhosts for authentication. Just
comment it out in inetd.conf and use ssh instead.

		Fer

>
> Thanks again,
>
> Alex
>
> On Tue, 18 Jun 2002, Eric F Crist wrote:
>
> > What kind of a bug in login are you seeing? If you completely disable
> > the login utility, you would not be able to logon locally, which could
> > make an upgrade difficult. If you simply want to disable logon for
> > specific users, simply set their shell to /etc/nologin or some other
> > non-existent file/shell.
> >
> > HTH
> >
> > Eric F Crist
> > President/Sys Admin
> > AdTech Integrated Systems, Inc
> > http://www.adtechintegrated.com
> >
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex Michlin
> > Sent: Tuesday, June 18, 2002 2:23 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: Disable Login
> >
> > I have a FreeBSD 4.2 server with a bug in login. I cannot reboot the
> > server to upgrade the os (make world...). As a temporary fix, can I
> > chmod 000 logon or possibly even remove it completely? Should everything
> > function correctly? (OpenSSH mainly)?
> >
> > TIA,
> >
> > Alex
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
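An added example, not part of the thread above, showing the check Fernando describes: which r-services (login/shell/exec) are still enabled in inetd.conf, and what commenting the login entry out looks like. The inetd.conf fragment is constructed for the demo; inetd only re-reads the file after a SIGHUP, so editing the real file is not enough on its own.

```shell
#!/bin/sh
# Constructed sample of an /etc/inetd.conf fragment (not from the thread).
# The uncommented "login" line is the rlogin service a scanner reports as
# a vulnerable "login"; the "login" program (/usr/bin/login) is not involved.
SAMPLE_INETD_CONF='#
# $FreeBSD$
ftp     stream  tcp  nowait  root     /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root     /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root     /usr/libexec/rshd     rshd
login   stream  tcp  nowait  root     /usr/libexec/rlogind  rlogind
#exec   stream  tcp  nowait  root     /usr/libexec/rexecd   rexecd
comsat  dgram   udp  wait    tty:tty  /usr/libexec/comsat   comsat
'

# Print the service names of the enabled r-service entries (login, shell,
# exec) in the inetd.conf text read from stdin. Commented lines are skipped.
enabled_r_services() {
    awk '!/^[ \t]*#/ && $1 ~ /^(login|shell|exec)$/ { print $1 }'
}

# Comment out every enabled entry for one service name; every other line
# passes through unchanged. Reads inetd.conf on stdin, writes to stdout.
disable_inetd_service() {
    svc="$1"
    awk -v svc="$svc" '!/^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }'
}

# Demo run: list what is exposed, then show the file with rlogin disabled.
# On a live system this would be followed by: killall -HUP inetd
if [ "${1:-}" = "--demo" ]; then
    echo "Enabled r-services:"
    printf '%s' "$SAMPLE_INETD_CONF" | enabled_r_services
    echo "inetd.conf after disabling login:"
    printf '%s' "$SAMPLE_INETD_CONF" | disable_inetd_service login
fi
```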