Date:      Tue, 18 Jun 2002 18:33:43 -0700
From:      Lawrence Sica <lomifeh@earthlink.net>
To:        Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
Cc:        Alex Michlin <alex@delete.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Disable Login
Message-ID:  <3D0FDF77.8020703@earthlink.net>
References:  <20020618175353.F68133-100000@localhost>


Fernando Gleiser wrote:
> On Tue, 18 Jun 2002, Alex Michlin wrote:
> 
> 
>>I remember seeing a FreeBSD advisory on a bug in login.  Now, for the
>>real story... What is behind this is: I just downloaded the latest Saint
>>version and ran it against a server.  It said their login was vulnerable.
>>I'm not sure how it knows if there is a bug or just information (but it is
>>listed under the critical section).
> 
> 
> saint checks whether the login *service* (512/tcp, a.k.a rlogin) is running,
> it doesn't check for vulnerabilities in the login *program* (/usr/bin/login)
> 
> rlogin is insecure because it sends everything in cleartext and may be
> vulnerable to ip spoofing if you use .rhosts for authentication.
> Just comment it out in inetd.conf and use ssh instead.
> 
> 
> 			Fer
> 
> 
>>Thanks again,
>>
>>Alex
>>
>>On Tue, 18 Jun 2002, Eric F Crist wrote:
>>
>>
>>>What kind of a bug in login are you seeing?  If you completely disable
>>>the login utility, you would not be able to logon locally, which could
>>>make an upgrade difficult.  If you simply want to disable logon for
>>>specific users, simply set their shell to /etc/nologin or some other
>>>non-existent file/shell.
>>>
>>>HTH
>>>
>>>Eric F Crist
>>>President/Sys Admin
>>>AdTech Integrated Systems, Inc
>>>http://www.adtechintegrated.com
>>>
>>>
>>>-----Original Message-----
>>>From: owner-freebsd-security@FreeBSD.ORG
>>>[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex Michlin
>>>Sent: Tuesday, June 18, 2002 2:23 PM
>>>To: freebsd-security@FreeBSD.ORG
>>>Subject: Disable Login
>>>
>>>I have a FreeBSD 4.2 server with a bug in login.  I cannot reboot the
>>>server to upgrade the os (make world...).  As a temporary fix, can I
>>>chmod
>>>000 logon or possibly even remove it completely?  Should everything
>>>function correctly? (OpenSSH mainly)?
>>>

You can disable Login being used by ssh: edit the /etc/ssh/sshd_config
file; UseLogin must be set to no.


--Larry
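
Added example, not part of the original message or thread: a POSIX shell check for the two settings recommended above (the rlogin entry in inetd.conf and UseLogin in sshd_config). It generalizes the inetd.conf check to the related `shell` and `exec` entries; the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file contents written by make_samples are constructed.

# List enabled r-services in an inetd.conf-style file. A commented-out entry
# has "#login" or "#" as its first field, so it never matches.
enabled_rservices() {
    awk '$1 == "login" || $1 == "shell" || $1 == "exec" { print $1 "/" $3 }' "$1"
}

# Effective UseLogin value: sshd uses the first occurrence of a keyword,
# keywords are case-insensitive, and an unset UseLogin defaults to "no".
uselogin_effective() {
    awk 'tolower($1) == "uselogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

audit() {  # $1 = inetd.conf path, $2 = sshd_config path
    rc=0
    svcs=$(enabled_rservices "$1" | tr '\n' ' ')
    if [ -n "$svcs" ]; then echo "FAIL $1: enabled r-services: $svcs"; rc=1; fi
    if [ "$(uselogin_effective "$2")" != "no" ]; then
        echo "FAIL $2: UseLogin is not no, sshd hands sessions to login(1)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK $1 $2"; fi
    return "$rc"
}

make_samples() {  # writes constructed sample files into directory $1
    cat > "$1/inetd.weak" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF
    sed 's/^login/#login/' "$1/inetd.weak" > "$1/inetd.fixed"
    # The commented line is ignored; the first live keyword ("uselogin yes") wins.
    printf '%s\n' 'Port 22' '#UseLogin no' 'uselogin yes' 'UseLogin no' > "$1/sshd.weak"
    printf '%s\n' 'Port 22' 'UseLogin no' > "$1/sshd.fixed"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit "$tmp/inetd.weak" "$tmp/sshd.weak" || true
audit "$tmp/inetd.fixed" "$tmp/sshd.fixed" || true
rm -rf "$tmp"
```

On a live host, call `audit /etc/inetd.conf /etc/ssh/sshd_config`. OpenSSH 7.4 and later removed the UseLogin option, so on those versions the keyword will not appear in a valid configuration.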

