From: Lawrence Sica
Date: Tue, 18 Jun 2002 18:33:43 -0700
To: Fernando Gleiser
Cc: Alex Michlin, freebsd-security@FreeBSD.ORG
Subject: Re: Disable Login
Message-ID: <3D0FDF77.8020703@earthlink.net>
References: <20020618175353.F68133-100000@localhost>

Fernando Gleiser wrote:
> On Tue, 18 Jun 2002, Alex Michlin wrote:
>
>>I remember seeing a FreeBSD advisory on a bug in login.  Now, for the
>>real story...  What is behind this is: I just downloaded the latest Saint
>>version and ran it against a server.  It said there login was vulnerable.
>>I'm not sure how it knows if there is a bug or just information (but it is
>>listed under the critical section).
>
> saint checks whether the login *service* (512/tcp, a.k.a rlogin) is running,
> it doesn't check for vulnerabilities in the login *program* (/usr/bin/login)
>
> rlogin is insecure because it sends everything in cleartext and may be
> vulnerable to ip spoofing if you use .rhosts for authentication.
> Just comment it out in inetd.conf and use ssh instead.
>
> Fer
>
>>Thanks again,
>>
>>Alex
>>
>>On Tue, 18 Jun 2002, Eric F Crist wrote:
>>
>>>What kind of a bug in login are you seeing?  If you completely disable
>>>the login utility, you would not be able to logon locally, which could
>>>make an upgrade difficult.  If you simply want to disable logon for
>>>specific users, simply set their shell to /etc/nologin or some other
>>>non-existent file/shell.
>>>
>>>HTH
>>>
>>>Eric F Crist
>>>President/Sys Admin
>>>AdTech Integrated Systems, Inc
>>>http://www.adtechintegrated.com
>>>
>>>-----Original Message-----
>>>From: owner-freebsd-security@FreeBSD.ORG
>>>[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex Michlin
>>>Sent: Tuesday, June 18, 2002 2:23 PM
>>>To: freebsd-security@FreeBSD.ORG
>>>Subject: Disable Login
>>>
>>>I have a FreeBSD 4.2 server with a bug in login.  I cannot reboot the
>>>server to upgrade the os (make world...).  As a temporary fix, can I
>>>chmod 000 logon or possibly even remove it completely?  Should everything
>>>function correctly? (OpenSSH mainly)?
>>>

You can disable Login being used by ssh...edit the /etc/ssh/sshd_config
file; UseLogin must be set to no.

--Larry
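
A check for the two settings this thread recommends (the `login` entry in inetd.conf commented out, `UseLogin no` in sshd_config), as an added example that is not part of the original messages. The function names and the sample file contents are constructed for illustration, and only whitespace-separated `Keyword value` lines are handled.

```shell
#!/bin/sh
# Added example; the config file contents below are constructed samples.

# Exit 0 if inetd.conf has an active (uncommented) "login" (rlogin) entry.
inetd_rlogin_enabled() {
    awk '/^[ \t]*#/    { next }
         $1 == "login" { found = 1 }
         END           { exit (found ? 0 : 1) }' "$1"
}

# Print the effective UseLogin value: sshd honours the first occurrence of a
# keyword, keywords are case-insensitive, and UseLogin defaults to "no".
sshd_uselogin_value() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "uselogin" { print $2; seen = 1; exit }
         END { if (!seen) print "no" }' "$1"
}

# audit INETD_CONF SSHD_CONFIG: print findings, return how many there were.
audit() {
    findings=0
    if inetd_rlogin_enabled "$1"; then
        echo "FINDING: rlogin service enabled in $1 (comment out the login line)"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_uselogin_value "$2")" = "yes" ]; then
        echo "FINDING: UseLogin yes in $2 (set UseLogin no)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs: a weak pair and the corrected pair.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/inetd.weak" <<'EOF'
#shell stream tcp nowait root /usr/libexec/rshd    rshd
login  stream tcp nowait root /usr/libexec/rlogind rlogind
EOF
sed 's/^login/#login/' "$demo/inetd.weak" > "$demo/inetd.fixed"
printf '%s\n' '#UseLogin no' 'uselogin yes' 'UseLogin no' > "$demo/sshd.weak"
printf '%s\n' 'Port 22' 'UseLogin no' > "$demo/sshd.fixed"

audit "$demo/inetd.weak"  "$demo/sshd.weak"  || echo "weak config: $? finding(s)"
audit "$demo/inetd.fixed" "$demo/sshd.fixed" && echo "fixed config: clean"
```

On a host, run `audit /etc/inetd.conf /etc/ssh/sshd_config`. OpenSSH 7.4 and later removed the UseLogin option altogether, so the second check only matters on older sshd versions.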