From owner-freebsd-questions Wed Oct 24 23:52:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from indigo.quadrant.net (indigo.quadrant.net [207.195.92.9]) by hub.freebsd.org (Postfix) with ESMTP id E7FCF37B403 for ; Wed, 24 Oct 2001 23:52:50 -0700 (PDT)
Received: from git2000 (h24-71-180-125.ss.shawcable.net [24.71.180.125]) by indigo.quadrant.net (8.9.1/8.9.1) with SMTP id AAA08195; Thu, 25 Oct 2001 00:52:44 -0600 (CST)
From: "Scott Gerhardt"
To: "Edwin Groothuis"
Cc: "FreeBSD"
Subject: RE: Which way is better to deny shell access
Date: Thu, 25 Oct 2001 01:03:34 -0600
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20011025123858.I552@k7.mavetju.org>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

This may be a better solution:

Put the following in your /etc/access.login file

-:ALL EXCEPT wheel:ALL

This will prevent everyone except wheel from logging in. Add other users or groups you want to allow login access after "wheel", separated by spaces.

Putting nonexistent or nologin for shell in /etc/passwd doesn't hurt either. You may need a valid shell for ftp users though. Just add them to /etc/shells.

While I'm on the topic of restricting access, it is a good idea to group users, i.e. put all the POP3 users in a group (e.g. pop3client). Then, for example, you can easily deny ftp access to all POP3 users by adding @pop3client to /etc/ftpusers.

It is late at night and my eyes are dreary, so if I have made any mistakes here please correct them. I would hate to give out incorrect security information.

Regards,

_________________________________
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies
_________________________________

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Edwin
> Groothuis
> Sent: October 24, 2001 8:39 PM
> To: BSD Freak
> Cc: FreeBSD Questions
> Subject: Re: Which way is better to deny shell access
>
>
> On Thu, Oct 25, 2001 at 12:20:16PM +1000, BSD Freak wrote:
> > Just wondering.... we have a whole heap of pop3 users... we deny them
> > shell access by assigning their shell as /sbin/nologin (the same shell
> > as many of the system accounts)... however I noticed if I use the
> > adduser utility to create a user with no shell, it assigns /nonexistent
> > as their shell...... Which is better?
>
> /sbin/nologin tells the user that there isn't a valid shell,
> after logging in.
> /nonexistent will prevent logging in because the shell doesn't exist.
>
> I think the second is better because it will not tell the user
> (intruder, password guesser) that the password was correct.
>
> Edwin
>
> --
> Edwin Groothuis | Personal website: http://www.MavEtJu.org
> edwin@mavetju.org | Interested in MUDs? Visit Fatal Dimensions:
> ------------------+ http://www.FatalDimensions.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
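As an added example (not code from the thread, and not FreeBSD's own login_access() or ftpd implementation), the following Python models the two access lists Scott's message describes: "permission:users:origins" rules in login.access(5) syntax (the file FreeBSD actually reads is /etc/login.access) and "@group" entries in an ftpusers(5)-style list. The group database and account names are constructed; the model shows that "-:ALL EXCEPT wheel:ALL" lets only wheel members log in, and that appending a second group after "wheel" extends the exception.

```python
"""Simplified model of the access lists Scott describes (added example,
not FreeBSD's login_access() or ftpd code): "permission:users:origins"
lines in login.access(5) syntax, and "@group" entries in ftpusers(5)."""

# Constructed sample group database; the account names are not from the post.
GROUPS = {"wheel": {"scott"}, "pop3client": {"alice", "bob"}}


def _user_matches(item, user):
    """ALL, the bare username, or a group the user belongs to all match."""
    return item == "ALL" or item == user or user in GROUPS.get(item, set())


def _origin_matches(item, origin):
    """Only ALL and an exact tty/host name are modelled here."""
    return item == "ALL" or item == origin


def _field_matches(field, value, match):
    """'a b EXCEPT c d': match the left-hand list, then subtract the right."""
    head, _, excepted = field.partition(" EXCEPT ")
    hit = any(match(i, value) for i in head.split())
    if hit and excepted:
        hit = not any(match(i, value) for i in excepted.split())
    return hit


def login_permitted(rules, user, origin="ttyv0"):
    """First matching rule decides; with no match, login.access allows the login."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_field_matches(users, user, _user_matches)
                and _field_matches(origins, origin, _origin_matches)):
            return perm == "+"
    return True


def ftp_denied(ftpusers, user):
    """A line naming the user, or '@group' for a group they are in, denies ftp."""
    for entry in (ln.strip() for ln in ftpusers.splitlines()):
        if not entry or entry.startswith("#"):
            continue
        if entry == user or (entry.startswith("@") and user in GROUPS.get(entry[1:], set())):
            return True
    return False
```

Note that a login.access rule that matches nobody (here: a wheel member under "-:ALL EXCEPT wheel:ALL") falls through to the default allow, which is why the deny-all-except pattern works without a trailing "+" rule.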