From owner-freebsd-security Sun Jan 16 9:59:26 2000
Date: Sun, 16 Jan 2000 12:56:38 -0500 (EST)
From: Omachonu Ogali
To: cjclark@home.com
Cc: Dan Harnett, Nicholas Brawn, freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
In-Reply-To: <200001152233.RAA53004@cc942873-a.ewndsr1.nj.home.com>

Once again...make the login shell nonexistent, so if an attacker manages
to get the password to that account they get no visual notice that they
have the correct password for that account.

Omachonu Ogali
Intranova Networking Group

On Sat, 15 Jan 2000, Crist J. Clark wrote:

> Dan Harnett wrote,
> > Hello,
> >
> > You could also set this particular user's shell to /sbin/nologin and make the
> > others use the -m option to su.
>
> But if you do this, remember,
>
>      -m      Leave the environment unmodified.  The invoked shell is your lo-
>              gin shell, and no directory changes are made.  As a security pre-
>              caution, if the target user's shell is a non-standard shell (as
>              defined by getusershell(3)) and the caller's real uid is non-ze-
>              ro, su will fail.
>
> You have to add '/sbin/nologin' to /etc/shells.
> --
> Crist J. Clark                           cjclark@home.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
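
The /etc/shells requirement quoted in this thread, as an added example that is not part of any poster's message: a small audit that predicts whether the shell check in `su -m` would refuse a non-root caller for a given target account. It assumes 7-field passwd(5) input and a simplified model of getusershell(3); the function names, accounts and file contents are constructed for illustration, and it models only the shell check, not su's other requirements.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# Print USER's login shell from a passwd(5)-format file (7 colon fields).
# An empty shell field means /bin/sh; an unknown user prints nothing.
shell_of() {
    awk -F: -v u="$1" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$2"
}

# Succeed if SHELL is listed in a shells(5)-format file. Simplified model of
# getusershell(3): strip '#' comments and surrounding blanks, exact match.
listed_in_shells() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$2" |
        grep -Fxq -- "$1"
}

# Predict the shell check quoted above for `su -m USER` run by a non-root
# caller: "allowed", "refused" (shell not listed) or "unknown" (no account).
su_m_verdict() {
    target_shell=$(shell_of "$1" "$2")
    if [ -z "$target_shell" ]; then
        echo unknown
    elif listed_in_shells "$target_shell" "$3"; then
        echo allowed
    else
        echo refused
    fi
}

# Constructed sample data in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
svc:*:1001:1001:role account:/home/svc:/sbin/nologin
ghost:*:1002:1002:shell missing on disk:/home/ghost:/nonexistent
plain:*:1003:1003:empty shell field:/home/plain:
EOF
printf '%s\n' '# acceptable shells' /bin/sh /bin/csh > "$demo/shells.before"
{ cat "$demo/shells.before"; echo '/sbin/nologin  # added per the thread'; } \
    > "$demo/shells.after"

# Show each account's verdict before and after /sbin/nologin is listed.
for user in svc ghost plain nobody-here; do
    printf '%-12s before=%-8s after=%s\n' "$user" \
        "$(su_m_verdict "$user" "$demo/passwd" "$demo/shells.before")" \
        "$(su_m_verdict "$user" "$demo/passwd" "$demo/shells.after")"
done
```

An account whose shell is a nonexistent path stays "refused" in both runs, so the two suggestions in the thread cannot be combined unless that path is also listed in /etc/shells.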