From owner-freebsd-security Thu Nov 16 22:52:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
    by hub.freebsd.org (Postfix) with ESMTP id 443B137B4C5
    for ; Thu, 16 Nov 2000 22:52:34 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
    by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
    Thu, 16 Nov 2000 22:50:59 -0800
Received: (from cjc@localhost)
    by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAH6pKx17890;
    Thu, 16 Nov 2000 22:51:20 -0800 (PST) (envelope-from cjc)
Date: Thu, 16 Nov 2000 22:51:10 -0800
From: "Crist J . Clark"
To: Trevor Johnson
Cc: Will Mitayai Keeso Rowe , security@FreeBSD.ORG
Subject: Re: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall)
Message-ID: <20001116225110.C9740@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from trevor@jpj.net on Thu, Nov 16, 2000 at 04:57:37AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 16, 2000 at 04:57:37AM -0500, Trevor Johnson wrote:
> > does ssh check /etc/shells ?
>
> Users can run arbitrary commands with ssh, without a shell ever being
> invoked or (at least on my 4.1.1-RELEASE system) anything being
> logged. Try this:
>
>     ssh localhost ls
>     last | head

Yes and no. A shell is invoked. There will be no login entry in
utmp(5) which is what last(1) reads.

  $ ssh localhost "sleep 30"

While that is running,

  $ ps jxa | grep -e sleep -e ssh
  root    243     1   243 b33640  0 Is  ??  0:45.10 /usr/sbin/sshd
  root  17824   243   243 b33640  0 I   ??  0:00.07 sshd: cjc@notty (sshd)
  cjc   17825 17824 17825 d63f80  0 Is  ??  0:00.02 tcsh -c sleep 30
  cjc   17826 17825 17825 d63f80  0 I   ??  0:00.00 sleep 30

And you just need to enable the logging (nothing in the default
syslog.conf will catch it). You can also change the logging in
sshd_config. I have,

  auth.info                                       /var/log/authlog

In syslog.conf. When I did the above,

  Nov 16 22:47:03 149 sshd[17824]: Accepted password for cjc from 127.0.0.1 port 946

Showed up in /var/log/authlog.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
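
Added example, not part of the original message: once auth.info is logged as described above, the sshd "Accepted" lines can be compared against last(1) output to list authenticated sessions that left no login record. The function name, the sample lines, the caller-supplied year and the 60-second slack are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post), in the formats it shows.
AUTHLOG = """\
Nov 16 22:40:12 149 sshd[17702]: Accepted password for cjc from 127.0.0.1 port 940
Nov 16 22:47:03 149 sshd[17824]: Accepted password for cjc from 127.0.0.1 port 946
Nov 16 22:49:30 149 sshd[17901]: Failed password for root from 127.0.0.1 port 950
"""
LAST = """\
cjc        ttyp1    localhost        Thu Nov 16 22:40 - 22:45  (00:05)
cjc        ttyv0                     Thu Nov 16 09:02   still logged in
"""

ACCEPTED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(\d+)\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+")
LOGIN = re.compile(
    r"^(\S+)\s+(\S+)\s+.*?\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(\w{3}\s+\d{1,2} \d{2}:\d{2})")

def _ts(text, year, fmt):
    # Neither syslog nor last(1) prints the year, so the caller supplies it.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y " + fmt)

def sessions_without_login_record(authlog, last_out, year, slack=60):
    """Return accepted sshd logins that have no last(1) entry for that user."""
    logins = [(m.group(1), _ts(m.group(3), year, "%b %d %H:%M"))
              for m in map(LOGIN.match, last_out.splitlines()) if m]
    unmatched = []
    for m in map(ACCEPTED.match, authlog.splitlines()):
        if not m:
            continue  # failed attempts and non-sshd lines are out of scope here
        when, user = _ts(m.group(1), year, "%b %d %H:%M:%S"), m.group(4)
        # last(1) shows minutes only: a login shown as L happened in [L, L+60s).
        lo, hi = when - timedelta(seconds=60), when + timedelta(seconds=slack)
        if not any(u == user and lo < t <= hi for u, t in logins):
            unmatched.append({"time": when, "user": user, "method": m.group(3),
                              "source": m.group(5), "sshd_pid": int(m.group(2))})
    return unmatched

if __name__ == "__main__":
    for s in sessions_without_login_record(AUTHLOG, LAST, year=2000):
        print(f"{s['time']} {s['user']} from {s['source']} "
              f"(sshd[{s['sshd_pid']}], {s['method']}): no utmp/wtmp record")
```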