Date: Thu, 16 Nov 2000 22:51:10 -0800
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Trevor Johnson <trevor@jpj.net>
Cc: Will Mitayai Keeso Rowe <mit@mitayai.net>, security@FreeBSD.ORG
Subject: Re: Shell acces with not specified shell in /etc/shells (Re: problem using sysinstall)
Message-ID: <20001116225110.C9740@149.211.6.64.reflexcom.com>
In-Reply-To: <Pine.BSI.4.21.0011160446590.14801-100000@blues.jpj.net>; from trevor@jpj.net on Thu, Nov 16, 2000 at 04:57:37AM -0500
References: <NEBBIEGPMLMKDBMMICFNIEDLDIAA.mit@mitayai.net> <Pine.BSI.4.21.0011160446590.14801-100000@blues.jpj.net>

On Thu, Nov 16, 2000 at 04:57:37AM -0500, Trevor Johnson wrote:
> > does ssh check /etc/shells ?
>
> Users can run arbitrary commands with ssh, without a shell ever being
> invoked or (at least on my 4.1.1-RELEASE system) anything being
> logged.  Try this:
>
>     ssh localhost ls
>     last | head

Yes and no. A shell is invoked. There will be no login entry in
utmp(5) which is what last(1) reads.

  $ ssh localhost "sleep 30"

While that is running,

  $ ps jxa | grep -e sleep -e ssh
  root    243     1   243 b33640    0 Is    ??    0:45.10 /usr/sbin/sshd
  root  17824   243   243 b33640    0 I     ??    0:00.07 sshd: cjc@notty (sshd)
  cjc   17825 17824 17825 d63f80    0 Is    ??    0:00.02 tcsh -c sleep 30
  cjc   17826 17825 17825 d63f80    0 I     ??    0:00.00 sleep 30

And you just need to enable the logging (nothing in the default
syslog.conf will catch it). You can also change the logging in
sshd_config. I have,

  auth.info                                     /var/log/authlog

In syslog.conf. When I did the above,

  Nov 16 22:47:03 149 sshd[17824]: Accepted password for cjc from 127.0.0.1 port 946

Showed up in /var/log/authlog.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
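
Added example (not part of the original message or of FreeBSD): a small check that compares sshd "Accepted" lines in the authlog against saved last(1) output, to surface the tty-less command runs that leave no utmp record. The sample inputs are constructed, the function names are hypothetical, and the match assumes last(1) shows the same address that sshd logged.

```sh
#!/bin/sh
# Added example. Heuristic: an sshd "Accepted" line with no last(1) record for
# the same user@host suggests a command run without a tty (no utmp entry).
# Assumes the authlog line layout quoted in the message and that last(1)
# prints the same address sshd logged (no reverse DNS, no truncation).

# unlogged_ssh AUTHLOG LASTFILE -> prints "user@host count" per surplus login
unlogged_ssh() {
    awk '
        # First argument: saved last(1) output; count sessions per user@host.
        FILENAME == ARGV[1] { if (NF >= 3) seen[$1 "@" $3]++; next }
        # Second argument: authlog; count successful sshd authentications.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" {
            acc[$9 "@" $11]++
        }
        END {
            for (k in acc) {
                n = acc[k] - seen[k]
                if (n > 0) print k, n
            }
        }
    ' "$2" "$1" | sort
}

# make_samples DIR -> writes constructed sample inputs (hypothetical helper)
make_samples() {
    cat > "$1/authlog" <<'EOF'
Nov 16 22:40:11 149 sshd[17801]: Accepted password for cjc from 127.0.0.1 port 940
Nov 16 22:47:03 149 sshd[17824]: Accepted password for cjc from 127.0.0.1 port 946
Nov 16 22:49:30 149 sshd[17830]: Failed password for cjc from 192.0.2.7 port 951
Nov 16 22:50:02 149 sshd[17840]: Accepted password for alice from 192.0.2.7 port 952
EOF
    cat > "$1/last.txt" <<'EOF'
cjc      ttyp0    127.0.0.1        Thu Nov 16 22:40 - 22:45  (00:05)
alice    ttyp1    192.0.2.7        Thu Nov 16 22:50   still logged in
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
unlogged_ssh "$tmp/authlog" "$tmp/last.txt"   # prints: cjc@127.0.0.1 1
rm -rf "$tmp"
```

On a live system the second argument would be the output of `last` saved to a file, and the first would be the file that the `auth.info` line in syslog.conf writes to.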