From owner-freebsd-security Mon May 25 08:35:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA06157 for freebsd-security-outgoing; Mon, 25 May 1998 08:35:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA06139 for ; Mon, 25 May 1998 08:35:41 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id LAA19320 for ; Mon, 25 May 1998 11:35:26 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id LAA26747 for ; Mon, 25 May 1998 11:35:37 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id LAA05810; Mon, 25 May 1998 11:35:37 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Mon, 25 May 1998 11:35:37 -0400 (EDT)
Message-Id: <199805251535.LAA05810@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: Matthew N. Dodd's message of "Fri, May 22, 1998 12:35:15 -0400" regarding "Re: SKey and locked account " id
References:
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: woods@zeus.leitch.com (Greg A. Woods)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Fri, May 22, 1998 at 12:35:15 (-0400), Matthew N. Dodd wrote: ]
> Subject: Re: SKey and locked account
>
> On Fri, 22 May 1998, Snob Art Genre wrote:
> > How? I don't like this: isn't it standard practice across unixes to set
> > a nonexistent shell to disable logins? POLA etc.
>
> I remember getting around this by ftp'ing a .forward file containing nice
> things to reset my shell. Of course, this assumes that ftp is setup as to
> allow logins for users with 'invalid' shells.

Usually that's an accident (i.e. allowing ftp for users with "invalid"
shells), sometimes based on a nasty but all too common misunderstanding
about /etc/shells.

Naturally /sbin/nologin should *never* be included in /etc/shells. If
someone thinks they want it there then they really need to think of some
other way to allow users to disable their accounts on their own! ;-)

Unfortunately the shells(5) manual page doesn't mention this quirk
related to ftpd [I'll file a PR if I remember when I have a spare
moment].

Of course if you really want to disable a user's account then you should
set their shell to /sbin/nologin, *AND* disable their password, either by
adding some string such as "*NOLOGIN*" to the beginning of the field (in
order to invalidate their current password but leave it intact), or
simply replace the entire field contents with an invalid encrypted
string, such as "*".

Note too that SSH at one time did not correctly implement password field
handling for invalid encrypted strings (and may still not do so) and in
addition it (until the most recent release) revealed the existence of an
account by giving a different response to an incorrect password. I've
still not had time to examine the code to see that this was fixed on the
server side either -- if not then a malicious client could still be used
to probe for valid accounts.

--
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
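The two checks Greg's post implies, written up here as an added audit script that is not part of the original message: (1) /sbin/nologin must not appear in /etc/shells, and (2) any account whose shell has been set to a non-listed shell or to /sbin/nologin should also have its password field invalidated with a leading "*" (either the bare "*" or a "*NOLOGIN*..." prefix), otherwise only half of the disabling procedure was done. The passwd/master.passwd and shells files below are constructed sample data with fake hashes; on a real host you would point the functions at /etc/master.passwd and /etc/shells instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit "disabled" accounts.
# Both helpers take explicit file paths so they can be run against real
# system files; the sample files created here are constructed test data.

# Constructed master.passwd-style records (fake hashes, no real accounts).
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:0:0:Charlie &:/root:/bin/csh
alice:$1$cccccccc$dddddddddddddddddddddd:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$eeeeeeee$ffffffffffffffffffffff:1002:1002:Bob:/home/bob:/sbin/nologin
carol:*NOLOGIN*$1$gggggggg$hhhhhhhhhhhhhhhhhhhhhh:1003:1003:Carol:/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/sbin/nologin
EOF

# Constructed /etc/shells done right: interactive shells only.
SAMPLE_SHELLS=$(mktemp)
cat >"$SAMPLE_SHELLS" <<'EOF'
# valid login shells
/bin/sh
/bin/csh
EOF

# Constructed /etc/shells with the misconfiguration the post warns about.
SAMPLE_BAD_SHELLS=$(mktemp)
cat >"$SAMPLE_BAD_SHELLS" <<'EOF'
/bin/sh
/bin/csh
/sbin/nologin
EOF

trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$SAMPLE_BAD_SHELLS"' EXIT

# Check 1: succeeds (exit 0) when /sbin/nologin is listed in the shells file.
nologin_listed() {
    grep -qx '/sbin/nologin' "$1"
}

# Check 2: print every account whose shell is "disabling" (not in the
# shells file, or /sbin/nologin regardless) but whose password field is
# still a usable hash, i.e. does not begin with "*".
half_disabled() {
    passwd_file=$1
    shells_file=$2
    awk -F: -v shells_file="$shells_file" '
        BEGIN {
            # Load valid shells, skipping blank and comment lines.
            while ((getline line < shells_file) > 0) {
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                valid[line] = 1
            }
            close(shells_file)
        }
        {
            shell = $NF                        # shell is the last field in passwd(5) and master.passwd(5)
            disabling = !(shell in valid) || shell == "/sbin/nologin"
            locked = ($2 ~ /^\*/)              # "*" or "*NOLOGIN*..." invalidates the hash
            if (disabling && !locked) print $1
        }' "$passwd_file"
}

# Stand-alone run over the constructed data.
if nologin_listed "$SAMPLE_BAD_SHELLS"; then
    echo "WARNING: /sbin/nologin is listed in $SAMPLE_BAD_SHELLS"
fi
echo "Accounts with a disabling shell but a still-usable password:"
half_disabled "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

With the sample data only `bob` is reported: his shell is /sbin/nologin but his hash is intact, which is exactly the state that a service consulting only the shell (or a misconfigured ftpd) would let through. `carol` and `dave` pass because their password fields were invalidated the way the post recommends.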