From owner-freebsd-security  Wed Mar 13 11:31:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240])
	by hub.freebsd.org (Postfix) with ESMTP id 42F2237B400
	for <security@FreeBSD.ORG>; Wed, 13 Mar 2002 11:31:09 -0800 (PST)
Received: (qmail 25934 invoked by uid 1000); 13 Mar 2002 19:31:03 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 13 Mar 2002 19:31:03 -0000
Date: Wed, 13 Mar 2002 11:30:59 -0800 (PST)
From: Jason Stone <jason-fbsd-security@shalott.net>
X-X-Sender:  <jason@walter>
To: <security@FreeBSD.ORG>
Subject: Re: sshd UseLogin option
In-Reply-To: <20020313190021.GB1761@frolic.no-support.loc>
Message-ID: <20020313112159.G9375-100000@walter>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > Could someone please explain to me why we don't use sshd's UseLogin
> > option by default?  I know that there was a security hole related to
> > that option recently, but that's not a real reason - security holes
> > can show up anywhere - so is there anything that makes UseLogin a
> > particularly bad idea?
>
> And additionally to that, why is the environment variable MAIL hardcoded
> to /var/mail/${logname} (or _PATH_MAILDIR/${logname}) in session.c
> although setusercontext() is used? Crap!

the CheckMail option in sshd is deprecated (I think that it actually
generates an error in 3.1, the current version) and should not be used
anymore.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8j6j3swXMWWtptckRAlaDAJ9roGP6R8x2oC0bJoDbCc4KRJMKNgCfXc6F
MMOFXKEYLWFK9figidjzWGU=
=TyAr
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message