From owner-freebsd-security  Tue May  7 15:43:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.npubs.com (npubs.com [207.111.208.224])
	by hub.freebsd.org (Postfix) with ESMTP id 8F51637B404
	for <security@FreeBSD.ORG>; Tue,  7 May 2002 15:43:33 -0700 (PDT)
Received: 8.12.2-(Neptune)
Received: 8.12.2-(Venus)
Received: 8.12.2-(Neptune)
From: "Nielsen" <nielsen@memberwebs.com>
To: "Rob Andrews" <rob@cyberpunkz.org>, <security@FreeBSD.ORG>
References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com> <200205061347.54915.dowen@pstis.com> <20020507062534.E638C37B401@hub.freebsd.org> <20020507014934.D58289@switchblade.cyberpunkz.org>
Subject: Re: Telnet Exploit
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020507224333.8F51637B404@hub.freebsd.org>
Date: Tue,  7 May 2002 15:43:33 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> I was attempting something like this with sudo to no avail.  We were
> attempting to setup a separate password file for sudo but it didn't
> quite cut it.  I've made queries about this before to the list but
> no one ever responded to it..

If you just want one password file for shells and another for insecure
logins, then use /usr/ports/security/pam_pwdfile. Replace the pam_unix.so in
pam.conf for each service you want to use the other password file.

> How is it that you have managed to separate using pam, logins for
> ftp, pop3, smtp, or whatever you choose from things such as sshd?

What we did was something different. Wrote a PAM module, that disallows
logins for all insecure services (where specified in pam.conf) when the user
has a valid shell.

> I'd be real interested in how you've managed this as it would be
> very helpful to future development of machines on my networks.

As it is the module isn't autoconfiscated or anything, but can do if
anyone's interested.

Nate



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message