Date: Fri, 25 Jan 2002 10:54:07 -0600
From: Christopher Schulte <schulte+freebsd@nospam.schulte.org>
To: security@freebsd.org
Subject: sshd not honoring /var/run/nologin ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )
Message-ID: <5.1.0.14.0.20020125103418.04610160@pop3s.schulte.org>
This seems to be a security issue, since an admin may think users are
locked out, when in fact they are not.
System: 4.4-RELEASE-p4
Sshd: default per 4.4-p4 install ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )
The man page for sshd tells us:
-----
When a user successfully logs in, sshd does the following:
[snip 1,2]
3. Checks /etc/nologin and /var/run/nologin; if one exists, it
prints the contents and quits (unless root).
-----
I noticed this when I was upgrading from 4.4-RELEASE to RELENG_4_4
yesterday on a server.
Example: box1=newly updated FreeBSD. box2=offsite server to test login to box1
box1# pw useradd foo ( then define password )
box1# echo test > /var/run/nologin
box1# ln -s /var/run/nologin /etc/nologin ( just for good measure, man page for sshd lists both files )
telnetd on box1 honors the nologin file:
box2# telnet box1
Trying 123.123.123.123...
Connected to box1.
Escape character is '^]'.
FreeBSD/i386 (box1) (ttypd)
login: foo
Password:
test
Connection closed by foreign host.
yet sshd still allows access:
box2# ssh -l foo box1
foo@box1's password:
Last login: Fri Jan 25 10:40:46 2002 from 1.2.3.4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.4-RELEASE-p4 (BOX1) #3: Thu Jan 24 16:57:53 CST 2002
$ exit
Connection to box1 closed.
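The following is an added example, not part of the original report and not FreeBSD or OpenSSH code. It encodes the nologin policy exactly as the quoted sshd(8) man page describes it (deny non-root users and print the file when /etc/nologin or /var/run/nologin exists) as a small POSIX sh audit helper, so an admin can state what a login daemon *should* do on a host and compare that against what a real login attempt, like the telnet and ssh sessions above, actually does. The function names and the NOLOGIN_FILES override variable are assumptions introduced here; the script does not talk to sshd itself.

```shell
#!/bin/sh
# Added example (not from the original report or from OpenSSH): a reference
# implementation of the nologin policy documented in sshd(8), usable as a local
# audit helper. NOLOGIN_FILES (assumed name) overrides the default paths so the
# logic can be exercised against constructed files instead of the live system.

NOLOGIN_FILES="${NOLOGIN_FILES:-/etc/nologin /var/run/nologin}"

# nologin_state: print the path of the first nologin file that exists.
# Returns 0 if one is found, 1 if no nologin file is in effect.
nologin_state() {
    for f in $NOLOGIN_FILES; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# login_allowed USER: returns 0 if the documented policy permits USER to log
# in, 1 if a nologin file exists and USER is not root. On denial the file's
# contents are printed, which is what the man page says sshd should do.
login_allowed() {
    user="$1"
    f="$(nologin_state)" || return 0      # no nologin file: allow
    [ "$user" = "root" ] && return 0      # root is exempt
    cat "$f"
    return 1
}

# audit_report USER: one-line statement of the expected outcome, to compare
# against an actual login attempt from another host.
audit_report() {
    if login_allowed "$1" >/dev/null; then
        printf 'user %s: login permitted (no nologin file in effect)\n' "$1"
    else
        printf 'user %s: login should be refused by %s\n' "$1" "$(nologin_state)"
    fi
}

# Usage (example only): NOLOGIN_FILES=/tmp/nologin-test sh nologin-check.sh foo
if [ $# -gt 0 ]; then
    audit_report "$1"
fi
```

Run it on the box after creating /var/run/nologin and it reports that user foo should be refused; if an interactive ssh login from another host still succeeds, the daemon is not applying the policy its man page describes, which is the discrepancy the report above demonstrates.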
