From: Christopher Schulte
To: security@freebsd.org
Date: Fri, 25 Jan 2002 10:54:07 -0600
Subject: sshd not honoring /var/run/nologin ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )

This seems to be a security issue, since an admin may think users are locked out, when in fact they are not.

System: 4.4-RELEASE-p4
Sshd: default per 4.4-p4 install ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )

The man page for sshd tells us:

-----
When a user successfully logs in, sshd does the following:

[snip 1,2]

3. Checks /etc/nologin and /var/run/nologin; if one exists, it prints the contents and quits (unless root).
-----

I noticed this when I was upgrading from 4.4-RELEASE to RELENG_4_4 yesterday on a server.

Example:

box1 = newly updated FreeBSD.
box2 = offsite server to test login to box1

box1# pw useradd foo   ( then define password )
box1# echo test > /var/run/nologin
box1# ln -s /var/run/nologin /etc/nologin   ( just for good measure, man page for sshd lists both files )

telnetd on box1 honors the nologin file:

box2# telnet box1
Trying 123.123.123.123...
Connected to box1.
Escape character is '^]'.

FreeBSD/i386 (box1) (ttypd)

login: foo
Password:
test
Connection closed by foreign host.

yet sshd still allows access:

box2# ssh -l foo box1
foo@box1's password:
Last login: Fri Jan 25 10:40:46 2002 from 1.2.3.4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 4.4-RELEASE-p4 (BOX1) #3: Thu Jan 24 16:57:53 CST 2002

$ exit
Connection to box1 closed.
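The report above compares what sshd(8) documents (step 3: print the nologin file and quit unless the user is root) with what the daemon actually did. The following is an added example, not code from the mail or from OpenSSH: a portable sh re-implementation of exactly that documented rule, so an administrator can state the expected outcome for a given user and file state before running the real login test the mail shows. The NOLOGIN_FILES variable is an assumed knob, added only so the check can be exercised against constructed files instead of the live /etc/nologin and /var/run/nologin.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenSSH): encodes the
# nologin rule documented in sshd(8) so expected behaviour can be checked.
# NOLOGIN_FILES is an assumed override; it defaults to the two paths the
# man page names. Space-separated list of files to consult, in order.
: "${NOLOGIN_FILES:=/etc/nologin /var/run/nologin}"

# nologin_check USER
# Returns 0 when login should be allowed and 1 when it should be refused.
# When a nologin file exists and USER is not root, the file's contents are
# printed first, mirroring "prints the contents and quits (unless root)".
nologin_check() {
    user=$1
    # root is exempt from the nologin check.
    [ "$user" = root ] && return 0
    for f in $NOLOGIN_FILES; do
        if [ -f "$f" ]; then
            cat "$f"
            return 1
        fi
    done
    return 0
}

# Self-contained demonstration against a constructed nologin file in a
# temporary directory; runs in a subshell so it does not disturb the
# caller's NOLOGIN_FILES setting.
demo() (
    tmp=$(mktemp -d) || return 2
    NOLOGIN_FILES="$tmp/nologin"
    nologin_check foo && echo "foo: allowed (no nologin file present)"
    echo "System going down for maintenance" > "$tmp/nologin"
    nologin_check foo || echo "foo: refused (nologin file present)"
    nologin_check root >/dev/null && echo "root: allowed (exempt)"
    rm -rf "$tmp"
)

demo
```

On a host where sshd behaves as the mail describes, `nologin_check foo` refuses the login while an actual `ssh -l foo` succeeds; that mismatch between the documented rule and the observed session is the whole point of the report, and the live login test in the mail remains the authoritative check.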