Date: Fri, 21 Sep 2001 12:44:10 +0100
From: Marc Rogers <marcr@shady.org>
To: FreeBSD-Security@FreeBSD.ORG
Subject: login_conf vulnerability.
Message-ID: <20010921124410.D99287@shady.org>

Afternoon all,

For those of you who haven't gotten around to patching login_cap.c to fix the openssh login class exploit recently released, I have a quick fix that should be good enough to stop pests reading files on your system, such as master.passwd.

Using vipw, add all users to a login class that has been defined in /etc/login.conf. For most people, simply adding the user to standard will suffice:

    bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash

should be changed to

    bob:xxxxxxxxxxxxx:1062:1062:standard:0:0:bob t builder:/home/bob:/usr/local/bin/bash

which corresponds to:

    standard:\
            :tc=default:

in /etc/login.conf

This has been tested and found to prevent the exploit in 4.0, 4.1, 4.3 and 4.4-RC.

Yours,

Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
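
Added example, not part of the original message: a shell/awk audit that lists accounts whose login-class field (the fifth field of a master.passwd-format file) is still empty, or names a class that is not defined in a login.conf-format file. The function names, the accounts alice and carol, and the class name "staf" are constructed for illustration; point the function at copies of your own files.

```shell
#!/bin/sh
# audit_login_class PASSWD_FILE LOGINCONF_FILE
# Prints "user<TAB>reason" for every account that lacks a defined login class.
audit_login_class() {
    awk -F: '
        # login.conf pass: a record starts in column 1, its names come
        # before the first ":" and may be separated by "|".
        pass != 2 {
            if ($0 == "" || $0 ~ /^[ \t#]/) next   # blank, continuation, comment
            n = split($1, names, "|")
            for (i = 1; i <= n; i++) defined[names[i]] = 1
            next
        }
        # master.passwd pass:
        # name:password:uid:gid:class:change:expire:gecos:home:shell
        /^#/ || NF < 10  { next }
        $5 == ""         { printf "%s\tno login class set\n", $1; next }
        !($5 in defined) { printf "%s\tclass \"%s\" not in login.conf\n", $1, $5 }
    ' "$2" pass=2 "$1"
}

# write_samples DIR: constructed sample files (not real account data).
write_samples() {
    cat > "$1/login.conf" <<'EOF'
# constructed sample
default:\
        :path=/sbin /bin /usr/sbin /usr/bin:
standard:\
        :tc=default:
EOF
    cat > "$1/master.passwd" <<'EOF'
alice:xxxxxxxxxxxxx:1061:1061:standard:0:0:alice:/home/alice:/bin/sh
bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash
carol:xxxxxxxxxxxxx:1063:1063:staf:0:0:carol:/home/carol:/bin/sh
EOF
}

# Demo run on the constructed samples: flags bob (empty class) and carol (typo).
tmp=$(mktemp -d)
write_samples "$tmp"
audit_login_class "$tmp/master.passwd" "$tmp/login.conf"
rm -rf "$tmp"
```

On a live system, run it as root against copies of /etc/master.passwd and /etc/login.conf, then fix the flagged entries with vipw.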