Date:      Thu, 27 Jan 2000 19:08:04 +0100 (MET)
From:      Marc SCHAEFER <schaefer@alphanet.ch>
To:        The Mad Scientist <madscientist@thegrid.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: sshd and pop/ftponly users incorrect configuration
Message-ID:  <Pine.LNX.4.10.10001271906030.24945-100000@vulcan.alphanet.ch>
In-Reply-To: <4.1.20000127001817.00938470@mail.thegrid.net>

On Thu, 27 Jan 2000, The Mad Scientist wrote:

> >      - no user which has an account hasn't a shell (he will be able
> >        to do the above, except the root@ IDENT, anyway, if he has a shell)
> 
> This line is a little confusing to me.  Do you mean every user with an
> account has no shell?  What do you mean by account? (pop?)  And who is 'he'?

If the user has a shell (e.g. bash, tcsh), he can connect to any host on
the Internet anyway (unless some socket restrictions were set up, I don't
know if this is available in FreeBSD). The only difference is that he
won't be able to fake the IDENT.

If he has /bin/false as shell (i.e. he hasn't a shell, but accessed POP
and/or FTP), he can issue TCP connections appearing from the host unless
DenyGroups or other security steps are taken.



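An added example, not part of the original message: a small audit that lists accounts with a non-login shell that sshd's user/group access rules would still accept, which is the situation the reply describes. It assumes OpenSSH-style `DenyUsers`/`AllowUsers`/`DenyGroups`/`AllowGroups` keywords and passwd(5)/group(5) file formats; the function names, the list of non-login shells and the sample accounts are constructed, and negated or `user@host` patterns are not handled.

```python
import fnmatch

NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_sshd_config(text):
    """Collect Allow/Deny patterns (global section; Match blocks ignored)."""
    rules = {k: [] for k in KEYS}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "match":
            break
        if words and words[0].lower() in rules:
            rules[words[0].lower()] += words[1:]
    return rules

def groups_of(user, gid, group_text):
    """Group names for user: primary (by gid) plus supplementary."""
    rows = [l.strip().split(":") for l in group_text.splitlines()]
    return {f[0] for f in rows
            if len(f) >= 4 and (f[2] == gid or user in f[3].split(","))}

def hit(names, patterns):
    """True if any name matches any pattern (only * and ? are handled)."""
    return any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns)

def sshd_allows(user, groups, r):
    """Same outcome as sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups."""
    if hit([user], r["denyusers"]) or hit(groups, r["denygroups"]):
        return False
    if r["allowusers"] and not hit([user], r["allowusers"]):
        return False
    return not r["allowgroups"] or hit(groups, r["allowgroups"])

def audit(passwd_text, group_text, sshd_text):
    """Users with a non-login shell that sshd would still authenticate."""
    rules = parse_sshd_config(sshd_text)
    rows = [l.strip().split(":") for l in passwd_text.splitlines()]
    return [f[0] for f in rows if len(f) >= 7 and f[-1] in NOLOGIN
            and sshd_allows(f[0], groups_of(f[0], f[3], group_text), rules)]

# Constructed sample data, not taken from the original message.
PASSWD = ("alice:*:1001:1001:Alice:/home/alice:/bin/tcsh\n"
          "popbob:*:1002:2000:POP/FTP only:/home/popbob:/bin/false\n")
GROUP = "alice:*:1001:\nmailonly:*:2000:\n"

if __name__ == "__main__":
    print("default sshd_config:", audit(PASSWD, GROUP, "Port 22\n"))
    print("with DenyGroups:    ", audit(PASSWD, GROUP, "DenyGroups mailonly\n"))
```

An empty result means every account with a non-login shell is covered by one of the four access keywords in the global section of the configuration.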



