Date: Wed, 21 Oct 1998 14:47:54 -0600
From: Wes Peters <wes@softweyr.com>
To: Janos Mohacsi <mohacsi@fsz.bme.hu>
Cc: security@FreeBSD.ORG
Subject: Re: login/shell/ftp/e-mail policy
Message-ID: <362E487A.30EFDE31@softweyr.com>
References: <Pine.SUN.3.96.981021200637.21992C-100000@bagira.iit.bme.hu>
Janos Mohacsi wrote:
>
> Dear Sirs,
> What is the policy to use in the FreeBSD in the logins? Which
> shells should I use for different sets of users?
>
> I have the following scheme:
>
>                                         login   ftp   email (pop, imap)
> ordinary shells (sh,csh,bash,tcsh):       +      +          +
> nologin (I have put it in /etc/shells):   -      +          +

You don't want to put nologin in /etc/shells; some user may accidentally
select it with chsh. This also blocks ftp logins when using /etc/nologin.

We had a discussion about this not long ago; none of the current email
servers seem to check /etc/shells, but they should. This could be handled
with a FreeBSD-specific patch in the ports collection, or by contributing
the code to do so back to the maintainer of the server.

I've just looked through a couple of servers, and found that the much
maligned qpopper DOES validate shells using getusershell(3). imap-uw has
support for login classes, and seems to use classes auth-imap and
auth-pop3 for authenticating users, based on their connection protocol.
I don't know if the FreeBSD imap-uw is currently using the login class
support or not, but if not, it certainly should be. This is the ideal way
to handle controlling logins, not with hacks like special shells. (Even if
you use my nologin program. ;^)

-- 
            Where am I, and what am I doing in this handbasket?

Wes Peters                                                    +1.801.915.2061
Softweyr LLC                                                 wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
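The check Wes credits qpopper with, as an added example written for this archive page (it is not code from this thread, from qpopper, imap-uw or FreeBSD): a server-side test that a user's passwd shell is listed in /etc/shells. `shell_listed_in()` applies the /etc/shells line format (one absolute path per line, `#` comments, blank lines ignored) to a constructed in-memory copy, so the effect of listing nologin there can be seen offline; `shell_is_valid()` makes the same decision against the live file through getusershell(3). The two sample file contents are constructed for the example and are not taken from any real host.

```c
#define _DEFAULT_SOURCE      /* glibc: expose getusershell(3) in <unistd.h> */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample in /etc/shells format: one absolute path per line,
 * '#' starts a comment, blank lines are ignored.  Not copied from any host. */
static const char SHELLS_SANE[] =
    "# /etc/shells: login shells that chsh(1) and getusershell(3) callers accept\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/bin/tcsh\n"
    "\n"
    "/usr/local/bin/bash\n";

/* The same file with nologin listed, as the original poster had done.
 * Also constructed. */
static const char SHELLS_WITH_NOLOGIN[] =
    "/bin/sh\n"
    "/bin/csh\n"
    "/sbin/nologin   # listed here, so shell-based checks no longer exclude it\n";

/* Exact-match lookup of `shell` in `shells_file`, following the /etc/shells
 * line format.  Returns 1 if listed, 0 otherwise.  This is the decision a
 * pop/imap/ftp server makes when it consults the shell list. */
int shell_listed_in(const char *shells_file, const char *shell)
{
    char line[256];
    const char *p = shells_file;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);

        char *hash = strchr(line, '#');       /* drop trailing comment */
        if (hash != NULL)
            *hash = '\0';

        char *s = line;                       /* trim surrounding blanks */
        while (*s == ' ' || *s == '\t')
            s++;
        char *e = s + strlen(s);
        while (e > s && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r'))
            e--;
        *e = '\0';

        if (*s == '\0')                       /* blank or comment-only line */
            continue;
        if (strcmp(s, shell) == 0)
            return 1;
    }
    return 0;
}

/* Same policy against the live /etc/shells via getusershell(3).
 * Caveat: if /etc/shells is missing, both FreeBSD libc and glibc fall back
 * to a built-in list (/bin/sh and /bin/csh), so a missing file does not
 * deny everyone. */
int shell_is_valid(const char *shell)
{
    int ok = 0;
    const char *s;

    setusershell();
    while ((s = getusershell()) != NULL) {
        if (strcmp(s, shell) == 0) {
            ok = 1;
            break;
        }
    }
    endusershell();
    return ok;
}

/* Driver: refuse a mail/ftp-style login for any account whose passwd shell
 * is not listed.  Usage: ./a.out username */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "%s: no such user\n", argv[1]);
        return 1;
    }
    if (!shell_is_valid(pw->pw_shell)) {
        printf("%s: shell %s not in /etc/shells, login refused\n",
               pw->pw_name, pw->pw_shell);
        return 1;
    }
    printf("%s: shell %s accepted\n", pw->pw_name, pw->pw_shell);
    return 0;
}
```

With `SHELLS_SANE` an account whose shell is /sbin/nologin is refused; with `SHELLS_WITH_NOLOGIN` the same account passes, which is exactly why Wes says not to add nologin to /etc/shells: once it is listed, every getusershell(3) caller (and chsh) treats it as a legitimate login shell.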