Date:      Wed, 21 Oct 1998 14:47:54 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Janos Mohacsi <mohacsi@fsz.bme.hu>
Cc:        security@FreeBSD.ORG
Subject:   Re: login/shell/ftp/e-mail policy
Message-ID:  <362E487A.30EFDE31@softweyr.com>
References:  <Pine.SUN.3.96.981021200637.21992C-100000@bagira.iit.bme.hu>

Janos Mohacsi wrote:
> 
> Dear Sirs,
>         What is the policy to use in the FreeBSD in the logins? Which
> shells should I use for different sets of users?
> 
> I have following scheme:
>                                       login       ftp     email(pop,imap)
> ordinary shells (sh,csh,bash,tcsh):     +          +        +
> nologin (I have put to /etc/shells):    -          +        +

You don't want to put nologin in /etc/shells; some user may accidentally
select it with chsh.  This also blocks ftp logins when using /etc/nologin.

We had a discussion about this not long ago; none of the current email
servers seem to check /etc/shells, but they should.  This could be
handled with a FreeBSD-specific patch in the ports collection, or
by contributing the code to do so back to the maintainer of the server.

I've just looked through a couple of servers, and found that the much
maligned qpopper DOES validate shells using getusershell(3).  imap-uw
has support for login classes, and seems to use classes auth-imap
and auth-pop3 for authenticating users, based on their connection
protocol.  I don't know if the FreeBSD imap-uw is currently using the
login class support or not, but if not, it certainly should be.
This is the ideal way to handle controlling logins, not with hacks
like special shells.  (Even if you use my nologin program.  ;^)

-- 
             Where am I, and what am I doing in this handbasket?

Wes Peters                                                      +1.801.915.2061
Softweyr LLC                                                   wes@softweyr.com
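
Added example, not part of the original message and not code from qpopper, imap-uw or FreeBSD: a sketch of the check a POP or IMAP server can make before accepting a login, matching the account's shell against the contents of /etc/shells. The two sample files, the /sbin/nologin path and the function name shell_is_listed are constructed for illustration; a real server would call getusershell(3) rather than parse the file itself.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples in /etc/shells format. The nologin path is an assumption. */
static const char SHELLS_STOCK[] =
    "# acceptable login shells\n"
    "\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "\t/usr/local/bin/bash  # from ports\n";
static const char SHELLS_WITH_NOLOGIN[] =
    "/bin/sh\n"
    "/bin/csh\n"
    "/sbin/nologin\n";

/* True if pw_shell is an entry in shells_text. An entry starts at the first
 * '/' on a line and ends at whitespace or '#'; '#' starts a comment. */
bool shell_is_listed(const char *shells_text, const char *pw_shell)
{
    /* An empty passwd shell field means the default shell. */
    if (pw_shell == NULL || *pw_shell == '\0')
        pw_shell = "/bin/sh";
    size_t want = strlen(pw_shell);

    for (const char *line = shells_text; *line != '\0'; ) {
        const char *eol = line + strcspn(line, "\n");
        const char *p = line;
        while (p < eol && *p != '/' && *p != '#')
            p++;
        const char *q = p;
        while (q < eol && *q != ' ' && *q != '\t' && *q != '#')
            q++;
        /* Compare whole entries only, so "/bin/cs" never matches "/bin/csh". */
        if (p < eol && *p == '/' && (size_t)(q - p) == want &&
            memcmp(p, pw_shell, want) == 0)
            return true;
        line = (*eol == '\n') ? eol + 1 : eol;
    }
    return false;
}

int main(void)
{
    const char *shells[] = { "/bin/csh", "", "/sbin/nologin", "/bin/cs" };
    for (size_t i = 0; i < sizeof shells / sizeof shells[0]; i++)
        printf("%-15s stock=%d with_nologin=%d\n", shells[i],
               shell_is_listed(SHELLS_STOCK, shells[i]),
               shell_is_listed(SHELLS_WITH_NOLOGIN, shells[i]));
    return 0;
}
```

With the stock file a nologin account fails the check; adding nologin to the file makes it pass, which is the change that also exposes it to chsh.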
