From: Wes Peters
Organization: Softweyr LLC
Date: Wed, 21 Oct 1998 14:47:54 -0600
To: Janos Mohacsi
CC: security@FreeBSD.ORG
Subject: Re: login/shell/ftp/e-mail policy
Message-ID: <362E487A.30EFDE31@softweyr.com>
X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)

Janos Mohacsi wrote:
>
> Dear Sirs,
> What is the policy to use in FreeBSD for logins? Which
> shells should I use for different sets of users?
>
> I have the following scheme:
>                                            login  ftp  email(pop,imap)
> ordinary shells (sh,csh,bash,tcsh):          +     +        +
> nologin (I have put it in /etc/shells):      -     +        +

You don't want to put nologin in /etc/shells; some user may accidentally select it with chsh. This also blocks ftp logins when using /etc/nologin. We had a discussion about this not long ago; none of the current email servers seem to check /etc/shells, but they should.
This could be handled with a FreeBSD-specific patch in the ports collection, or by contributing the code to do so back to the maintainer of the server. I've just looked through a couple of servers, and found that the much maligned qpopper DOES validate shells using getusershell(3). imap-uw has support for login classes, and seems to use the classes auth-imap and auth-pop3 for authenticating users, based on their connection protocol. I don't know if the FreeBSD imap-uw is currently using the login class support or not, but if not, it certainly should be. This is the ideal way to handle controlling logins, not with hacks like special shells. (Even if you use my nologin program. ;^)

-- 
       Where am I, and what am I doing in this handbasket?

Wes Peters                                                Softweyr LLC
+1.801.915.2061                                        wes@softweyr.com
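The /etc/shells check that the reply says mail servers should perform, as an added example in C that is not part of this thread nor taken from qpopper or imap-uw: it looks up the account with getpwnam(3), walks the approved-shell list with getusershell(3), treats an empty shell field as /bin/sh the way login(1) does, and keeps the list comparison in its own function so the policy can be exercised against a constructed list (which also shows why listing nologin in /etc/shells defeats the check). The function and list names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_SHELL "/bin/sh"   /* what login(1) substitutes for an empty shell field */

/* Return 1 if `shell` appears in the NULL-terminated `allowed` list, else 0.
 * Kept separate from the system lookup so the policy can be tested against
 * any list; a list that contains nologin will happily approve it. */
int shell_in_list(const char *shell, const char *const *allowed)
{
    if (shell == NULL || *shell == '\0')
        shell = DEFAULT_SHELL;
    for (; *allowed != NULL; allowed++)
        if (strcmp(shell, *allowed) == 0)
            return 1;
    return 0;
}

/* The same test against the live /etc/shells via getusershell(3); the libc
 * falls back to a built-in default list (/bin/sh, /bin/csh) if the file is absent. */
int shell_is_valid(const char *shell)
{
    const char *ent;
    int found = 0;

    if (shell == NULL || *shell == '\0')
        shell = DEFAULT_SHELL;
    setusershell();                       /* rewind to the first entry */
    while ((ent = getusershell()) != NULL)
        if (strcmp(shell, ent) == 0) {
            found = 1;
            break;
        }
    endusershell();
    return found;
}

/* Policy a POP/IMAP server would apply before even checking the password:
 * the account must exist and its shell must be an approved login shell. */
int user_may_use_mail(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return 0;
    return shell_is_valid(pw->pw_shell);
}
```

Servers that use login classes instead would consult login.conf for the class named after the protocol (auth-pop3, auth-imap), which is the approach the reply prefers over shell-based hacks.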