Date: Sun, 17 Apr 2022 13:21:49 +0200
From: Evilham <contact@evilham.com>
To: FreeBSD User <freebsd@walstatt-de.de>
Cc: freebsd-current@freebsd.org
Subject: Re: PAM: SSH: reject login when homedir does not exist?
Message-ID: <a02a9b6db426f5e8a0b5c17cae62d8e327f5@yggdrasil.evilham.com>
In-Reply-To: <20220417130437.740721de@hermann>
References: <20220417130437.740721de@hermann>
On Sun, Apr 17 2022, FreeBSD User wrote:
> Hello fellows, happy Easter!
>
> I ran into a security issue this morning and tried to look for a
> solution. We use OpenLDAP for all "regular users" login on hosts and web
> services. Authentication is required from some cloud/moodle services via
> LDAP, but some users not having any home directory on any machine within
> the domain will still be allowed to log in, even if the home dir is not
> present. They get logged in onto the root of the filesystem when logging
> in via SSH.
>
> Is there a way to prohibit login if homedir isn't present? Can you point
> me to the right place (PAM or something, pam_env isn't available on
> FreeBSD)?
>
> If this is a trivial issue and caused by lack of my personal knowledge,
> please excuse.
>
> Kind regards,

Hey,

even if you manage to do that, you probably shouldn't address your
problem this way: the existence of a directory is a rather weak assertion
to make when deciding whether or not someone should be able to get a
shell.

Take a look at AllowGroups and AllowUsers in man 5 sshd_config; that
should fit your use-case much better. Other than that, you probably want
to change their shell and stuff like that.

Do check: https://docs.freebsd.org/en/books/handbook/security/#security-intro
and adapt to your LDAP setup.

Also, mid-term, M.W. Lucas' Absolute FreeBSD is a really good place to
learn things: https://mwl.io/nonfiction/os#af3e

PS: This mailing list is for things related to FreeBSD-CURRENT; it seems
like this question might be a better fit for freebsd-questions@, since it
is related to systems in general.

Cheers,
--
Evilham
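The AllowGroups/AllowUsers advice in the reply above, worked through as an added example that is not part of the original thread or of FreeBSD's own tooling. The two sshd_config fragments, the group name "sshusers" and the group database are all constructed for the example; the allow-list evaluation mirrors the sshd_config(5) rule that a user must pass every Allow* directive that is set, but only handles exact names, not the wildcard patterns real sshd also accepts.

```sh
#!/bin/sh
# Added example (not from the thread): compare an sshd_config that lets any
# LDAP account with a valid password get a shell against one that restricts
# shell access to an explicit group, as the reply recommends.

# Weak state (constructed): no allow-list, so every account that authenticates
# is let in, whether or not it was ever meant to have a shell on this host.
WEAK_CONFIG='
PasswordAuthentication yes
UsePAM yes
'

# Hardened state (constructed): only members of the "sshusers" group may log
# in. Accounts outside it are refused regardless of their password.
HARDENED_CONFIG='
PasswordAuthentication yes
UsePAM yes
AllowGroups sshusers
'

# Constructed group database in /etc/group layout: name:pw:gid:member,member
# (used instead of the real /etc/group so the example runs anywhere).
GROUP_DB='wheel:*:0:root
sshusers:*:1001:alice,bob
ldapusers:*:2000:alice,bob,carol'

# Return 0 if the config on stdin carries a non-empty AllowGroups or
# AllowUsers directive (keywords are case-insensitive, comments ignored).
sshd_has_allowlist() {
    sed 's/#.*//' | tr 'A-Z' 'a-z' |
        grep -Eq '^[[:space:]]*allow(groups|users)[[:space:]]+[^[:space:]]'
}

# Print the groups user $1 belongs to, one per line, from GROUP_DB.
user_groups() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Decide whether sshd would let user $1 past the Allow* filters of config $2.
# Exit 0 = allowed, 1 = refused. Every directive that is present must match.
sshd_would_allow() {
    user=$1
    clean=$(printf '%s\n' "$2" | sed 's/#.*//')
    allow_users=$(printf '%s\n' "$clean" |
        awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }')
    allow_groups=$(printf '%s\n' "$clean" |
        awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }')

    if [ -n "$allow_users" ]; then
        ok=1
        for u in $allow_users; do [ "$u" = "$user" ] && ok=0; done
        [ "$ok" -eq 0 ] || return 1
    fi
    if [ -n "$allow_groups" ]; then
        ok=1
        for g in $allow_groups; do
            for ug in $(user_groups "$user"); do [ "$ug" = "$g" ] && ok=0; done
        done
        [ "$ok" -eq 0 ] || return 1
    fi
    return 0
}

# Demonstration: carol authenticates fine via LDAP but has no business
# holding a shell here; only the hardened config keeps her out.
for who in alice carol; do
    if sshd_would_allow "$who" "$WEAK_CONFIG"; then v=allowed; else v=refused; fi
    echo "weak config:     $who -> $v"
    if sshd_would_allow "$who" "$HARDENED_CONFIG"; then v=allowed; else v=refused; fi
    echo "hardened config: $who -> $v"
done
```

On a real FreeBSD host the directive goes into /etc/ssh/sshd_config; `sshd -t` checks the file for syntax errors, `sshd -T` prints the effective configuration so you can confirm the AllowGroups line is actually in force, and `service sshd reload` applies it. Keeping the allow-list to a group rather than a list of names means the LDAP-side group membership, not a directory's existence, decides who gets a shell.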