From owner-freebsd-security Fri Jan 4 04:44:08 2002
Delivered-To: freebsd-security@freebsd.org
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 4CEF737B419 for ; Fri, 4 Jan 2002 04:44:03 -0800 (PST)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.11.6/8.11.6) id g04Chno05097; Fri, 4 Jan 2002 07:43:49 -0500 (EST) (envelope-from mwlucas)
Date: Fri, 4 Jan 2002 07:43:49 -0500
From: Michael Lucas
To: Дмитрий Подкорытов
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: nologin hole?
Message-ID: <20020104074349.A5042@blackhelicopters.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from podkorytov@mail.ru on Fri, Jan 04, 2002 at 07:18:55AM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I would recommend not using nologin as the users' shell. Instead, take a look at /etc/login.access. This makes the shell irrelevant; the user cannot log in, in any shell.

Generally, my sysadmins are in a "sysadmin" group. The "sysadmin" group is allowed to log in from anywhere. All other users are denied login.

There's an article on this in my column archives, if you want a point-by-point walkthrough.

Good luck!

==ml

On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> Maybe this is the result of my paranoia. ;-)
> And maybe not. Very possibly you can extract some use from this.
> In FreeBSD I have found that a user with terminal login disabled has a login
> shell named 'nologin'.
> This is an sh script:
> ====================================================
> #!/bin/sh -p
> # ...
> # ...
> echo 'This account is currently not available.'
> exit 1
> ====================================================
> My thoughts about this:
> 1. In case of breaking this script, the user has root access to the system. (See man
> sh, key -p.)
> 2. The password may be 'viewed' by any network analyser during the user's
> POP3 session with the server. (As a rule, password encryption is not used in POP3.)
> 3. Also the password may be hacked by a brute-force attack on the POP3 daemon.
> For a successful attack in this manner you can append some code to your telnet/ssh for
> managing the connection speed on the fly, or try using tcpwrapper for this. Set the connection
> speed = 1 baud. Begin the telnet/ssh session. Specify user name and password, break
> nologin. After success, set the connection speed as you wish and work under
> root permission.
> Solution to protect from this attack: install this program. For install,
> just make install. You may use this in silent mode; then compile with the
> -DSILENCE_MODE key. The program is distributed under the GPL as is, without any guarantees.
> At URL http://org.zaural.ru you can find some useful programs. My best
> wishes. Dmitry Podkorytov.
> E-mail: podkorytov@mail.ru
> PS: on FreeBSD v.4.1, ps -x does not show programs that are running code in the
> function Exit(), called from atexit(Exit). Is it a bug? I used the top command to view the PID of NoLogin.

-- 
Michael Lucas
mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
http://www.blackhelicopters.org/~mwlucas/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
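As an added illustration of the /etc/login.access approach recommended above (editor-added example code, not part of the original mail and not FreeBSD's own login(1) implementation): a small Python evaluator that mimics the first-matching-line semantics of login.access, so a policy can be sanity-checked before it is deployed. The group table and the hostnames are constructed; real login_access() additionally matches tty names, LOCAL and hostname suffixes, which this toy omits.

```python
# Editor-added example (not code from the mail or from FreeBSD): a toy
# evaluator for /etc/login.access, the mechanism recommended instead of a
# nologin shell. Real login_access() also matches tty names, LOCAL and
# hostname suffixes; this covers ALL, user/group names and EXCEPT, which is
# enough to check the "sysadmin group only" policy from the mail.

# The policy from the mail: sysadmins from anywhere, root on the console,
# nobody else. First matching line wins, as in login(1).
LOGIN_ACCESS = """\
# permission : users : origins
+:sysadmin:ALL
+:root:console
-:ALL:ALL
"""

# Constructed group table standing in for /etc/group (not a real system).
GROUPS = {"sysadmin": {"mwlucas"}, "users": {"alice", "pop3only"}}


def _list_match(name, field, groups):
    """Match name against a space/comma separated list, honouring ALL and EXCEPT."""
    items = field.replace(",", " ").split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_list_match(name, " ".join(items[:i]), groups)
                and not _list_match(name, " ".join(items[i + 1:]), groups))
    return any(item == "ALL" or item == name or name in groups.get(item, ())
               for item in items)


def login_allowed(user, origin, table=LOGIN_ACCESS, groups=GROUPS):
    """Return True if login.access permits `user` logging in from `origin`."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        # Group names only apply to the users field, never to origins.
        if _list_match(user, users, groups) and _list_match(origin, origins, {}):
            return perm == "+"
    return True  # no matching line: login.access imposes no restriction


if __name__ == "__main__":
    # A user whose shell is nologin is refused before any shell is ever run.
    for user, origin in [("mwlucas", "remote.example"), ("pop3only", "remote.example"),
                         ("root", "console"), ("root", "remote.example")]:
        verdict = "allowed" if login_allowed(user, origin) else "denied"
        print(user, "from", origin, "->", verdict)
```

The last line of the policy is what makes the shell irrelevant: anyone not matched by an earlier `+` line is refused by login(1) itself, so the nologin script never executes.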