From owner-freebsd-security Fri Jan 4 5: 2: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145])
	by hub.freebsd.org (Postfix) with ESMTP id 2938737B405
	for ; Fri, 4 Jan 2002 05:01:51 -0800 (PST)
Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6])
	by internethelp.ru (8.9.3/8.9.3) with ESMTP id QAA33709;
	Fri, 4 Jan 2002 16:00:24 +0300 (MSK)
Date: Fri, 4 Jan 2002 16:00:04 +0300
From: "Nickolay A.Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A.Kritsky"
X-Priority: 3 (Normal)
Message-ID: <48581238076.20020104160004@internethelp.ru>
To: Michael Lucas
Cc: =?ISO-8859-1?B?5M3J1NLJyiDwz8TLz9LZ1M/X?= , freebsd-security@FreeBSD.ORG
Subject: Re[2]: nologin hole?
In-reply-To: <20020104074349.A5042@blackhelicopters.org>
References: <20020104074349.A5042@blackhelicopters.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Michael,

Friday, January 04, 2002, 3:43:49 PM, you wrote:

ML> Hello,

ML> I would recommend not using nologin as the users' shell. Instead,
ML> take a look at /etc/login.access.

ML> This makes the shell irrelevant; the user cannot log in, in any shell.

ML> Generally, my sysadmins are in a "sysadmin" group. The "sysadmin"
ML> group is allowed to log in from anywhere. All other users are denied
ML> login.

ML> There's an article on this in my column archives, if you want a
ML> point-by-point walkthrough.

ML> Good luck!

ML> ==ml

The problem is that some versions of SSH do not pay any attention to the
/etc/login.access file, so you still may have a need for /sbin/nologin.

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
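
Added example (not part of the original message, and not FreeBSD's own code): an audit that combines the two points in this exchange by listing accounts that the quoted login.access policy denies but whose shell is not nologin, which is the set still exposed if an SSH daemon ignores /etc/login.access. The sample passwd, group and login.access contents and all function names are constructed for illustration; rule matching is simplified to the users field (login names, listed group members, ALL), ignoring origins and EXCEPT.

```python
# Constructed sample data (not from the thread); passwd(5) 7-field format.
PASSWD = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/tcsh
mailonly:*:1003:1003:Mail only:/home/mailonly:/sbin/nologin
"""
GROUP = "wheel:*:0:root\nsysadmin:*:2000:alice\n"
# The policy from the quoted message: sysadmin group from anywhere, others denied.
LOGIN_ACCESS = "# permission:users:origins\n+:sysadmin:ALL\n-:ALL:ALL\n"
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}

def parse_groups(text):
    """Map group name -> set of listed members (primary groups not considered)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            groups[name] = set(filter(None, members.split(",")))
    return groups

def access_allowed(user, rules, groups):
    """First rule whose users field matches decides; no match grants access.
    Simplification: origins and the EXCEPT operator are ignored."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, _origins = (f.strip() for f in line.split(":", 2))
        for tok in users.split():
            if tok in ("ALL", user) or user in groups.get(tok, ()):
                return perm == "+"
    return True

def exposed_accounts(passwd, rules, groups):
    """Users login.access denies but whose shell would still run a session."""
    exposed = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            user, shell = fields[0], fields[6]
            if not access_allowed(user, rules, groups) and shell not in NOLOGIN_SHELLS:
                exposed.append(user)
    return exposed

if __name__ == "__main__":
    print(exposed_accounts(PASSWD, LOGIN_ACCESS, parse_groups(GROUP)))
```
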