From owner-freebsd-security Fri May 28 16:18:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id C51F2156FB for ; Fri, 28 May 1999 16:18:42 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id QAA02314; Fri, 28 May 1999 16:18:07 -0700 (PDT)
Message-ID: <19990528161807.A1393@best.com>
Date: Fri, 28 May 1999 16:18:07 -0700
From: "Jan B. Koum "
To: Nicholas Brawn , Sheldon Hearn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: legal notice for telnet/etc
References: <671.927888503@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Nicholas Brawn on Fri, May 28, 1999 at 10:13:09PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 28, 1999 at 10:13:09PM +1000, Nicholas Brawn wrote:
> For the systems I'm looking at, the main entry points into the system will
> be:
> - Telnet
> - FTP
> - SSH
> - SFTP/SCP
>
> Telnet and Ftp banners look relatively simple to implement. But it looks a
> bit tricky with ssh without displaying until the user has logged in.
> Alternatively you could get them to sign a legal document prior to
> granting them access to IT resources which discusses what authority they
> have over what, which is already a recommendation. If it cannot be
> displayed until a user logs in (/etc/motd), nobody's going to die. And if
> you say they may be able to quell such notices via .hushlogin, we can add
> something to /etc/profile to display notices, or even specify a program as
> their shell which does nothing more than displaying the notice before
> dropping them into a shell.
>
> At this stage I'm keen to find out what simple solutions there are
> available. If I need to tinker, so be it. :)
>
> Thanks to everyone for the input,
> Nick

If you need to tinker, then for ssh you can do something similar to the
following:

user goes to https://ssh.yourcompany.com
The page asks username:password and presents the user with an agreement of
usage. If he agrees by clicking on "I Agree", you give him a new ssh RSA
key (ssh-keygen) and while he takes a second to download it, you place the
key in his $HOME/.ssh

The weak part in the picture is username:passwd -- replace it with
something like Cryptocard (www.cryptocard.com -- which happens to support
FreeBSD btw) and you're all set. They actually have an apache module to auth
against their radiusd server ...

Tinker away Nick. ;)

-- yan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
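
Added example, not part of the original message or of any project's code: a sketch of the server-side step in the flow described above, where the public half of a key pair already generated with ssh-keygen is placed in the user's $HOME/.ssh only after "I Agree" is clicked, and the acceptance is recorded. The function names, the log format, the use of OpenSSH's authorized_keys file and the sample key are assumptions made for illustration.

```python
import base64, hashlib, json, os, struct, time

def fingerprint(pub_line):
    """OpenSSH-style SHA256 fingerprint of an ssh-rsa public key line."""
    parts = pub_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob must start with a length-prefixed copy of the key type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != b"ssh-rsa":
        raise ValueError("key blob does not match its declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def install_key(home, user, pub_line, agreement_text, agreed, log_path):
    """Install the key only after acceptance; return the audit record or None."""
    if not agreed:
        return None  # no click-through, no key
    fp = fingerprint(pub_line)  # rejects malformed input before any write
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # sshd StrictModes rejects group/world-writable paths
    auth = os.path.join(ssh_dir, "authorized_keys")  # OpenSSH default (assumption)
    existing = ""
    if os.path.exists(auth):
        with open(auth) as f:
            existing = f.read()
    if pub_line.split()[1] not in existing:  # do not add the same key twice
        fd = os.open(auth, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "a") as f:
            sep = "" if not existing or existing.endswith("\n") else "\n"
            f.write(sep + pub_line.strip() + "\n")
    os.chmod(auth, 0o600)
    # The record ties this user and key to the exact agreement text shown.
    record = {"time": int(time.time()), "user": user, "key_fingerprint": fp,
              "agreement_sha256": hashlib.sha256(agreement_text.encode()).hexdigest()}
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record

def constructed_rsa_pub(comment):
    """Constructed sample: valid ssh-rsa framing around dummy numbers, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xc3" * 128)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

In a real deployment the .ssh directory and authorized_keys file must also end up owned by the target user, which this sketch leaves out.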