Date: Mon, 23 Feb 2004 15:39:22 +0000
From: Tony Finch <dot@dotat.at>
To: kientzle@acm.org, Colin Percival <cperciva@FreeBSD.ORG>, src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c
Message-ID: <20040223153922.GH4574@chiark.greenend.org.uk>
In-Reply-To: <20040223025647.GA43467@VARK.homeunix.com>
References: <200402221003.i1MA3PW0024791@repoman.freebsd.org> <403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com>

On Sun, Feb 22, 2004 at 06:56:47PM -0800, David Schultz wrote:
>
> Note that this attack also works with OpenSSH provided that the
> locked out user has a ~/.ssh/environment file.[1]
>
> [1] I think Theo might have changed his mind about this
>     questionable feature and disabled it by default in
>     recent versions of OpenSSH.  See the PermitUserEnvironment
>     option in sshd_config(5).

Yes, I submitted that feature in July 2002 and it was in that
October's 3.5 release. We have about 32,000 users that aren't
supposed to be able to get out of their walled garden, so the
default hard-crunchy-outside/soft-chewy-inside that ssh gives us
isn't good enough.

Tony.
-- 
f.a.n.finch  <dot@dotat.at>  http://dotat.at/
FORTH TYNE DOGGER FISHER GERMAN BIGHT: MAINLY NORTH BACKING WEST OR NORTHWEST
5 TO 7, PERHAPS GALE 8 LATER. SQUALLY WINTRY SHOWERS THEN RAIN. GOOD BECOMING
MODERATE.
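
A check for the condition discussed in this message, added here as an example (not code from the e-mail, FreeBSD or OpenSSH): it reads the global PermitUserEnvironment value from sshd_config text and lists accounts with a nologin shell that have a ~/.ssh/environment file. The shell list, function names and sample data are assumptions made for the illustration.

```python
import os

# Shells treated as "locked out" (assumption; adjust for the local system).
LOCKED_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}

def permit_user_environment(config_text):
    """Global PermitUserEnvironment value; "no" (the default) if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional and not evaluated here
        if parts[0].lower() == "permituserenvironment" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()  # first value wins
    return "no"

def locked_accounts_with_env(passwd_text, exists=os.path.exists):
    """(user, path) for locked-out accounts that own a ~/.ssh/environment."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        path = os.path.join(home, ".ssh", "environment")
        if shell in LOCKED_SHELLS and exists(path):
            hits.append((user, path))
    return hits

def audit(config_text, passwd_text, exists=os.path.exists):
    """Report the setting, the files found, and which ones sshd would read."""
    value = permit_user_environment(config_text)
    files = locked_accounts_with_env(passwd_text, exists)
    return {"setting": value, "files": files,
            "exposed": files if value != "no" else []}

# Constructed sample input, not taken from any real host.
SAMPLE_CONFIG = "# sample\nPort 22\nPermitUserEnvironment yes\nPermitUserEnvironment no\n"
SAMPLE_PASSWD = (
    "alice:*:1001:1001:Alice:/home/alice:/bin/sh\n"
    "mailonly:*:1002:1002:Mail user:/home/mailonly:/sbin/nologin\n"
    "ftponly:*:1003:1003:FTP user:/home/ftponly:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    fake = {"/home/mailonly/.ssh/environment"}  # constructed file listing
    print(audit(SAMPLE_CONFIG, SAMPLE_PASSWD, exists=fake.__contains__))
```

On a real host, pass the contents of sshd_config and the passwd file and leave `exists` at its default.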