From owner-cvs-all@FreeBSD.ORG  Mon Feb 23 07:39:23 2004
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AF1C916A4D1; Mon, 23 Feb 2004 07:39:23 -0800 (PST)
Received: from chiark.greenend.org.uk (chiark.greenend.org.uk
	[193.201.200.170])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 86D3D43D1F; Mon, 23 Feb 2004 07:39:23 -0800 (PST)
	(envelope-from fanf@chiark.greenend.org.uk)
Received: by chiark.greenend.org.uk (Debian Exim 3.35 #1) with local
	id 1AvIB0-00030K-00; Mon, 23 Feb 2004 15:39:22 +0000
Date: Mon, 23 Feb 2004 15:39:22 +0000
From: Tony Finch <dot@dotat.at>
To: kientzle@acm.org, Colin Percival <cperciva@FreeBSD.ORG>,
	src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Message-ID: <20040223153922.GH4574@chiark.greenend.org.uk>
References: <200402221003.i1MA3PW0024791@repoman.freebsd.org>
	<403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040223025647.GA43467@VARK.homeunix.com>
User-Agent: Mutt/1.3.28i
Sender: Tony Finch <fanf@chiark.greenend.org.uk>
Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2004 15:39:23 -0000

On Sun, Feb 22, 2004 at 06:56:47PM -0800, David Schultz wrote:
> 
> Note that this attack also works with OpenSSH provided that the
> locked out user has a ~/.ssh/environment file.[1]
> 
> [1] I think Theo might have changed his mind about this
>     questionable feature and disabled it by default in
>     recent versions of OpenSSH.  See the PermitUserEnvironment
>     option in sshd_config(5).

Yes, I submitted that feature in July 2002 and it was in that
October's 3.5 release.  We have about 32,000 users that aren't
supposed to be able to get out of their walled garden, so the default
hard-crunchy-outsite/soft-chewy-inside that ssh gives us isn't good
enough.

Tony.
-- 
f.a.n.finch  <dot@dotat.at>  http://dotat.at/
FORTH TYNE DOGGER FISHER GERMAN BIGHT: MAINLY NORTH BACKING WEST OR NORTHWEST
5 TO 7, PERHAPS GALE 8 LATER. SQUALLY WINTRY SHOWERS THEN RAIN. GOOD BECOMING
MODERATE.