Date: Mon, 5 Mar 2001 19:14:02 -0500 (EST)
From: Igor Roshchin
Message-Id: <200103060014.TAA31449@giganda.komkon.org>
To: freebsd-security@freebsd.org
Subject: Re: ssh tricks - user running sshd
Cc: kris@obsecurity.org
In-Reply-To: <20010305130902.A85196@mollari.cthul.hu>

Well, there is another effectively similar, but probably less trackable, way of doing the same.

A user can run his own ssh daemon on a different (high-numbered) port, thus allowing himself to log in without using the system's daemon. That user can configure the daemon so that no records are added to wtmp/utmp, and no logging is done to the system log.

You can forbid running daemons by a policy, but it's rather difficult to make that completely impossible.

Well, the point of this message is just to remind that, as Kris said, there are many different things for an admin to remember.

Igor
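An added example, not part of the original message: because a user-run daemon's own configuration decides what it writes to wtmp/utmp and syslog, an admin can instead audit the kernel's socket table for TCP listeners owned by unexpected accounts. The allowlist, function names and sample rows below are assumptions constructed for illustration; the input format is that of FreeBSD's `sockstat -l`.

```shell
#!/bin/sh
# Flag TCP listeners owned by accounts that are not expected to run
# network daemons. Input is `sockstat -4 -6 -l` style text on stdin.

# Accounts allowed to own listening sockets (assumption; adjust per host).
ALLOWED_USERS="root www bind"

# Constructed sample of sockstat -l output (not captured from a real host).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
www      httpd      540   16 tcp4   *:80                  *:*
alice    sshd       2291  4  tcp4   *:40022               *:*
bob      python     2310  3  tcp4   127.0.0.1:8000        *:*
root     syslogd    201   6  udp4   *:514                 *:*
EOF
}

# Print "user command pid local-address" for each TCP listener whose
# owner is not in ALLOWED_USERS. Reads sockstat text from stdin.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_USERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }   # skip the header row
        $5 !~ /^tcp/ { next }              # TCP listeners only
        !($1 in ok) { print $1, $2, $3, $6 }
    '
}

# Number of unexpected listeners, usable as a cron check threshold.
count_unexpected() {
    unexpected_listeners | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a live FreeBSD host use:
#   sockstat -4 -6 -l | unexpected_listeners
sample_sockstat | unexpected_listeners
```

The check keys on socket ownership rather than the command name, so a renamed daemon binary is still reported.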