Date: Fri, 26 Jun 1998 12:03:40 +1000 (EST)
From: "Daniel O'Callaghan" <danny@hilink.com.au>
To: Paul Stewart <paul@kawartha.com>
Cc: Evren Yurtesen <yurtesen@ispro.net.tr>, freebsd-isp@FreeBSD.ORG
Subject: Re: nonexistent
Message-ID: <Pine.BSF.3.96.980626115630.3042H-100000@enya.hilink.com.au>
In-Reply-To: <35925399.46400EF5@kawartha.com>

On Thu, 25 Jun 1998, Paul Stewart wrote:

> Somebody might be able to yell at me for this, but on several of our ftp
> servers we use DATE as our shell and they can't get shell access.
> Hopefully nobody is going to flame me over that...:)
>
> Make sure you add /bin/date to your /etc/shells file or it won't
> show...<smile>

If user ftp has no password, and it is not listed in /etc/ppp/ppp.deny
and you are running PAP ppp logins on the same box, people will be able to
get a ppp connection as user ftp. I fixed this between 2.2.2 and 2.2.5,
and a FreeBSD security alert was announced at the time, although it did
not describe the exploit. I think enough time has passed for the exploit
to be mentioned.

So... MAKE SURE USER 'ftp' HAS '*' IN THE PASSWORD FIELD :-)

Danny

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
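
A check for the condition described in the message above, as an added example that is not part of the original e-mail: it lists accounts whose password field is empty and reports whether each one is named in a ppp.deny-style file. It assumes a colon-separated master.passwd-format file with the password in field 2 and a deny file with one user name per line; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example: report accounts with an empty password field and whether
# each is named in a ppp.deny-style file.
# Assumptions: passwd-format input, password in field 2; the deny file has
# one user name per line and '#' starts a comment.

audit_empty_passwords() {
    passwd_file=$1
    deny_file=$2
    awk -F: -v deny="$deny_file" '
        BEGIN {
            # Load denied user names; a missing deny file means none denied.
            while ((getline line < deny) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") denied[line] = 1
            }
            close(deny)
        }
        /^#/ || NF < 2 { next }
        # An empty field 2 means no password; "*" is not empty.
        $2 == "" {
            state = ($1 in denied) ? "in-ppp.deny" : "NOT-IN-PPP.DENY"
            printf "%s %s\n", $1, state
        }
    ' "$passwd_file"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from a real system.
    cat > "$tmp/master.passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
ftp::14:5::0:0:Anonymous FTP:/var/ftp:/bin/date
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
EOF
    printf 'guest\n' > "$tmp/ppp.deny"
    audit_empty_passwords "$tmp/master.passwd" "$tmp/ppp.deny"
    rm -rf "$tmp"
}

demo
```

On a live system the two arguments would be /etc/master.passwd (readable by root only) and /etc/ppp/ppp.deny.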