Date: Thu, 21 May 1998 23:22:48 -0400 (EDT)
From: Mike Fisher <mfisher@harborcom.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>

On Thu, 21 May 1998, Mike Smith wrote:

> If you wish to disable a user's account, you should set their shell to
> something nonexistent. (Note that ssh may still be a way past this.)

As is the login.conf(5) database, from what I can tell. If the disabled user drops in a .login_conf that sets the shell, it will work, although they will need to modify their SHELL environmental variable if they're going to be doing much fun stuff.

However, I just did some playing around with this on a 2.2.6-STABLE system and didn't seem to have any luck subverting the configured shell. (Read: assuming I configure .login_conf correctly, it is not being used correctly.)

Setting the shell to /sbin/nologin does seem to do the trick; it doesn't let S/Key through and it doesn't seem to allow anything else through. With SSH, I was unable to do a login via RSA keys or password authentication with the shell set to /sbin/nologin. I'd assume that the .shosts authentication would also be effectively broken.

Of course, this is an inelegant fix for people who have set up a nice shell substitute that allows choices like password changes or whatnot, but I would imagine that in a situation where the account was locked, a password change is a minimal priority for people.

--
Mike

"I swear - by my life and by my love of it - that I will never live for the sake of another man, nor ask another man to live for mine." --Ayn Rand, _Atlas Shrugged_
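As an added example (not part of the original post or of FreeBSD), a POSIX shell audit that takes the thread's point from the defender's side: list accounts locked in a master.passwd(5)-style file whose shell is still something other than /sbin/nologin, and flag any ~/.login_conf carrying a shell= capability, the login.conf(5) per-user override the post discusses. The password file and home directories are constructed inline; the locked-marker convention (a *LOCKED* prefix or !) and the "me:" capability name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post. Audits a master.passwd(5)-style
# file (10 colon-separated fields: name:pw:uid:gid:class:change:expire:gecos:home:shell)
# for accounts that are locked but still have a usable login shell, and checks
# each such home directory for a .login_conf that sets "shell=".

# Build constructed sample data in a temp dir; prints the directory path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/carol"
    # carol's .login_conf in login.conf(5) capability syntax, overriding the shell
    printf 'me:\\\n\t:shell=/bin/sh:\n' > "$d/home/carol/.login_conf"
    {
        printf 'root:$6$fakehash:0:0::0:0:Charlie &:/root:/bin/csh\n'
        printf 'alice:*LOCKED*$6$fakehash:1001:1001::0:0:Alice:%s/home/alice:/bin/sh\n' "$d"
        printf 'bob:*LOCKED*$6$fakehash:1002:1002::0:0:Bob:%s/home/bob:/sbin/nologin\n' "$d"
        printf 'carol:!:1003:1003::0:0:Carol:%s/home/carol:/usr/local/bin/bash\n' "$d"
    } > "$d/master.passwd"
    echo "$d"
}

# usage: audit_locked_accounts FILE
# Prints "user:shell:shell-override" or "user:shell:-" for every locked
# account (assumed markers: "*LOCKED*" prefix or "!") whose shell is not
# /sbin/nologin. bob is locked correctly and therefore not reported.
audit_locked_accounts() {
    awk -F: '
        $2 ~ /^(\*LOCKED\*|!)/ && $10 != "/sbin/nologin" {
            override = "-"
            conf = $9 "/.login_conf"
            # getline returns -1 when the file is absent, ending the loop
            while ((getline line < conf) > 0)
                if (line ~ /:shell=/) { override = "shell-override"; break }
            close(conf)
            print $1 ":" $10 ":" override
        }' "$1"
}

# Stand-alone demonstration on the constructed data.
sample=$(make_sample)
audit_locked_accounts "$sample/master.passwd"
rm -rf "$sample"
```

Run against a real system, the shell field check is the quick part; the .login_conf scan is what catches a locked user who kept a writable home directory.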