Date: Sun, 16 Jan 2000 12:56:38 -0500 (EST)
From: Omachonu Ogali <oogali@intranova.net>
To: cjclark@home.com
Cc: Dan Harnett <danh@wzrd.com>, Nicholas Brawn <ncb@zip.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <Pine.BSF.4.10.10001161255170.78224-100000@hydrant.intranova.net>
In-Reply-To: <200001152233.RAA53004@cc942873-a.ewndsr1.nj.home.com>

Once again...make the login shell nonexistent, so if an attacker manages
to get the password to that account they get no visual notice that they
have the correct password for that account.

Omachonu Ogali
Intranova Networking Group

On Sat, 15 Jan 2000, Crist J. Clark wrote:

> Dan Harnett wrote,
> > Hello,
> >
> > You could also set this particular user's shell to /sbin/nologin and make the
> > others use the -m option to su.
>
> But if you do this, remember,
>
>      -m      Leave the environment unmodified.  The invoked shell is your
>              login shell, and no directory changes are made.  As a security
>              precaution, if the target user's shell is a non-standard shell
>              (as defined by getusershell(3)) and the caller's real uid is
>              non-zero, su will fail.
>
> You have to add '/sbin/nologin' to /etc/shells.
> --
> Crist J. Clark                           cjclark@home.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
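An added example, not part of the original message or of FreeBSD: a small audit that applies the su -m rule quoted above (target shell not listed in /etc/shells and caller's real uid non-zero means su fails) to each account, and also reports whether the login shell exists on disk. The function names, the sample accounts and the non-root uid 1001 are hypothetical; the passwd and shells contents are constructed.

```python
import os

# Constructed sample data (not from the original message).
SAMPLE_SHELLS = """\
# List of acceptable shells, see getusershell(3)
/bin/sh
/bin/csh
/sbin/nologin
"""

SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
svc:*:1002:1002:Service account:/home/svc:/sbin/nologin
batch:*:1003:1003:Batch account:/home/batch:/nonexistent
"""


def parse_shells(text):
    """Return the shell paths listed in /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            shells.add(line)
    return shells


def su_m_fails(target_shell, caller_uid, shells):
    """Rule from the quoted su(1) text: non-standard shell and non-zero real uid."""
    return target_shell not in shells and caller_uid != 0


def audit(passwd_text, shells, exists=os.path.exists):
    """Classify each account's login shell (7-field /etc/passwd format)."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, shell = fields[0], fields[6] or "/bin/sh"  # empty field means /bin/sh
        report[name] = {
            "shell": shell,
            "listed": shell in shells,      # standard per /etc/shells
            "exists": exists(shell),        # False for a nonexistent login shell
            "su_m_fails_for_non_root": su_m_fails(shell, 1001, shells),  # 1001: assumed caller
        }
    return report
```

To audit a live system, pass the contents of /etc/passwd and /etc/shells; `exists` then defaults to a real filesystem check.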