Subject: Re: a few ssh questions
From: Hal Flynn (flynn SECURITYFOCUS.COM)
Date: Wed Nov 22 2000 - 14:26:00 CST
I think we've sufficiently discussed this topic. I'll end this thread
here.
flynn
> i did say "in theory"
> and i'm not suggesting that you put /dev/null in /etc/shells, simply that
> you substitute it for the users shell in /etc/passwd.
> now if you still want to have a user use ftp or something else, that's
> another story. but, i believe the question was how to prevent a user
> login without destroying the account. also if someone is trying to access
> an account which i have, in effect, shut down, i'm really not all that
> interested in giving them any information as to 'why' they did not get in.
> now this may all sound extreme, but it works, is easily undone and i have
> yet to see any evidence that it is harmful to the system which i am
> protecting.
> plus it's great for mail servers where you have any number of users
> sending their passwords in the clear with imap or pop.
> to quote a famous statement.............
> "That vulnerability is completely theoretical."
> i'd rather be paranoid than spend my weekend rebuilding a system
> just a thought
>
>
>
> On Wed, 22 Nov 2000, ksemat wrote:
>
> > > someone could, in theory, create a script called /bin/false which could be
> > > executed upon login. /dev/null seems pretty immune to that type of abuse
> > > imho
> > >
> > And how would the person be able to put it in /bin unless there is already
> > a security problem with the machine in which case the login shell does not
> > even matter. Normally on most systems there is actually a script called
> > /bin/false which does a few things and echoes a response about how the
> > account is unavailable. It can be useful say if you still want the user
> > to be able to do ftp you would simply add /bin/false to /etc/shells yet I
> > really doubt it would be wise to include /dev/null in /etc/shells
> > Sematimba Noah
> > ksemat eahd.or.ug
> >
>
>
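
An added example, not part of the original thread: a small audit of the two files the discussion turns on, showing for each account whether its shell field blocks an interactive session and whether that shell is listed in the shells file (the list that FTP daemons using getusershell(3) consult). The sample passwd and shells contents are constructed, and the set of paths treated as non-login shells is an assumption.

```shell
#!/bin/sh
# audit_shells PASSWD_FILE SHELLS_FILE
# One line per account: user, shell, login=blocked|allowed, ftp=allowed|denied.
# "ftp" here means only "shell is present in the shells list"; a daemon may
# apply further rules of its own.
audit_shells() {
    awk -F: -v shells_file="$2" '
        BEGIN {
            # Load the shells list, skipping comments and blank lines.
            while ((getline line < shells_file) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") listed[line] = 1
            }
            close(shells_file)
            # Assumption: paths treated as "no interactive session".
            blocked["/dev/null"] = 1; blocked["/bin/false"] = 1
            blocked["/sbin/nologin"] = 1; blocked["/usr/sbin/nologin"] = 1
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed rows
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field defaults to /bin/sh
            login = (shell in blocked) ? "blocked" : "allowed"
            ftp = (shell in listed) ? "allowed" : "denied"
            printf "%s %s login=%s ftp=%s\n", $1, shell, login, ftp
        }' "$1"
}

# Constructed sample data: bob is disabled with /bin/false (which is also
# listed in the shells file), carol is disabled with /dev/null (not listed).
demo_audit() {
    d=$(mktemp -d)
    printf '%s\n' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'bob:x:1002:1002::/home/bob:/bin/false' \
        'carol:x:1003:1003::/home/carol:/dev/null' > "$d/passwd"
    printf '%s\n' '# constructed shells list' \
        /bin/sh /bin/bash /bin/false > "$d/shells"
    audit_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}

demo_audit
```

On a live host the same function can be pointed at /etc/passwd and /etc/shells.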