Xref: sserve comp.unix.admin:21272 comp.os.386bsd.questions:11901
Newsgroups: comp.unix.admin,comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msuinfo!agate!ames!taligent!taligent.com!logan
From: logan@taligent.com (Logan Shaw)
Subject: Re: telnet security
Message-ID: <Ctq4MK.Kps@taligent.com>
Sender: usenet@taligent.com (More Bytes Than You Can Read)
Organization: Taligent, Inc.
References: <30kcmo$j0o@panix2.panix.com> <318dnd$b2j$1@garnet.msen.com> <319djp$4nm@babbage.ece.uc.edu>
Date: Fri, 29 Jul 1994 22:47:07 GMT
Lines: 60

In article <319djp$4nm@babbage.ece.uc.edu>, montjoy@thor.ece.uc.edu (Robert Montjoy) writes:
> In article <318dnd$b2j$1@garnet.msen.com>,
> Mike Pelletier <mpelletier@ofgw.ntt.com> wrote:
> >In article <30kcmo$j0o@panix2.panix.com>, richard <rpritz@panix.com> wrote:
> >>what do i do to make an account not accessible from telnet or ftp? i
> >>assume it's one of the /etc files. i'm using freebsd

> >One thing you can do to prevent their login via telnet, though, is to
> >set their shell to /bin/false. If you want to keep their shell info,
> >though, you can modify their .profile and put a "kill -HUP $$" as the
> >first line.

> These are all good ideas but do not forget about rsh and rlogin

I'm going to state the obvious here and say...

	touch /etc/nologin

It's certainly better than reconfiguring inetd and all that. It does
nothing about ftp, though.

Also, you can add a character like '*' (asterisk) to the beginning of
their password. If I remember correctly, it's not possible for the
encryption algorithm to produce a string that contains a '*', so
anything that does contain a '*' cannot be matched.

If the entry looks like

	joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

insert a '*' at the beginning of the password, so that it looks like

	joe:*Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

This makes it easy to quickly re-enable all the accounts you've disabled
with the vi command

	:%s/:[*]/:/

Another trick would be to add '/dev/null' to the beginning of the shell's
path, so that the entry would look like

	joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/dev/null/bin/ksh

That's easy to disable with the vi command

	:%s/:\/dev\/null/:/

Enjoy...

  Adios,
  Logan
-- 
The genius of France can be seen at a glance
And it's not in their fabled fashion scene
It's not that they're mean, or their wine, or cuisine
I refer of course to the guillotine
(the French knew how to lynch)
    T-Bone Burnett, "I Can Explain Everything"
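
Added example, not part of the original post: a field-aware version of the '*' password marker and an audit of which entries carry it or one of the shell markers mentioned in the thread. The function names, the sample entries for ann and bob, and the assumption that field 2 is the password hash and the last field is the shell are introduced here for illustration.

```shell
#!/bin/sh
# Field-aware handling of the markers described in the post above.
# Assumption: colon-separated passwd-format input, field 2 = password
# hash, last field = login shell. All functions write to stdout.

# Constructed sample data; ann's GECOS field starts with '*' on purpose.
sample_passwd() {
    cat <<'EOF'
joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh
ann:Xy1ConstructedA:202:200:*Temp* Ann:/home/ann:/bin/sh
bob:Zz9ConstructedB:203:200:Bob User:/home/bob:/dev/null/bin/ksh
EOF
}

# star_accounts FILE USER...: prefix '*' to field 2 of the named users.
# Entries that already carry the marker are not starred twice.
star_accounts() {
    file=$1; shift
    awk -F: -v OFS=: -v users=" $* " '
        index(users, " " $1 " ") && $2 !~ /^[*]/ { $2 = "*" $2 }
        { print }' "$file"
}

# unstar_accounts FILE: strip one leading '*' from field 2 only, so a
# '*' that starts a later field (ann's GECOS) is left alone.
unstar_accounts() {
    awk -F: -v OFS=: '{ sub(/^[*]/, "", $2); print }' "$1"
}

# audit_accounts FILE: print "user marker" for every entry.
audit_accounts() {
    awk -F: '
        $2 ~ /^[*]/          { print $1, "password-starred"; next }
        $NF ~ /^\/dev\/null/ { print $1, "shell-dev-null"; next }
        $NF == "/bin/false"  { print $1, "shell-bin-false"; next }
                             { print $1, "unmodified" }' "$1"
}

# Demo on a scratch copy, never on the live password file.
tmp=$(mktemp) && sample_passwd > "$tmp"
star_accounts "$tmp" joe ann > "$tmp.starred"
audit_accounts "$tmp.starred"
rm -f "$tmp" "$tmp.starred"
```

Restricting the substitution to field 2 matters for entries like ann's: a line-wide search for ':*' on an entry whose password is not starred would instead match the first later field that begins with '*'.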