*BSD News Article 33584



Xref: sserve comp.unix.admin:21272 comp.os.386bsd.questions:11901
Newsgroups: comp.unix.admin,comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msuinfo!agate!ames!taligent!taligent.com!logan
From: logan@taligent.com (Logan Shaw)
Subject: Re: telnet security
Message-ID: <Ctq4MK.Kps@taligent.com>
Sender: usenet@taligent.com (More Bytes Than You Can Read)
Organization: Taligent, Inc.
References: <30kcmo$j0o@panix2.panix.com> <318dnd$b2j$1@garnet.msen.com> <319djp$4nm@babbage.ece.uc.edu>
Date: Fri, 29 Jul 1994 22:47:07 GMT
Lines: 60

In article <319djp$4nm@babbage.ece.uc.edu>, montjoy@thor.ece.uc.edu (Robert Montjoy) writes:
> In article <318dnd$b2j$1@garnet.msen.com>,
> Mike Pelletier  <mpelletier@ofgw.ntt.com> wrote:
> >In article <30kcmo$j0o@panix2.panix.com>, richard <rpritz@panix.com> wrote:
> >>what do i do to make an account not accessible from telnet or ftp? i
> >>assume it's one of the /etc files.  i'm using freebsd

> >One thing you can do to prevent their login via telnet, though, is to
> >set their shell to /bin/false.  If you want to keep their shell info,
> >though, you can modify their .profile and put a "kill -HUP $$" as the
> >first line.

> These are all good ideas, but do not forget about rsh and rlogin.

I'm going to state the obvious here and say...

	touch /etc/nologin

It's certainly better than reconfiguring inetd and all that.  It does
nothing about ftp, though.

Also, you can add a character like '*' (asterisk) to the beginning of
their password.  If I remember correctly, it's not possible for the
encryption algorithm to produce a string that contains a '*', so anything
that does contain a '*' cannot be matched.

If the entry looks like

	joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

insert a '*' at the beginning of the password, so that it looks like

	joe:*Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

This makes it easy to quickly re-enable all the accounts you've disabled
with the vi command

	:%s/:[*]/:/

Another trick would be to add '/dev/null' to the beginning of the shell's
path, so that the entry would look like

	joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/dev/null/bin/ksh

That's easy to disable with the vi command

	:%s/:\/dev\/null/:/

Enjoy...

Adios,
  Logan

-- 
The genius of France can be seen at a glance
And it's not in their fabled fashion scene
It's not that they're mean, or their wine, or cuisine
I refer of course to the guillotine
(the French knew how to lynch)
                T-Bone Burnett, "I Can Explain Everything"
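
Added example, not part of the post above: field-aware versions of the '*' lock and unlock edits for a single account, plus an audit that reports which entries are disabled by either trick. The function names and the sample entries other than joe's are constructed for illustration; the functions read a passwd-format stream on stdin and never touch /etc/passwd. The unlock leaves a bare `*` password field alone, since stripping it would leave the field empty.

```shell
#!/bin/sh
# Hypothetical helpers: passwd-format text in on stdin, edited text out on stdout.

# Constructed sample data; joe's line is the entry used in the post.
sample_passwd() {
cat <<'EOF'
joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh
ann:*Zq1x8LmPw3kYs:202:200:Ann User:/home/ann:/bin/sh
bob:Hh7d2KqW9eRtU:203:200:Bob User:/home/bob:/dev/null/bin/ksh
daemon:*:1:1:System Daemon:/:/sbin/nologin
EOF
}

# lock_account USER: prefix '*' to USER's password field unless already present.
lock_account() {
    awk -F: -v OFS=: -v u="$1" \
        '$1 == u && substr($2, 1, 1) != "*" { $2 = "*" $2 } { print }'
}

# unlock_account USER: strip one leading '*' from USER's password field only.
# A field that is just "*" is skipped so it never becomes an empty password.
unlock_account() {
    awk -F: -v OFS=: -v u="$1" \
        '$1 == u && length($2) > 1 && substr($2, 1, 1) == "*" { $2 = substr($2, 2) }
         { print }'
}

# audit_accounts: print "user status" for every entry.
audit_accounts() {
    awk -F: '{
        s = "active"
        if (substr($2, 1, 1) == "*")          s = "locked-password"
        else if (index($7, "/dev/null") == 1) s = "locked-shell"
        print $1, s
    }'
}
```

For example, `sample_passwd | lock_account joe | audit_accounts` reports joe as `locked-password` and leaves the other entries unchanged.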