Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
tags 366541 pending
thanks

On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
> Package: openssh-server
> Version: 1:4.2p1-8
> Severity: normal
> Tags: security
>
> /etc/passwd contains the entry:
>
> sshd:x:101:65534::/var/run/sshd:/bin/false
>
> SUGGESTION
>
> The new login package includes /bin/nologin, which would be more secure,
> because it leaves a trace in syslog after login attempts.

(/usr/sbin/nologin, after an extensive discussion.)

Thanks for the suggestion; I've made this change in my local openssh tree
for my next upload.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
| On Wed, May 10, 2006 at 07:46:20AM +0300, Jari Aalto wrote:
| > | severity 366541 wishlist
| > | thanks
| > |
| > | On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
| > | > Package: openssh-server
| > | > Version: 1:4.2p1-8
| > | > Severity: normal
| > | > Tags: security
| > | >
| > | > /etc/passwd contains the entry:
| > | >
| > | > sshd:x:101:65534::/var/run/sshd:/bin/false
| > | >
| > | > SUGGESTION
| > | >
| > | > The new login package includes /bin/nologin, which would be more secure,
| > | > because it leaves a trace in syslog after login attempts.
| > |
| > | I think it has the same functional effect:
| > |
| > | May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
| > | May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| > | May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| >
| > Not at all. The nologin records the account that was used to "crack in".
|
| I was unclear. The first of those lines was when I ran
| /usr/sbin/nologin (note that the path is different from what you
| suggest) from the shell of an authenticated account.
|
| The other 2 lines are the same, since the shell is never even run; I
| guess that this is a request for logging, in the accidental case that
| the shell *is* run?

Correct. The improved logging makes the difference, which I consider
"more secure", because this information can be gathered by security
auditing tools.

The switch to /bin/nologin is easily done.

Jari
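The "easily done" switch above, as an added example that is not part of the bug report or of the openssh package: a POSIX sh script that audits a passwd(5)-style listing for accounts still using /bin/false, prints the usermod(8) command that moves each one to nologin, and checks the one caveat a practitioner should keep in mind (nologin, like /bin/false, must not appear in /etc/shells). The passwd and shells contents are constructed for the example; the NOLOGIN variable and the default of /usr/sbin/nologin follow the path the thread settled on and are this example's assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug report or the openssh package.
# Audit a passwd(5)-style listing for accounts whose shell is /bin/false and
# print the usermod(8) command that moves each one to nologin, which, unlike
# /bin/false, logs "Attempted login by USER on TTY" to syslog if it ever runs.
# SAMPLE_PASSWD and SAMPLE_SHELLS are constructed inputs for this example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
jari:x:1000:1000:Jari:/home/jari:/bin/sh'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/bin/dash'

# Assumed default: the Debian path the discussion settled on.
NOLOGIN=${NOLOGIN:-/usr/sbin/nologin}

# Print "user:shell" for every account whose shell is /bin/false or /usr/bin/false.
false_shell_accounts() {
    printf '%s\n' "$1" |
        awk -F: '$7 == "/bin/false" || $7 == "/usr/bin/false" { print $1 ":" $7 }'
}

# Count those accounts in awk, so there is no wc(1) padding to strip.
count_false_shells() {
    printf '%s\n' "$1" |
        awk -F: '$7 == "/bin/false" || $7 == "/usr/bin/false" { n++ } END { print n + 0 }'
}

# The command that switches one account to the nologin shell.
switch_command() {
    echo "usermod -s $NOLOGIN $1"
}

# Caveat: nologin (like /bin/false) must stay OUT of /etc/shells. Tools that
# consult that file, such as chsh(1) and many FTP daemons, treat a listed
# shell as a valid login shell. $1 is the file content, $2 the shell path;
# returns 0 if listed, 1 otherwise. Fixed-string, whole-line match.
shell_is_listed() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# Print the audit report: one comment line per offending account, followed
# by the corrective command, then a warning if nologin is in the shells file.
audit_report() {
    passwd_content=$1
    shells_content=$2
    false_shell_accounts "$passwd_content" | while IFS=: read -r user shell; do
        echo "# $user uses $shell"
        switch_command "$user"
    done
    if shell_is_listed "$shells_content" "$NOLOGIN"; then
        echo "# WARNING: $NOLOGIN is listed in /etc/shells; remove it" >&2
    fi
}

audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

Run against a real host with `audit_report "$(cat /etc/passwd)" "$(cat /etc/shells)"`; after applying the printed `usermod` lines, a stray `su - sshd` or a misconfigured service that does start the account's shell shows up in auth.log as the `nologin: Attempted login by ... on ...` line Justin quoted, which is exactly the trace /bin/false never leaves.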
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
On Wed, May 10, 2006 at 07:46:20AM +0300, Jari Aalto wrote:
> | severity 366541 wishlist
> | thanks
> |
> | On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
> | > Package: openssh-server
> | > Version: 1:4.2p1-8
> | > Severity: normal
> | > Tags: security
> | >
> | > /etc/passwd contains the entry:
> | >
> | > sshd:x:101:65534::/var/run/sshd:/bin/false
> | >
> | > SUGGESTION
> | >
> | > The new login package includes /bin/nologin, which would be more secure,
> | > because it leaves a trace in syslog after login attempts.
> |
> | I think it has the same functional effect:
> |
> | May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
> | May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
> | May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
>
> Not at all. The nologin records the account that was used to "crack in".

I was unclear. The first of those lines was when I ran
/usr/sbin/nologin (note that the path is different from what you
suggest) from the shell of an authenticated account.

The other 2 lines are the same, since the shell is never even run; I
guess that this is a request for logging, in the accidental case that
the shell *is* run?

Justin
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
| severity 366541 wishlist
| thanks
|
| On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
| > Package: openssh-server
| > Version: 1:4.2p1-8
| > Severity: normal
| > Tags: security
| >
| > /etc/passwd contains the entry:
| >
| > sshd:x:101:65534::/var/run/sshd:/bin/false
| >
| > SUGGESTION
| >
| > The new login package includes /bin/nologin, which would be more secure,
| > because it leaves a trace in syslog after login attempts.
|
| I think it has the same functional effect:
|
| May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
| May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure

Not at all. The nologin records the account that was used to "crack in".

| Also, nologin.5 reads:
|
|     It is intended as a replacement shell field for accounts that
|     have been disabled
|
| which isn't the case for 'sshd', which should never be enabled in the
| first place; it is just a special use for running the ssh parent
| daemon process.

This is an error in nologin's manual page and needs improvement. I know,
because I was the one that ported nologin from BSD to Linux and
submitted it to the "login" package maintainers. /bin/nologin is a
straight alternative to /bin/false.

Jari
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
severity 366541 wishlist
thanks

On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
> Package: openssh-server
> Version: 1:4.2p1-8
> Severity: normal
> Tags: security
>
> /etc/passwd contains the entry:
>
> sshd:x:101:65534::/var/run/sshd:/bin/false
>
> SUGGESTION
>
> The new login package includes /bin/nologin, which would be more secure,
> because it leaves a trace in syslog after login attempts.

I think it has the same functional effect:

May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure

Also, nologin.5 reads:

    It is intended as a replacement shell field for accounts that
    have been disabled

which isn't the case for 'sshd', which should never be enabled in the
first place; it is just a special use for running the ssh parent
daemon process.

Justin
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
Package: openssh-server
Version: 1:4.2p1-8
Severity: normal
Tags: security

/etc/passwd contains the entry:

sshd:x:101:65534::/var/run/sshd:/bin/false

SUGGESTION

The new login package includes /bin/nologin, which would be more secure,
because it leaves a trace in syslog after login attempts.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)

Versions of packages openssh-server depends on:
ii  adduser        3.87                        Add and remove users and groups
ii  debconf [debc  1.5.0                       Debian configuration management sy
ii  dpkg           1.13.19                     package maintenance system for Deb
ii  libc6          2.3.6-7                     GNU C Library: Shared libraries
ii  libcomerr2     1.38+1.39-WIP-2006.04.09-1  common error description library
ii  libkrb53       1.4.3-7                     MIT Kerberos runtime libraries
ii  libpam-module  0.79-3.1                    Pluggable Authentication Modules f
ii  libpam-runtim  0.79-3.1                    Runtime support for the PAM librar
ii  libpam0g       0.79-3.1                    Pluggable Authentication Modules l
ii  libselinux1    1.30-1                      SELinux shared libraries
ii  libssl0.9.8    0.9.8a-8                    SSL shared libraries
ii  libwrap0       7.6.dbs-9                   Wietse Venema's TCP wrappers libra
ii  openssh-clien  1:4.2p1-8                   Secure shell client, an rlogin/rsh
ii  zlib1g         1:1.2.3-11                  compression library - runtime

openssh-server recommends no packages.

-- debconf information excluded