Xref: sserve comp.unix.admin:21272 comp.os.386bsd.questions:11901
Newsgroups: comp.unix.admin,comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msuinfo!agate!ames!taligent!taligent.com!logan
From: logan@taligent.com (Logan Shaw)
Subject: Re: telnet security
Message-ID: <Ctq4MK.Kps@taligent.com>
Sender: usenet@taligent.com (More Bytes Than You Can Read)
Organization: Taligent, Inc.
References: <30kcmo$j0o@panix2.panix.com> <318dnd$b2j$1@garnet.msen.com> <319djp$4nm@babbage.ece.uc.edu>
Date: Fri, 29 Jul 1994 22:47:07 GMT
Lines: 60
In article <319djp$4nm@babbage.ece.uc.edu>, montjoy@thor.ece.uc.edu (Robert Montjoy) writes:
> In article <318dnd$b2j$1@garnet.msen.com>,
> Mike Pelletier <mpelletier@ofgw.ntt.com> wrote:
> >In article <30kcmo$j0o@panix2.panix.com>, richard <rpritz@panix.com> wrote:
> >>What do I do to make an account not accessible from telnet or ftp? I
> >>assume it's one of the /etc files. I'm using FreeBSD.
> >One thing you can do to prevent their login via telnet, though, is to
> >set their shell to /bin/false. If you want to keep their shell info,
> >though, you can modify their .profile and put a "kill -HUP $$" as the
> >first line.
> These are all good ideas, but do not forget about rsh and rlogin.

I'm going to state the obvious here and say...

    touch /etc/nologin

It's certainly better than reconfiguring inetd and all that. It does
nothing about ftp, though.

Also, you can add a character like '*' (asterisk) to the beginning of
their password. If I remember correctly, it's not possible for the
encryption algorithm to produce a string that contains a '*', so anything
that does contain a '*' cannot be matched.

If the entry looks like

    joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

insert a '*' at the beginning of the password, so that it looks like

    joe:*Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh

This makes it easy to quickly re-enable all the accounts you've disabled
with the vi command

    :%s/:[*]/:/

Another trick would be to add '/dev/null' to the beginning of the shell's
path, so that the entry would look like

    joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/dev/null/bin/ksh

That's easy to disable with the vi command

    :%s/:\/dev\/null/:/

Enjoy...

Adios,
Logan
--
The genius of France can be seen at a glance
And it's not in their fabled fashion scene
It's not that they're mean, or their wine, or cuisine
I refer of course to the guillotine
(the French knew how to lynch)
T-Bone Burnett, "I Can Explain Everything"
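
An added example, not part of the original post: the '*' prefix trick as a pair of shell functions that touch only the password field of a passwd-format file, with the post's substitution expressed in sed for comparison. The function names, the daemon and ann lines and ann's hash are constructed for illustration; on a line whose password field is a bare '*', the plain substitution leaves that field empty, which the field-aware version avoids.

```shell
#!/bin/sh
# Added example. Operates on a copy of a passwd-format file and writes to stdout.

# Constructed sample data; joe's line is the one from the post, the rest is made up.
sample_passwd() {
cat <<'EOF'
daemon:*:1:1:System daemon:/root:/sbin/nologin
joe:Fr0b2m7gnaF6D:201:200:Joe User:/home/joe:/bin/ksh
ann:Qz7pL0mEw3xYc:202:200:Ann User:/home/ann:/bin/sh
EOF
}

# lock_accounts FILE USER...: prefix field 2 with '*' for the named users only.
lock_accounts() {
    file=$1; shift
    awk -F: -v users="$*" '
        BEGIN { OFS = ":"; n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $2 !~ /^\*/ { $2 = "*" $2 }   # skip entries already locked
        { print }
    ' "$file"
}

# unlock_accounts FILE: strip a leading '*' from field 2 only when a hash follows.
# A bare '*' (system accounts) is kept; stripping it would leave the field empty.
unlock_accounts() {
    awk -F: 'BEGIN { OFS = ":" }
        $2 ~ /^\*./ { $2 = substr($2, 2) }
        { print }
    ' "$1"
}

# The post's vi substitution written as sed, for comparison on the same input.
naive_unlock() { sed 's/:[*]/:/' "$1"; }

demo() {
    work=$(mktemp -d)
    sample_passwd > "$work/passwd"
    lock_accounts "$work/passwd" joe > "$work/locked"
    echo "--- field-aware unlock"; unlock_accounts "$work/locked"
    echo "--- plain substitution"; naive_unlock "$work/locked"
    rm -rf "$work"
}
demo
```

On FreeBSD the hashes live in /etc/master.passwd, which is edited through vipw; run the functions on a copy and review the diff before installing the result.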