Re: How to block NIS logins via ssh?
> > enough time and resources, any password can be cracked. I really do not

when enough time is somehow like the lifetime of a star ;) (unless you choose bad passwords).

> > understand why so many users insist on using passwords anyway.
>
> 2 reasons:
> - It's the default
> - Less hassle getting access from a new account.
>
> It's the first thing I disable as well. I have machines I don't even know my local password for. Key on a flash card so I can get access from any new machine with a USB port.
>
> --
> Mel
> Problem with today's modular software: they start with the modules and never get to the software part.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How to block NIS logins via ssh?
On Thursday 11 December 2008 12:40:10 Jerry wrote:
> On Thu, 11 Dec 2008 09:11:26 +0100
> Mel wrote:
> > 6) Disable password based logins and use keys only.
>
> Personally, I have always used 'keys' instead of passwords. Given
> enough time and resources, any password can be cracked. I really do not
> understand why so many users insist on using passwords anyway.

2 reasons:
- It's the default
- Less hassle getting access from a new account.

It's the first thing I disable as well. I have machines I don't even know my local password for. Key on a flash card so I can get access from any new machine with a USB port.

--
Mel
Problem with today's modular software: they start with the modules and never get to the software part.
Re: How to block NIS logins via ssh?
On Thu, 11 Dec 2008 09:11:26 +0100 Mel <[EMAIL PROTECTED]> wrote:
> On Thursday 11 December 2008 08:10:09 Dan Mahoney, System Admin wrote:
> > Given, there's several solutions to this:
> >
> > 1) The Kluge as above.
> >
> > 2) A pam module to check /etc/group (this is standard login behavior, and historically supported, and available on other platforms; adding a module, even to ports, is trivial.
> >
> > 3) A patch to openssh to do /etc/shells checking (I'll note that openSSH has the "UseLogin" option, which may also do this.
> >
> > 4) An option to pam_unix to check this. Differs from #2 in that it's a change to an existing module instead of one in ports.
>
> 5) Use AllowGroups/AllowUsers and/or their Deny equivalent in sshd_config.
>
> 6) Disable password based logins and use keys only.

Personally, I have always used 'keys' instead of passwords. Given enough time and resources, any password can be cracked. I really do not understand why so many users insist on using passwords anyway.

--
Jerry
[EMAIL PROTECTED]

A sadist is a masochist who follows the Golden Rule.
Re: How to block NIS logins via ssh?
On Thursday 11 December 2008 08:10:09 Dan Mahoney, System Admin wrote:
> Given, there's several solutions to this:
>
> 1) The Kluge as above.
>
> 2) A pam module to check /etc/group (this is standard login behavior, and historically supported, and available on other platforms; adding a module, even to ports, is trivial.
>
> 3) A patch to openssh to do /etc/shells checking (I'll note that openSSH has the "UseLogin" option, which may also do this.
>
> 4) An option to pam_unix to check this. Differs from #2 in that it's a change to an existing module instead of one in ports.

5) Use AllowGroups/AllowUsers and/or their Deny equivalent in sshd_config.

6) Disable password based logins and use keys only.

--
Mel
Problem with today's modular software: they start with the modules and never get to the software part.
Re: How to block NIS logins via ssh?
On Wed, 10 Dec 2008, Dan Nelson wrote:
> In the last episode (Dec 10), Dan Mahoney, System Admin said:
> > On Wed, 10 Dec 2008, Dan Nelson wrote:
> > > In the last episode (Dec 10), Dan Mahoney, System Admin said:
> > > > I'm noticing that when following the directions given here:
> > > >
> > > > http://www.freebsd.org/doc/en/books/handbook/network-nis.html
> > > >
> > > > For how to disable logins, the recommended action is to set the shell to /sbin/nologin.
> > > >
> > > > However, this is sloppy as it allows the user to log in, get the motd, do everything short of getting a shell.
> > > >
> > > > I've tried starring out the password in the +: entry, (and putting in a "bad" password, like x), and those don't seem to work. I am still able to connect via sshd and prove that the account works.
> > >
> > > By default, the passwd field is ignored in an NIS + or - line. It looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the behaviour you're looking for (see the compat_set_template function in src/lib/libc/gen/getpwent.c).
> >
> > Okay, let's look at it from an alternate tack then -- what else renders an account invalid?
> >
> > Is there a pam knob to check /etc/shells? Or an sshd option?
>
> There's a pam_exec module which launches a program of your choice. You could look up the user's shell from there using whatever script you're comfortable with. Or, if all your NIS users are members of a certain group, you could use the pam_group module to deny them.
>
> > I found these:
> >
> > http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html
> >
> > for a user who had a similar problem, but freebsd doesn't appear to have the requisite module. This could also be implemented as an option to pam_unix (which could check either /etc/shells or the NIS equivalent, since it already has the NIS hooks.)
>
> It looks like our pam_unix module has a "local_pass" option, which claims to disallow NIS logins. Have you tried that?

No, I'm using netgroups -- i.e. allow one user (or, rather, allow the @STAFF group, import the whole map, disallow the rest from logging in.)

Actually, I just found the answer to this... instead of putting "nologin" in, put in something bogus (I'm using /nonexistent)... and the password will just loop. This is something sshd does internally.

Given, there's several solutions to this:

1) The Kluge as above.

2) A pam module to check /etc/group (this is standard login behavior, and historically supported, and available on other platforms; adding a module, even to ports, is trivial.

3) A patch to openssh to do /etc/shells checking (I'll note that openSSH has the "UseLogin" option, which may also do this.

4) An option to pam_unix to check this. Differs from #2 in that it's a change to an existing module instead of one in ports.

-Dan

--
"The first annual 5th of July party... have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."
--Cali and Gushi, 6/23/02

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: How to block NIS logins via ssh?
In the last episode (Dec 10), Dan Mahoney, System Admin said:
> On Wed, 10 Dec 2008, Dan Nelson wrote:
> > In the last episode (Dec 10), Dan Mahoney, System Admin said:
> > > I'm noticing that when following the directions given here:
> > >
> > > http://www.freebsd.org/doc/en/books/handbook/network-nis.html
> > >
> > > For how to disable logins, the recommended action is to set the shell to
> > > /sbin/nologin.
> > >
> > > However, this is sloppy as it allows the user to log in, get the
> > > motd, do everything short of getting a shell.
> > >
> > > I've tried starring out the password in the +: entry, (and
> > > putting in a "bad" password, like x), and those don't seem to
> > > work. I am still able to connect via sshd and prove that the
> > > account works.
> >
> > By default, the passwd field is ignored in an NIS + or - line. It
> > looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will
> > get the behaviour you're looking for (see the compat_set_template
> > function in src/lib/libc/gen/getpwent.c).
>
> Okay, let's look at it from an alternate tack then -- what else renders an
> account invalid?
>
> Is there a pam knob to check /etc/shells? Or an sshd option?

There's a pam_exec module which launches a program of your choice. You could look up the user's shell from there using whatever script you're comfortable with. Or, if all your NIS users are members of a certain group, you could use the pam_group module to deny them.

> I found these:
>
> http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html
>
> for a user who had a similar problem, but freebsd doesn't appear to have
> the requisite module. This could also be implemented as an option to
> pam_unix (which could check either /etc/shells or the NIS equivalent,
> since it already has the NIS hooks.)

It looks like our pam_unix module has a "local_pass" option, which claims to disallow NIS logins. Have you tried that?

> I'll make a separate post to -hackers requesting this.
>
> it's probably pretty trivial to port, but I'm leery to do so
> not-being a c-coder.

--
Dan Nelson
[EMAIL PROTECTED]
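A pam_exec helper along the lines Dan Nelson suggests, as an added example that is not from the thread or from FreeBSD itself: it looks up the user's login shell and fails the PAM check unless that shell is listed in /etc/shells, which rejects both /sbin/nologin and the /nonexistent kluge. It assumes pam_exec exports PAM_USER to the program and that getent(1) resolves the same passwd sources (NIS included) as the login path; the sample passwd and shells data are constructed, not real accounts.

```shell
#!/bin/sh
# Added example (not from the thread): pam_exec helper that denies a login
# unless the user's shell appears in /etc/shells. Assumes pam_exec exports
# PAM_USER and that getent(1) consults NIS like the rest of the login path.

# Print the login shell of user $1 from passwd-format file $2 (7th field).
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Exit 0 if shell $1 is listed in shells file $2; comment lines are ignored.
shell_listed() {
    [ -n "$1" ] || return 1
    awk -v s="$1" '/^[[:space:]]*#/ { next } $1 == s { found = 1 }
                   END { exit !found }' "$2"
}

# Policy: allow only when the user exists and has an approved shell.
login_allowed() {
    lsh=$(user_shell "$1" "$2")
    shell_listed "$lsh" "$3"
}

# Offline demonstration on constructed data: alice has a listed shell,
# bob the /nonexistent kluge, carol /sbin/nologin. Prints allow or deny.
demo_decision() {
    d=$(mktemp -d) || return 2
    printf 'alice:*:1001:1001::/home/alice:/bin/sh\n' > "$d/passwd"
    printf 'bob:*:1002:1002::/home/bob:/nonexistent\n' >> "$d/passwd"
    printf 'carol:*:1003:1003::/home/carol:/sbin/nologin\n' >> "$d/passwd"
    printf '# constructed /etc/shells\n/bin/sh\n/bin/csh\n' > "$d/shells"
    if login_allowed "$1" "$d/passwd" "$d/shells"; then r=allow; else r=deny; fi
    rm -rf "$d"
    echo "$r"
}

# When run by pam_exec: decide for the real user; the exit status is PAM's answer.
if [ -n "$PAM_USER" ]; then
    t=$(mktemp) || exit 1
    getent passwd "$PAM_USER" > "$t"
    login_allowed "$PAM_USER" "$t" /etc/shells; rc=$?
    rm -f "$t"
    exit "$rc"
fi
```

Wired in as an account-management line such as `account required pam_exec.so /usr/local/sbin/check_shell.sh` in /etc/pam.d/sshd (path and stack placement are assumptions), the script runs after authentication succeeds, so a user whose shell is not in /etc/shells is refused whether their password or key was accepted.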
Re: How to block NIS logins via ssh?
On Wed, 10 Dec 2008, Dan Nelson wrote:
> In the last episode (Dec 10), Dan Mahoney, System Admin said:
> > I'm noticing that when following the directions given here:
> >
> > http://www.freebsd.org/doc/en/books/handbook/network-nis.html
> >
> > For how to disable logins, the recommended action is to set the shell to /sbin/nologin.
> >
> > However, this is sloppy as it allows the user to log in, get the motd, do everything short of getting a shell.
> >
> > I've tried starring out the password in the +: entry, (and putting in a "bad" password, like x), and those don't seem to work. I am still able to connect via sshd and prove that the account works.
>
> By default, the passwd field is ignored in an NIS + or - line. It looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the behaviour you're looking for (see the compat_set_template function in src/lib/libc/gen/getpwent.c).

Okay, let's look at it from an alternate tack then -- what else renders an account invalid?

Is there a pam knob to check /etc/shells? Or an sshd option?

I found these:

http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html

for a user who had a similar problem, but freebsd doesn't appear to have the requisite module. This could also be implemented as an option to pam_unix (which could check either /etc/shells or the NIS equivalent, since it already has the NIS hooks.)

I'll make a separate post to -hackers requesting this.

It's probably pretty trivial to port, but I'm leery to do so, not being a C coder.

-Dan

--
"Of course she's gonna be upset! You're dealing with a woman here Dan, what the hell's wrong with you?"
-S. Kennedy, 11/11/01

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: How to block NIS logins via ssh?
In the last episode (Dec 10), Dan Mahoney, System Admin said:
> I'm noticing that when following the directions given here:
>
> http://www.freebsd.org/doc/en/books/handbook/network-nis.html
>
> For how to disable logins, the recommended action is to set the shell to
> /sbin/nologin.
>
> However, this is sloppy as it allows the user to log in, get the
> motd, do everything short of getting a shell.
>
> I've tried starring out the password in the +: entry, (and
> putting in a "bad" password, like x), and those don't seem to work.
> I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the behaviour you're looking for (see the compat_set_template function in src/lib/libc/gen/getpwent.c).

--
Dan Nelson
[EMAIL PROTECTED]