
Re: Why not use /bin/noshell? (was Re: Why do system users have valid shells)



Try the package "falselogin"

micah

Javier Fernández-Sanguino Peña wrote on Thursday, 23 October 2003:

> On Wed, Oct 22, 2003 at 09:45:24AM +0200, Tobias Reckhard wrote:
> > Hi
> > 
> > We recently noticed that a stock woody install produces an /etc/passwd 
> > in which most, if not all, system users have a valid shell entry of 
> > /bin/sh. They're all unable to login due to having no valid password, 
> > but best UNIX security practice typically involves giving accounts that 
> > don't need to be able to login a shell of /bin/false or /bin/true. Other 
> > distros (at least some of them) appear to follow suit.
> 
> I have meant to ask this question for some time too. Especially since some 
> distributions (such as RedHat) provide system users with a /bin/noshell 
> shell. I'm not sure if this is the same shell as the one provided by Titan 
> [1] but IMHO I believe it's a must to have a shell that logs the entry 
> attempt to syslog (as opposed to what /bin/false or /bin/true do).
> 
> So, does anybody know of any issues (Debian specific or not) related to using 
> /bin/noshell instead?
> 
> Regards
> 
> Javi
> 
> PS: I guess, as for recommended practice, you mean CERT's guidelines:
> http://www.cert.org/security-improvement/implementations/i049.02.html
> which does suggest using Titan's noshell
> 
> 
> [1] Titan's noshell can be found at:
> http://www.fish.com/titan/src1/noshell.c


Attachment: pgpYKTUYPR5LK.pgp
Description: PGP signature
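
An audit for the condition discussed in this thread, added here as an example and not taken from any of the posters or from the falselogin or Titan packages: it lists system accounts in a passwd-format file whose shell field still names a login shell. The UID range 1..999, the list of non-login shells and the sample passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report system accounts whose passwd shell field still
# allows a login. Assumptions: system UIDs are 1..999 (root is skipped)
# and the shells in NOLOGIN_SHELLS count as "cannot log in".
NOLOGIN_SHELLS="/bin/false /bin/true /bin/noshell /usr/sbin/nologin /sbin/nologin"

# audit_shells FILE [MAX_SYSTEM_UID]   (FILE may be "-" for stdin)
# Prints "name:uid:shell" per offending account; exit status 1 if any found.
audit_shells() {
    awk -F: -v max="${2:-999}" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^[#+-]/ || NF < 7 { next }       # comments, NIS compat lines, short lines
        $3 !~ /^[0-9]+$/   { next }       # malformed UID
        $3 + 0 > 0 && $3 + 0 <= max + 0 {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field defaults to /bin/sh
            if (!(shell in ok)) { print $1 ":" $3 ":" shell; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input, not copied from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
www-data:x:33:33:www-data:/var/www:
sshd:x:100:65534::/var/run/sshd:/bin/noshell
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo: audit the sample; on a real host run: audit_shells /etc/passwd
sample_passwd | audit_shells - || echo "system accounts with a login shell found"
```

The www-data line is reported because an empty shell field is treated as /bin/sh, which is easy to miss when checking the file by eye.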

