[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false

severity 366541 wishlist

On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
> Package: openssh-server
> Version: 1:4.2p1-8
> Severity: normal
> Tags: security
> The /etc/passwd contains entry:
>   sshd:x:101:65534::/var/run/sshd:/bin/false
> The new login package includes /bin/nologin wich would be more secure, 
> because it leaves trace to syslog after login attemps.
I think it has the same functional effect:
  May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
  May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
  May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure

Also, nologin.5 reads:

       It is intended as a replacement shell field for accounts that
       have been disabled

which isn't the case for 'sshd', which should never be enabled in the
first place; it is just a special use for running the ssh parent
daemon process.


Reply to: