Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false
| severity 366541 wishlist
| thanks
|
| On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
| > Package: openssh-server
| > Version: 1:4.2p1-8
| > Severity: normal
| > Tags: security
| >
| > The /etc/passwd contains entry:
| >
| > sshd:x:101:65534::/var/run/sshd:/bin/false
| >
| > SUGGESTION
| >
| > The new login package includes /bin/nologin which would be more secure,
| > because it leaves trace to syslog after login attempts.
| I think it has the same functional effect:
| May 9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
| May 9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| May 9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
Not at all. The nologin records the account that was used to "crack in".
| Also, nologin.5 reads:
|
| It is intended as a replacement shell field for accounts that
| have been disabled
|
| which isn't the case for 'sshd', which should never be enabled in the
| first place; it is just a special use for running the ssh parent
| daemon process.
This is an error in nologin's manual page and needs improvement.
I know, because I was the one that ported the nologin from bsd to
Linux and submitted it to "login" package maintainers.
The /bin/nologin is a straight alternative to /bin/false
Jari
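An added example, not part of this bug report and not code from the login or openssh packages, showing the defender's side of the point made above: a /bin/false shell fails silently, while /bin/nologin leaves an "Attempted login by ..." record in syslog that can be picked up. The script audits a passwd excerpt for service accounts still on /bin/false and extracts nologin's records from syslog-style lines. The passwd entries (apart from the sshd line, which mirrors the one in the report) and the log lines are constructed samples, and the function names are my own.

```python
"""Added example (not from the bug report): audit which accounts in a passwd
file use /bin/false (silent) versus /bin/nologin (logs the attempt), and pull
nologin's "Attempted login" records out of syslog-style lines."""
import re

# Constructed passwd excerpt; the sshd line mirrors the one quoted in the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
"""

# Constructed syslog excerpt in the same shape as the lines quoted in the report.
SAMPLE_SYSLOG = """\
May 9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
May 9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
May 9 12:49:31 andromeda sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 5555 ssh2
"""

# Shell paths that log a refused login versus ones that simply exit non-zero.
NOLOGIN_SHELLS = {"/bin/nologin", "/usr/sbin/nologin", "/sbin/nologin"}
SILENT_SHELLS = {"/bin/false", "/usr/bin/false"}


def classify_shells(passwd_text):
    """Map each username to 'nologin', 'false' or 'interactive' by its shell field."""
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # skip blank or malformed lines
            continue
        name, shell = fields[0], fields[6]
        if shell in NOLOGIN_SHELLS:
            result[name] = "nologin"
        elif shell in SILENT_SHELLS:
            result[name] = "false"
        else:
            result[name] = "interactive"
    return result


def silent_accounts(passwd_text):
    """Accounts whose shell is /bin/false: a login attempt against them leaves no syslog trace."""
    return sorted(n for n, kind in classify_shells(passwd_text).items() if kind == "false")


# Matches the record format nologin writes, as quoted in the report.
NOLOGIN_RE = re.compile(r"nologin(?:\[\d+\])?: Attempted login by (\S+) on (\S+)")


def nologin_attempts(log_text):
    """Return (user, tty) pairs for every nologin record in the log text."""
    matches = (NOLOGIN_RE.search(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]


if __name__ == "__main__":
    print("accounts on /bin/false:", silent_accounts(SAMPLE_PASSWD))
    for user, tty in nologin_attempts(SAMPLE_SYSLOG):
        print(f"nologin refused a login as {user} on {tty}")
```

Feeding the real /etc/passwd and /var/log/auth.log to the two functions turns the discussion above into a check: any account listed by silent_accounts() is one whose attempted logins you will never see in nologin_attempts().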