
Bug#366541: openssh-server: [security] use /bin/nologin instead of /bin/false



| On Wed, May 10, 2006 at 07:46:20AM +0300, Jari Aalto wrote:
| > | severity 366541 wishlist
| > | thanks
| > | 
| > | On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
| > | > Package: openssh-server
| > | > Version: 1:4.2p1-8
| > | > Severity: normal
| > | > Tags: security
| > | > 
| > | > The /etc/passwd contains entry:
| > | > 
| > | >   sshd:x:101:65534::/var/run/sshd:/bin/false
| > | > 
| > | > SUGGESTION
| > | > 
| > | > The new login package includes /bin/nologin which would be more secure, 
| > | > because it leaves a trace in syslog after login attempts.
| > | I think it has the same functional effect:
| > |   May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
| > |   May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| > |   May  9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| > 
| > Not at all. The nologin records the account that was used to "crack in".
| I was unclear.  The first of those lines was when I ran
| /usr/sbin/nologin (note that the path is different from what you
| suggest) from the shell of an authenticated account.
| 
| The other 2 lines are the same, since the shell is never even run; I
| guess that this is a request for logging, in the accidental case that
| the shell *is* run?

Correct. The improved logging makes the difference, which I consider
"more secure", because this information can be gathered by security
auditing tools. The switch to /bin/nologin is easily done.

Jari
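As an added example (not from the bug report, the login package or openssh itself), a POSIX shell script that does the two things this thread turns on from an auditing side: it lists accounts in a passwd-style file whose shell is /bin/false, and it extracts the account names that nologin writes to syslog in the "Attempted login by" format quoted above. The sample passwd entries and log lines are constructed, and the list of candidate nologin paths is an assumption.

```shell
#!/bin/sh
# Audit helper for the /bin/false vs nologin question in Bug#366541.

# Constructed passwd-style content (not a real system file).
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
)

# Constructed syslog lines in the format nologin and login use in the thread.
SAMPLE_LOG=$(cat <<'EOF'
May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
May 10 08:01:02 andromeda nologin: Attempted login by sshd on /dev/pts/3
EOF
)

# Print, one per line, the accounts whose login shell is /bin/false.
# These are the accounts that would leave no syslog trace if the shell ran.
false_shell_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 == "/bin/false" { print $1 }'
}

# Print, one per line, the account names nologin recorded in the log.
# Only nologin's own lines match; login's "FAILED LOGIN" lines are ignored.
nologin_attempts() {
    printf '%s\n' "$1" | sed -n 's/.* nologin: Attempted login by \([^ ]*\) on .*/\1/p'
}

# Locate a nologin binary on this host (candidate paths are an assumption;
# the thread notes Debian ships /usr/sbin/nologin, not /bin/nologin).
find_nologin() {
    for p in /usr/sbin/nologin /bin/nologin /sbin/nologin; do
        [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

echo "accounts using /bin/false:"; false_shell_accounts "$SAMPLE_PASSWD"
echo "accounts recorded by nologin:"; nologin_attempts "$SAMPLE_LOG"
find_nologin || echo "no nologin binary found on this host"
```

Point the two functions at the real /etc/passwd and /var/log/auth.log contents to get the same report for a live system.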
