sshd not honoring /var/run/nologin ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )

From: Christopher Schulte (schulte+freebsd@nospam.schulte.org)
Date: 01/25/02


Date: Fri, 25 Jan 2002 10:54:07 -0600
To: security@freebsd.org
From: Christopher Schulte <schulte+freebsd@nospam.schulte.org>

This seems to be a security issue, since an admin may think users are
locked out, when in fact they are not.

System: 4.4-RELEASE-p4
Sshd: default per 4.4-p4 install ( OpenSSH_2.3.0 FreeBSD localisations
20011202 )

The man page for sshd tells us:

-----
      When a user successfully logs in, sshd does the following:
[snip 1,2]

            3. Checks /etc/nologin and /var/run/nologin; if one exists, it
                 prints the contents and quits (unless root).
-----

I noticed this when I was upgrading from 4.4-RELEASE to RELENG_4_4
yesterday on a server.

Example: box1=newly updated FreeBSD. box2=offsite server to test login to
box1

box1# pw useradd foo ( then define password )

box1# echo test > /var/run/nologin
box1# ln -s /var/run/nologin /etc/nologin ( just for good measure, man page
for sshd lists both files )

telnetd on box1 honors the nologin file:

box2# telnet box1
Trying 123.123.123.123...
Connected to box1.
Escape character is '^]'.

FreeBSD/i386 (box1) (ttypd)

login: foo
Password:
test
Connection closed by foreign host.

yet sshd still allows access:

box2# ssh -l foo box1
foo@box1's password:
Last login: Fri Jan 25 10:40:46 2002 from 1.2.3.4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California. All rights reserved.
FreeBSD 4.4-RELEASE-p4 (BOX1) #3: Thu Jan 24 16:57:53 CST 2002

$ exit
Connection to box1 closed.
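A shell model of the sshd(8) behaviour quoted above, added here as an example and not part of the original post: `nologin_gate` implements step 3 of the man page (deny a non-root user when either nologin file exists, printing its contents first), and `check_service` compares that documented outcome with what was actually observed when logging in through a given service, so the situation the post reports (telnetd denies, sshd admits) surfaces as a FAIL line. `NOLOGIN_FILES`, `nologin_gate`, `check_service` and `demo` are names chosen for this example; the demo uses a constructed nologin file in a scratch directory rather than the live /etc/nologin and /var/run/nologin.

```shell
#!/bin/sh
# Added example (not from the original post): a shell model of step 3 of the
# sshd(8) login sequence quoted above. NOLOGIN_FILES is an assumed variable so
# the check can run against a scratch directory instead of the live files.
: "${NOLOGIN_FILES:=/etc/nologin /var/run/nologin}"

# nologin_gate USER
# Returns 0 if USER may log in, 1 if a nologin file blocks the login. Prints
# the file's contents (what the user would see) before denying; root is exempt.
nologin_gate() {
    user=$1
    [ "$user" = root ] && return 0
    for f in $NOLOGIN_FILES; do
        if [ -f "$f" ]; then
            cat "$f"
            return 1
        fi
    done
    return 0
}

# check_service SERVICE USER OBSERVED
# OBSERVED is the outcome actually seen when logging in via SERVICE ("allow"
# or "deny"); it is compared with the documented behaviour the gate models.
check_service() {
    svc=$1; user=$2; observed=$3
    if nologin_gate "$user" >/dev/null; then expected=allow; else expected=deny; fi
    if [ "$observed" = "$expected" ]; then
        echo "OK    $svc/$user: $observed"
        return 0
    fi
    echo "FAIL  $svc/$user: documented $expected, observed $observed"
    return 1
}

# Demonstration with a constructed nologin file in a scratch directory, fed the
# outcomes from the two sessions in the post: telnetd denied foo, sshd let foo
# in. Returns the number of mismatches (1 here).
demo() {
    tmp=$(mktemp -d) || return 1
    NOLOGIN_FILES="$tmp/etc-nologin $tmp/var-run-nologin"
    echo test > "$tmp/var-run-nologin"   # as in the post: echo test > /var/run/nologin
    bad=0
    check_service telnetd foo deny  || bad=$((bad + 1))
    check_service sshd    foo allow || bad=$((bad + 1))
    rm -rf "$tmp"
    return $bad
}
demo || echo "mismatches found: $?"
```

After a real upgrade, replace the two hard-coded OBSERVED values with the results of actual telnet and ssh login attempts against the test account; any FAIL line means the lockout is not in force for that service.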
