RE: Disable Login

From: Fernando Gleiser (fgleiser@cactus.fi.uba.ar)
Date: 06/18/02


Date: Tue, 18 Jun 2002 18:08:53 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Alex Michlin <alex@delete.org>

On Tue, 18 Jun 2002, Alex Michlin wrote:

> I remember seeing a FreeBSD advisory on a bug in login. Now, for the
> real story... What is behind this is: I just downloaded the latest Saint
> version and ran it against a server. It said there login was vulnerable.
> I'm not sure how it knows if there is a bug or just information (but it is
> listed under the critical section).

saint checks whether the login *service* (512/tcp, a.k.a rlogin) is running,
it doesn't check for vulnerabilities in the login *program* (/usr/bin/login).

rlogin is insecure because it sends everything in cleartext and may be
vulnerable to IP spoofing if you use .rhosts for authentication.
Just comment it out in inetd.conf and use ssh instead.

                        Fer

>
> Thanks again,
>
> Alex
>
> On Tue, 18 Jun 2002, Eric F Crist wrote:
>
> > What kind of a bug in login are you seeing? If you completely disable
> > the login utility, you would not be able to logon locally, which could
> > make an upgrade difficult. If you simply want to disable logon for
> > specific users, simply set their shell to /etc/nologin or some other
> > non-existent file/shell.
> >
> > HTH
> >
> > Eric F Crist
> > President/Sys Admin
> > AdTech Integrated Systems, Inc
> > http://www.adtechintegrated.com
> >
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex Michlin
> > Sent: Tuesday, June 18, 2002 2:23 PM
> > To: freebsd-security@FreeBSD.ORG
> > Subject: Disable Login
> >
> > I have a FreeBSD 4.2 server with a bug in login. I cannot reboot the
> > server to upgrade the os (make world...). As a temporary fix, can I
> > chmod 000 logon or possibly even remove it completely? Should everything
> > function correctly? (OpenSSH mainly)?
> >
> > TIA,
> >
> > Alex
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
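Added example, not part of the original message: a small sh script for the step described in the reply above, listing active `login` entries in an inetd.conf and writing a copy with them commented out. It goes slightly beyond the reply by also covering the sibling `shell` and `exec` r-services, which are cleartext as well; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf for enabled BSD r-services (added example).
# inetd.conf entries are whitespace-separated; field 1 is the service name.
# A commented entry has "#" or "#login" as field 1, so it never matches.

RSERVICES='login|shell|exec'

# Print "lineno:service" for every active r-service entry in file $1.
enabled_rservices() {
    awk -v pat="^(${RSERVICES})\$" '$1 ~ pat { print NR ":" $1 }' "$1"
}

# Write file $1 to stdout with active r-service entries commented out.
# Review the result before installing it over the live configuration.
disable_rservices() {
    awk -v pat="^(${RSERVICES})\$" '
        $1 ~ pat { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample input, not taken from the server in the thread.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
EOF
}

# With a file argument, audit that file; otherwise demonstrate on the sample.
if [ $# -ge 1 ]; then
    enabled_rservices "$1"
else
    demo=$(mktemp)
    sample_inetd_conf > "$demo"
    enabled_rservices "$demo"
    rm -f "$demo"
fi
```

inetd rereads its configuration on SIGHUP, so the edited file takes effect without a reboot.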


