| On Wed, May 10, 2006 at 07:46:20AM +0300, Jari Aalto wrote:
| > | severity 366541 wishlist
| > | thanks
| > |
| > | On Tue, May 09, 2006 at 06:30:00PM +0300, Jari Aalto wrote:
| > | > Package: openssh-server
| > | > Version: 1:4.2p1-8
| > | > Severity: normal
| > | > Tags: security
| > | >
| > | > The /etc/passwd contains entry:
| > | >
| > | > sshd:x:101:65534::/var/run/sshd:/bin/false
| > | >
| > | > SUGGESTION
| > | >
| > | > The new login package includes /bin/nologin which would be more secure,
| > | > because it leaves trace to syslog after login attempts.
| > | I think it has the same functional effect:
| > | May 9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
| > | May 9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| > | May 9 12:49:31 andromeda login[25987]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
| >
| > Not at all. The nologin records the account that was used to "crack in".
| I was unclear. The first of those lines was when I ran
| /usr/sbin/nologin (note that the path is different from what you
| suggest) from the shell of an authenticated account.
|
| The other 2 lines are the same, since the shell is never even run; I
| guess that this is a request for logging, in the accidental case that
| the shell *is* run?
Correct. The improved logging makes the difference, which I consider "more secure", because this information can be gathered by security auditing tools. The switch to /bin/nologin is easily done.

Jari
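As an added example that is not part of the bug report or of Debian's own tooling: a small POSIX shell audit that lists system accounts whose shell would run silently (/bin/false or a real shell), shows the same entries rewritten to /usr/sbin/nologin as the thread suggests, and counts the "Attempted login by" records that nologin leaves in syslog, which is the trace an auditing tool can collect. The passwd excerpt and syslog lines are constructed; the uid range 1..999 for Debian system accounts and the /usr/sbin/nologin path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's tooling.
# Assumptions: Debian system accounts use uids 1..999; the logging shell
# lives at /usr/sbin/nologin (the path Justin notes in the thread).

# Constructed /etc/passwd excerpt containing the sshd entry from the report.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
)

# System accounts whose shell would run without leaving a syslog record
# if it were ever reached: /bin/false just exits, a real shell just works.
silent_system_shells() {
    printf '%s\n' "$1" | awk -F: '
        $3 != 0 && $3 < 1000 && $7 !~ /nologin$/ { print $1 ":" $7 }'
}

# Same entries with the shell rewritten to nologin, which logs the attempt.
# This rewrites text only; apply to a live system with usermod -s.
with_nologin() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '
        $3 != 0 && $3 < 1000 && $7 !~ /nologin$/ { $7 = "/usr/sbin/nologin" }
        { print }'
}

# Constructed syslog lines in the format quoted in the thread. Only the
# nologin lines identify the account whose shell was actually executed.
SAMPLE_SYSLOG=$(cat <<'EOF'
May  9 12:46:31 andromeda nologin: Attempted login by pryzbyj on /dev/pts/2
May  9 12:47:34 andromeda login[6063]: FAILED LOGIN (1) on `tty1' FOR `sshd', Authentication failure
May 10 03:12:07 andromeda nologin: Attempted login by sshd on /dev/pts/4
EOF
)

# Count the records an auditing tool would collect from nologin.
nologin_attempts() {
    printf '%s\n' "$1" | grep -c 'nologin: Attempted login by'
}

silent_system_shells "$SAMPLE_PASSWD"
with_nologin "$SAMPLE_PASSWD"
nologin_attempts "$SAMPLE_SYSLOG"
```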