On Sun, Apr 17 2022, FreeBSD User wrote:

Hello fellows, happy Easter!

I ran into a security issue this morning here and tried to look for a solution. We use OpenLDAP for all "regular users" login on hosts and web services. Authentication is required from some cloud/moodle services via LDAP, but some users not having any home directory on any machine within the domain will still be allowed to log in, even if the home dir is not present. They get logged in onto the root of the filesystem when logging in via SSH.

Is there a way to prohibit login if the homedir isn't present? Can you point me to the right place (PAM or something, pam_env isn't available on FreeBSD)?

If this is a trivial issue and caused by lack of my personal knowledge, please excuse.

Kind regards,
Hey, even if you manage to do that, you probably shouldn't address your problem this way: existence of a directory is a rather weak assertion to make when deciding whether or not someone should be able to get a shell.

Take a look at AllowGroups and AllowUsers in man 5 sshd_config, that should fit your use-case much better.

Other than that, you probably want to change their shell and stuff like that.

Do check:
https://docs.freebsd.org/en/books/handbook/security/#security-intro
And adapt to your LDAP setup.

Also, mid-term, M.W. Lucas' Absolute FreeBSD is a really good place to learn things: https://mwl.io/nonfiction/os#af3e

PS: This mailing list is for things related to FreeBSD-CURRENT; it seems like this question might be a better fit for freebsd-questions@, since it is related to systems in general.

Cheers,
--
Evilham
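As an added example (not part of the thread), a small audit helper for the situation described above: it reads passwd-format entries (for instance from `getent passwd`, which includes LDAP accounts when nsswitch is set up for it) and reports accounts that still have a login shell but no existing home directory, so they can be moved to a nologin shell or excluded from the sshd AllowGroups list. The function name and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not from the thread. Reads passwd-format lines on stdin
# and prints "user:home:shell" for every account that could still get an
# interactive shell although its home directory does not exist (these are the
# accounts that would otherwise land in "/" after an SSH login).
audit_missing_homes() {
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # Accounts already parked on a non-interactive shell are not a concern.
        case "$shell" in
            */nologin|*/false|"") continue ;;
        esac
        # Flag interactive accounts whose home directory is absent.
        if [ ! -d "$home" ]; then
            printf '%s:%s:%s\n' "$user" "$home" "$shell"
        fi
    done
}

# Scan the live account database (local files plus LDAP via nsswitch) when
# invoked as: sh audit_homes.sh --scan
if [ "${1:-}" = "--scan" ]; then
    getent passwd | audit_missing_homes
fi
```

Cross-check the reported names against the group you put in AllowGroups; anyone listed here but not in that group is already blocked from sshd regardless of the missing directory.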