>Furthermore, if the account is disabled in /etc/passwd and a user logs in
>via a public key, they are still allowed access. (So just disabling a user
>account is not enough anymore. You have to look for uses of public keys as
>well.) You get the same effect if a user has a ~/.rhosts file using rsh/rlogin.
>This may not exist in the 2.x series (I have not tested it there), but it
>does occur in the 1.2.x series. (I have not tested the latest version on
>this...)
>
>I would verify the above before panicking, but I have seen it occur under one
>such install of 1.2.x. (I will have to look up the version. The drive was
>removed soon after due to hacker d00dz.)

I can verify that using keys and ssh-agent under ssh-2.0.11 (Sparc Solaris
2.6) allows login if the (NIS) account has been disabled. However, this is
no less or greater a problem than the .rhosts file. There are tools to
detect .rhosts files in disabled accounts; perhaps the writers of those
scripts might be able to add a check for public keys under ssh?

-- 
John Riddoch
Email: jrat_private
Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
"Yoda of Borg are we: Futile is resistance. Assimilate you, we will"
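The check the reply asks for, written here as an added example rather than code from the post or from any ssh distribution: a POSIX sh audit that lists accounts whose password field is locked but whose home directory still holds a file that sshd or rshd would trust on its own. The assumptions are mine: a lock is a password field beginning with `*` or `!` (covering Solaris `*LK*` and Linux `!`-prefixed hashes) or equal to Solaris `NP`, with the field taken from the shadow file when /etc/passwd holds `x`; the trust files looked for are ssh1's ~/.ssh/authorized_keys, OpenSSH's ~/.ssh/authorized_keys2, ssh2's ~/.ssh2/authorization, and ~/.rhosts plus ~/.shosts. The passwd, shadow and home-directory tree under `make_sample` are constructed for the demonstration and are not data from the thread.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list post): find locked accounts
# that a public key or an .rhosts/.shosts entry would still let in.

# Print "user home" for each account whose password field is locked.
# $1 = passwd-format file, $2 = shadow-format file ("" to skip shadow lookups).
# Assumption: "*..." / "!..." / "NP" are the locked forms on the systems audited.
locked_accounts() {
    passwd_file=$1
    shadow_file=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|\#*) continue ;; esac
        # "x" means the hash lives in the shadow file; an empty field may too.
        if [ "$pw" = x ] || [ -z "$pw" ]; then
            if [ -n "$shadow_file" ] && [ -r "$shadow_file" ]; then
                pw=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
            fi
        fi
        case $pw in
            \**|\!*|NP) echo "$user $home" ;;
        esac
    done < "$passwd_file"
}

# For each locked account, print "user path" for every non-empty trust file
# found in its home directory. $3 = optional prefix under which the home
# directories live (empty for the live system); used here for the sample tree.
locked_with_trust_files() {
    root=${3:-}
    locked_accounts "$1" "$2" | while read -r user home; do
        for f in .ssh/authorized_keys .ssh/authorized_keys2 .ssh2/authorization .rhosts .shosts; do
            if [ -s "$root$home/$f" ]; then
                echo "$user $home/$f"
            fi
        done
    done
}

# --- Constructed demonstration data: a fake passwd/shadow pair and home tree ---
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol"
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$abc$fakehash:11000:0:99999:7:::
alice:*LK*:11000:0:99999:7:::
bob:$1$abc$fakehash:11000:0:99999:7:::
EOF
    # Placeholder key material; the key contents are irrelevant to the check.
    echo "1024 35 1234567890 alice@example" > "$d/home/alice/.ssh/authorized_keys"
    echo "1024 35 1234567890 bob@example"   > "$d/home/bob/.ssh/authorized_keys"
    echo "trusted.example.com carol"         > "$d/home/carol/.rhosts"
    echo "$d"
}

# Run the audit over the constructed tree and clean up. Expected:
#   alice /home/alice/.ssh/authorized_keys   (locked in shadow, ssh1 key present)
#   carol /home/carol/.rhosts                (starred in passwd, .rhosts present)
# bob is unlocked and root has no trust files, so neither is reported.
audit_sample() {
    d=$(make_sample)
    locked_with_trust_files "$d/passwd" "$d/shadow" "$d"
    rm -rf "$d"
}

audit_sample
```

On a live host run `locked_with_trust_files /etc/passwd /etc/shadow` as root; for NIS accounts, the ones the reply describes, feed it a file produced with `ypcat passwd` (and the NIS shadow map where one exists) instead. Only the password-field form of disabling is examined, since that is the form the thread is about; an account whose home directory is unreadable to the auditor will be silently missed, so run the check with enough privilege to read every home.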
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:06 PDT