people ssh Banner

Stephen John Smoogen smooge at gmail.com
Thu Oct 2 22:14:02 UTC 2014


On 2 October 2014 13:05, Jason L Tibbitts III <tibbs at math.uh.edu> wrote:

> >>>>> "KF" == Kevin Fenzi <kevin at scrye.com> writes:
>
> KF> Sadly that won't work. The only people who have accounts are those
> KF> in cla_done + 1 group. So, the people without that don't even have
> KF> an account, so they can't authenticate. ;(
>
> Is it possible to give them accounts that have no permission to do
> anything?  I used to change the shell to /usr/local/bin/terminated,
> which printed a message about the account being closed.
>
>
In this case that would be close to a hundred thousand accounts linked to
/bin/noshellforyou for the 3200 that are cla+1. In the past that was a
great way to DoS a machine: just have an sshbot go by and get a bunch of
nologins, and the amount of CPU for login search/setup/deny was enough to
DoS a box.

The only solution I have seen in practice is having the ssh banner set, but
everywhere I worked at previously was legally required to have messages in
banners so my world view is biased.




>  - J<



-- 
Stephen J Smoogen.