Path: utzoo!attcan!uunet!zaphod.mps.ohio-state.edu!sdd.hp.com!elroy.jpl.nasa.gov!decwrl!shelby!SUMEX-AIM.STANFORD.EDU!lane
From: lane@SUMEX-AIM.STANFORD.EDU (Christopher Lane)
Newsgroups: comp.sys.next
Subject: NeXT Login Security Problem
Message-ID:
Date: 12 Nov 90 18:17:30 GMT
Sender: Christopher Lane
Organization: Internet-USENET Gateway at Stanford University
Lines: 22

Steve Hayman (sahayman@iuvax.cs.indiana.edu) sent me a note a week or so ago
about a security flaw in the NeXT LoginWindow program.

It seems that at Steve's site, like our own and others, they put a 'nologin',
'noshell', etc. entry for the 'shell' field in the passwd (of the NetInfo/YP
master) file for (temporarily) defunct users. However, since LoginWindow
doesn't care about the shell field, users with bogus shells were still able to
log in to the NeXTs. Changing both the shell and password field for a user
will completely lock them out--though this doesn't seem to be the standard
practice.

As a patch, as provided by Steve, I've generated a new version of MOTD that
checks 'getusershell()' when used as a LoginHook and rejects users that don't
have valid shells (as defined by getusershell and /etc/shells). Those using
this new, more secure version of MOTD might want to make sure to add 'tcsh' to
/etc/shells if you use that shell.

I've FTP'd the new version of MOTD to the submissions directory of the
cs.orst.edu NeXT archive.

Let me know if there are problems with it,

- Christopher
-------
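The shell check described above, as an added example that is not the MOTD/LoginHook code from the post: a user's passwd shell field is accepted only if it exactly matches an entry in /etc/shells, read either from a constructed buffer (offline) or from the live file via getusershell(3). The function names and the sample /etc/shells contents are assumptions made here.

```c
/* Added example, not the MOTD/LoginHook code from the post: allow a login
 * only if the account's passwd shell field is a valid login shell. */
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>

/* Parse /etc/shells-style text ("#" comments, blank lines skipped) into
 * shells[]; returns the count. text is split in place by strtok_r. */
int parse_shells(char *text, const char *shells[], int max)
{
    int n = 0;
    char *save = NULL;
    for (char *line = strtok_r(text, "\n", &save); line && n < max;
         line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t') line++;
        if (*line == '\0' || *line == '#') continue;
        shells[n++] = line;
    }
    return n;
}

/* 1 if shell exactly matches an allowed entry. An empty field or a placeholder
 * like "nologin"/"noshell" is absent from the list and so is rejected. */
int shell_is_valid(const char *shell, const char *shells[], int n)
{
    if (shell == NULL || *shell == '\0') return 0;
    for (int i = 0; i < n; i++)
        if (strcmp(shell, shells[i]) == 0) return 1;
    return 0;
}

/* Same check against the live /etc/shells via getusershell(3), as the
 * LoginHook does; returns 1 to allow the login, 0 to reject it. */
int shell_allowed_on_system(const char *shell)
{
    int ok = 0;
    const char *s;
    setusershell();
    while (!ok && (s = getusershell()) != NULL)
        ok = (shell != NULL && strcmp(shell, s) == 0);
    endusershell();
    return ok;
}
/* Offline variant over a constructed /etc/shells (tcsh added, as advised). */
int login_hook_check(const char *shell)
{
    char text[] = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n\n/usr/local/bin/tcsh\n";
    const char *shells[32];
    return shell_is_valid(shell, shells, parse_shells(text, shells, 32));
}
```

A LoginHook built on this would call shell_allowed_on_system() with the shell field from the user's passwd entry and refuse the session when it returns 0.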