On 2 October 2014 13:05, Jason L Tibbitts III <tibbs@xxxxxxxxxxx> wrote:
>>>>> "KF" == Kevin Fenzi <kevin@xxxxxxxxx> writes:
KF> Sadly that won't work. The only people who have accounts are those
KF> in cla_done + 1 group. So, the people without that don't even have
KF> an account, so they can't authenticate. ;(
Is it possible to give them accounts that have no permission to do
anything? I used to change the shell to /usr/local/bin/terminated,
which printed a message about the account being closed.
In this case that would be close to a hundred thousand accounts linked to /bin/noshellforyou for the 3200 that are cla+1. In the past that was a great way to DOS a machine.. just have a sshbot go by and get a bunch of nologins and the amount of cpu for login search/setup/deny was enough to DOS a box
The only solution I have seen in practice is having the ssh banner set, but everywhere I worked at previously was legally required to have messages in banners so my world view is biased.
- J<
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Stephen J Smoogen.
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
