openssh-server does not check whether the user's login shell is listed in /etc/shells.
This is a potential security hole. If somebody removes the user's shell from
/etc/passwd (leaving the shell field empty), sshd still permits the user to log in
and runs /bin/sh as the shell. This is upstream sshd's own fallback (an empty
pw_shell is replaced by /bin/sh, not treated as "no login"), so nothing in sshd
itself rejects the account; only a PAM account check such as pam_shells.so does.
This is insecure behaviour of openssh on Debian. Other systems may be affected too.
# ssh -l rajo localhost
rajo@localhost's password:
Last login: Fri Aug 26 02:28:05 2011 from localhost
$ id
uid=1000(rajo) gid=1000(rajo) groups=1000(rajo)
$ getent passwd rajo
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
$ ps
PID TTY TIME CMD
5243 pts/8 00:00:00 sh
5372 pts/8 00:00:00 ps
FIX: add the following line to /etc/pam.d/common-auth
# Check /etc/shells on login
account required pam_shells.so
Note: pam_shells.so is used here as an account-type module, so the line also belongs
naturally in /etc/pam.d/common-account, which Debian's /etc/pam.d/sshd includes; PAM
dispatches on the type column, so it works from common-auth as well. sshd only runs the
PAM stack when sshd_config has "UsePAM yes" (the Debian default); with UsePAM no the
check is never consulted. pam_shells.so rejects any shell not listed in /etc/shells,
including an empty shell field, so add any legitimate custom shell to /etc/shells
before enabling it or those users will be locked out too.
Check the system again:
# ssh -l rajo localhost -p 22
rajo@localhost's password:
Connection closed by 127.0.0.1
This is the correct (secure) behaviour: the account check fails and the session is
closed before a shell is started.
Best regards,
Lubomir Host
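The following is an added audit script, not part of the original report: it lists
every account in a passwd database whose login shell is empty or not listed in
/etc/shells, i.e. exactly the accounts pam_shells.so would start rejecting (and that
sshd would otherwise let in with /bin/sh). The passwd and shells data are constructed
samples embedded inline; the function name find_bad_shells is this example's own.
Run it against a live system with `find_bad_shells "$(getent passwd)" "$(cat /etc/shells)"`
before adding the pam_shells.so line, so that no legitimate custom shell gets locked out.

```shell
#!/bin/sh
# Added example (not from the original report): find accounts that would be
# refused by pam_shells.so, or that sshd would let in with /bin/sh because the
# shell field in passwd is empty.

# Constructed sample data, not taken from a real system.
SAMPLE_SHELLS='# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/opt/custom/sh'

# find_bad_shells PASSWD_TEXT SHELLS_TEXT
# Prints "user:shell" for every account whose shell is empty or is not an
# exact line of the shells list (comment lines starting with '#' are ignored,
# as pam_shells does). Returns 1 if any such account exists, 0 otherwise.
find_bad_shells() {
    _passwd=$1
    _shells=$2
    _found=0
    # Feed passwd lines via a here-document so the loop runs in the current
    # shell and can update _found (a pipe would run it in a subshell).
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        if [ -z "$shell" ]; then
            # Empty shell field: sshd substitutes /bin/sh, pam_shells rejects.
            printf '%s:(empty -> /bin/sh)\n' "$user"
            _found=1
            continue
        fi
        # -F fixed string, -x whole line, -q quiet; '--' stops option parsing.
        if ! printf '%s\n' "$_shells" | grep -v '^#' | grep -qxF -- "$shell"; then
            printf '%s:%s\n' "$user" "$shell"
            _found=1
        fi
    done <<EOF
$_passwd
EOF
    return $_found
}

# Demonstration on the constructed data. On a real host use:
#   find_bad_shells "$(getent passwd)" "$(cat /etc/shells)"
find_bad_shells "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" || :
```

Accounts with /usr/sbin/nologin are reported too: that shell is normally absent from
/etc/shells, which is harmless since those accounts are not meant to log in, but it
shows that pam_shells.so is a strict whitelist rather than a check for "empty shell".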