denying a user access from the internet

Joerg Pernfuss elessar at bsdforen.de
Wed Nov 8 05:24:37 UTC 2006


On Tue, 7 Nov 2006 15:54:00 -0500
"Dave" <dmehler26 at woh.rr.com> wrote:

> Hello,
>     I've got a FreeBSD box that I have a user on who needs special
> console access. I've given him access to what is required, but I do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically if this user isn't
> right in front of the box I don't want him accessing it. Is it
> possible to lock a user out to this extent, I know with ssh I can do
> an AllowGroup option and not put him in the group that would work?
> Thanks.

You should be able to achieve this via the ttys.allow parameter that is
provided by login.conf(5).
Either

	local:\
		:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
		:tc=default:

or
	local:\
		:ttys.allow=local:\
		:tc=default:

with /etc/ttys modified to something like this:

ttyv0   "/usr/libexec/getty Pc"         cons25  on  group=local secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv2   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv3   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv4   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure

Then switch his login class to local and the policy should be enforced
system wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd wide.

	:times.allow=MoTuWeThFr0800-1600:\

might also come in handy, allowing access only during the week from 8am to
4pm :)

	Joerg
-- 
| /"\   ASCII ribbon   |  GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |    0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |        .the next sentence is true.       |
| / \     and news     |     .the previous sentence was a lie.    |
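The following is an added example for this thread, not code from Joerg's post or from FreeBSD's libutil. It parses login.conf(5)-style records (backslash continuation, tc= inheritance) and ttys(5) lines built from the snippets above, then answers whether a login class may log in on a given tty by matching each ttys.allow/ttys.deny entry against the tty name or the tty's group= field, as login.conf(5) describes. The function and class names (parse_login_conf, resolve_class, tty_login_allowed, the "byname" class) are mine; two assumptions are built in: a tty with no group= belongs to group "none" (the ttys(5) default), and a tty absent from /etc/ttys, such as an sshd pseudo-terminal, belongs to no group and so matches no entry.

```python
"""Resolve a login class's ttys.allow / ttys.deny policy against /etc/ttys.

Added example, not code from the mailing-list post or from FreeBSD.
Assumptions: a tty without group= is in group "none" (ttys(5) default);
a tty not listed in /etc/ttys (e.g. an sshd pty) is in no group at all.
"""
import shlex

# Constructed sample input: the two classes suggested in the post (called
# "local" and "byname" here) plus a minimal "default" record for tc= to hit.
LOGIN_CONF = """\
default:\\
\t:umask=022:
local:\\
\t:ttys.allow=local:\\
\t:tc=default:
byname:\\
\t:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\\
\t:tc=default:
"""

# Constructed sample /etc/ttys: console terminals in group "local", one
# virtual terminal outside it, and a serial line (ttyd0) outside it.
TTYS = """\
ttyv0   "/usr/libexec/getty Pc"   cons25  on  group=local secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"   cons25  on  group=local secure
ttyv2   "/usr/libexec/getty Pc"   cons25  on  group=local secure
ttyv5   "/usr/libexec/getty Pc"   cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
"""


def parse_login_conf(text):
    """Return {class_name: {cap: value}} from login.conf(5)-style text."""
    logical = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # A trailing backslash continues the record on the next line.
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.strip())
    records = {}
    for entry in logical:
        fields = [f for f in entry.split(":") if f]
        caps = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            caps[key] = value
        for name in fields[0].split("|"):   # name|alias|... share one record
            records[name] = caps
    return records


def resolve_class(records, name, seen=()):
    """Merge a class with its tc= parents; the child's settings win."""
    caps = dict(records[name])
    parent = caps.pop("tc", None)
    if parent and parent not in seen:
        merged = resolve_class(records, parent, seen + (name,))
        merged.update(caps)
        return merged
    return caps


def parse_ttys(text):
    """Return {tty_name: group} from ttys(5)-style text."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)          # honours the quoted getty command
        group = "none"                      # assumed ttys(5) default group
        for field in fields[3:]:            # flags follow name/getty/type
            if field.startswith("group="):
                group = field[len("group="):]
        groups[fields[0]] = group
    return groups


CLASSES = parse_login_conf(LOGIN_CONF)
TTY_GROUPS = parse_ttys(TTYS)


def tty_login_allowed(class_name, tty):
    """True if the class may log in on tty under ttys.allow / ttys.deny."""
    caps = resolve_class(CLASSES, class_name)
    group = TTY_GROUPS.get(tty)             # None: tty unknown to /etc/ttys

    def matches(entry):
        return entry == tty or (group is not None and entry == group)

    allow = [e for e in caps.get("ttys.allow", "").split(",") if e]
    if allow and not any(matches(e) for e in allow):
        return False                        # allow list present, no match
    deny = [e for e in caps.get("ttys.deny", "").split(",") if e]
    return not any(matches(e) for e in deny)


if __name__ == "__main__":
    for cls in ("default", "local", "byname"):
        for tty in ("ttyv0", "ttyv5", "ttyd0", "pts/0"):
            verdict = "allow" if tty_login_allowed(cls, tty) else "deny"
            print(f"{cls:8} {tty:6} {verdict}")
```

The sample run shows the effect Joerg describes: a user in class "local" is admitted on ttyv0 through ttyv2 (group local) but refused on ttyv5, on the serial line ttyd0, and on a pseudo-terminal that /etc/ttys does not know about. On a real system, remember that login(1) reads /etc/login.conf.db, so after editing /etc/login.conf run cap_mkdb /etc/login.conf, and move the account into the class with pw usermod.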