denying a user access from the internet
Joerg Pernfuss
elessar at bsdforen.de
Wed Nov 8 05:24:37 UTC 2006
On Tue, 7 Nov 2006 15:54:00 -0500
"Dave" <dmehler26 at woh.rr.com> wrote:
> Hello,
> I've got a FreeBSD box that I have a user on who needs special
> console access. I've given him access to what is required, but I do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically if this user isn't
> right in front of the box I don't want him accessing it. Is it
> possible to lock a user out to this extent? I know with ssh I can do
> an AllowGroup option and not put him in the group; would that work?
> Thanks.
You should be able to achieve this via the ttys.allow parameter that is
provided by login.conf(5).
Either
local:\
	:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
	:tc=default:
or
local:\
	:ttys.allow=local:\
	:tc=default:
with /etc/ttys modified to something like this:
ttyv0 "/usr/libexec/getty Pc" cons25 on group=local secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv2 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv3 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv4 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyv6 "/usr/libexec/getty Pc" cons25 on secure
ttyv7 "/usr/libexec/getty Pc" cons25 on secure
Then switch his login class to local and the policy should be enforced
system wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd wide.
:times.allow=MoTuWeThFr0800-1600:\
might also come in handy, allowing access only during the week from 8am to
4pm :)
Joerg
--
| /"\ ASCII ribbon | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
| X HTML in email | .the next sentence is true. |
| / \ and news | .the previous sentence was a lie. |
More information about the freebsd-questions
mailing list
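
Added example, not part of the original message: a simplified Python model of the ttys.allow check the reply relies on, useful for confirming which terminals a class would be admitted on before changing a user's login class. Assumptions: each ttys.allow entry is compared with the tty name as a shell-style pattern and with the tty's group= value from /etc/ttys; tc= is not followed and ttys.deny is ignored; the ttyd0 and ttyp0 lines are constructed sample input.

```python
import fnmatch
import shlex

# Sample /etc/ttys: lines from the message plus a constructed serial line and pty.
TTYS = '''
ttyv0 "/usr/libexec/getty Pc" cons25 on group=local secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyd0 "/usr/libexec/getty std.9600" dialup off secure
ttyp0 none network
'''

# The second login.conf variant from the message.
LOGIN_CONF = r'''
local:\
	:ttys.allow=local:\
	:tc=default:
'''

def tty_groups(ttys_text):
    """Map each tty name in /etc/ttys text to its group= value (None if unset)."""
    groups = {}
    for line in ttys_text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quotes and '#'
        if fields:
            tags = [f[len("group="):] for f in fields[1:] if f.startswith("group=")]
            groups[fields[0]] = tags[-1] if tags else None
    return groups

def class_caps(conf_text, name):
    """Return the capabilities written in one class record (tc= is not followed)."""
    joined = conf_text.replace("\\\n", "")  # fold backslash continuations
    for record in joined.splitlines():
        parts = [p.strip() for p in record.split(":")]
        if not record.lstrip().startswith("#") and name in parts[0].split("|"):
            return dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return {}

def tty_allowed(tty, caps, groups):
    """True if tty matches a ttys.allow entry by name pattern or by ttys group."""
    if "ttys.allow" not in caps:
        return True  # assumption: no list means no tty restriction
    entries = [e.strip() for e in caps["ttys.allow"].split(",")]
    return any(fnmatch.fnmatchcase(tty, e) or groups.get(tty) == e for e in entries)

if __name__ == "__main__":
    groups, caps = tty_groups(TTYS), class_caps(LOGIN_CONF, "local")
    for tty in groups:
        print(tty, "allowed" if tty_allowed(tty, caps, groups) else "denied")
```

A terminal left without group=local (ttyv5 here) is denied under the group variant even though it is a local console, so the two files have to be kept in step.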