Restricting logins by terminal

lewiz purple at lewiz.info
Wed Jul 9 17:58:17 PDT 2003


On Wed, Jul 09, 2003 at 01:14:06PM -0400, Charley wrote:
> I would like to restrict user login based on the terminal where the login 
> request originates.  Ideally, I want Root, and ONLY Root, to be able to log 
> in at the console.  The system is already running SSHD, so I want to be able 

That's more than possible.  Take a look at /etc/login.access and
/etc/login.conf.  In login.access a simple:

-:ALL EXCEPT root:console
(taken from the examples near the end, which actually use groups)

should do the trick.

> to check logins via SSH.  Root should not be allowed to log in from a remote 

That's all defined in your sshd config (by default root cannot log in via
sshd).  If you're really paranoid, the second example in login.access:

-:root:ALL EXCEPT LOCAL
(instead of considering root, the ``wheel'' group might be better)

> terminal and SU should be disabled for any remote terminal.  Is there 

By default, only members of the wheel group can su to root.

> something in the ports collection that I've missed that will do this?  Maybe 
> I'm just blind and haven't yet seen something like this in the manual.

Well, I don't know exactly what you want to do... but ``su'' is setuid
root, so you could unset that and use the ``sudo'' command.  Take a look
at security/sudo in the ports collection.  That'd be quite contrived
though.

  Best wishes,

-lewiz.

P.S.
  Some of my examples might not work -- I didn't test them and I'm
shocking for getting things to work first time.

-- 
"Why was I born with such contemporaries?"
		-- Oscar Wilde
------------------------------------------------------------------------
-| msn:purple at lewiz.net | jab:lewiz at jabber.org | url:http://lewiz.net |-
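To make the first-match semantics of login.access concrete, and to show why each rule needs all three colon-separated fields, here is an added example that is not part of the thread or of FreeBSD's own code: a small Python evaluator of login.access rules. The group table (GROUPS) and the rule set (RULES) are constructed for the example, and the console tty is assumed to be named ``console''.

```python
from typing import List, Tuple

# Constructed group table standing in for /etc/group (an assumption for this example).
GROUPS = {"wheel": ["root", "charley"], "users": ["bob"]}

def _match(items: List[str], value: str, users_field: bool) -> bool:
    """Match one name against a space-separated field, honouring ALL, EXCEPT,
    LOCAL, group names (users field) and domain/network prefixes (origins field)."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _match(items[:i], value, users_field) and not _match(items[i + 1:], value, users_field)
    for item in items:
        if item == "ALL" or item == value:
            return True
        if users_field and value in GROUPS.get(item, []):  # group name in users field
            return True
        if not users_field:
            if item == "LOCAL" and "." not in value:  # LOCAL: any origin without a '.'
                return True
            if item.startswith(".") and value.endswith(item):  # ".example.org" domain
                return True
            if item.endswith(".") and value.startswith(item):  # "10.0." network prefix
                return True
    return False

def parse_rules(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Parse login.access text; every rule needs permission:users:origins."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected permission:users:origins, got {line!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def access_allowed(rules, user: str, origin: str) -> bool:
    """First matching rule decides; no match at all means access is granted."""
    for perm, users, origins in rules:
        if _match(users, user, True) and _match(origins, origin, False):
            return perm == "+"
    return True

# Constructed rule set for the two requirements in the thread (console tty assumed to be "console").
RULES = parse_rules("""
-:ALL EXCEPT root:console
-:root:ALL EXCEPT LOCAL
""")
```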