Restricting logins by terminal
lewiz
purple at lewiz.info
Wed Jul 9 17:58:17 PDT 2003
On Wed, Jul 09, 2003 at 01:14:06PM -0400, Charley wrote:
> I would like to restrict user login based on the terminal where the login
> request originates. Ideally, I want Root, and ONLY Root, to be able to log
> in at the console. The system is already running SSHD, so I want to be able
That's more than possible. Take a look at /etc/login.access and
/etc/login.conf. In login.access a simple:
    # taken from the examples near the end (which actually use groups)
    -:ALL EXCEPT root:console
should do the trick.
> to check logins via SSH. Root should not be allowed to log in from a remote
That's all defined in your sshd config (by default root cannot log in via
sshd). If you're really paranoid, the second example in login.access:
    # instead of considering root, the ``wheel'' group might be better.
    -:root:ALL EXCEPT LOCAL
> terminal and SU should be disabled for any remote terminal. Is there
By default, only members of the wheel group can su to root.
> something in the ports collection that I've missed that will do this? Maybe
> I'm just blind and haven't yet seen something like this in the manual.
Well, I don't know exactly what you want to do... but ``su'' is setuid
root, so you could unset that and use the ``sudo'' command. Take a look
at security/sudo in the ports collection. That'd be quite contrived
though.
Best wishes,
-lewiz.
P.S.
Some of my examples might not work -- I didn't test them and I'm
shocking for getting things to work first time.
--
"Why was I born with such contemporaries?"
-- Oscar Wilde
------------------------------------------------------------------------
-| msn:purple at lewiz.net | jab:lewiz at jabber.org | url:http://lewiz.net |-
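The two login.access rules discussed in the reply above can be checked against (user, origin) pairs with a small model of login.access(5) first-match evaluation. This is an added example, not part of the original post and not FreeBSD's own code; it assumes the three-field permission:users:origins form with `console` as the origin of the first rule, and it leaves out group, domain and network matching.

```python
# Added example: simplified model of login.access(5) first-match evaluation.
# Assumptions: group names, domain (".example.org") and network ("10.1.")
# origin forms are not modelled; function names are illustrative.

def list_match(tokens, item, match_one):
    """Match item against a token list, honouring EXCEPT clauses."""
    i, matched = 0, False
    while i < len(tokens) and tokens[i].upper() != "EXCEPT":
        if match_one(tokens[i], item):
            matched = True
            break
        i += 1
    if not matched:
        return False
    # Skip ahead to EXCEPT (if present); the rest lists the exceptions.
    while i < len(tokens) and tokens[i].upper() != "EXCEPT":
        i += 1
    return i == len(tokens) or not list_match(tokens[i + 1:], item, match_one)

def user_match(tok, user):
    return tok.upper() == "ALL" or tok == user

def origin_match(tok, origin):
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":            # LOCAL: any origin without a "."
        return "." not in origin
    return tok.lower() == origin.lower()  # exact tty or host name only

def login_allowed(rules, user, origin):
    """Return True if the first matching entry is '+', or nothing matches."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            continue                      # malformed entry: ignored in this model
        perm, users, origins = fields
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return perm == "+"
    return True                           # no entry matched: login is permitted

# Constructed sample file combining the two rules discussed in the post.
RULES = """
# console is for root only
-:ALL EXCEPT root:console
# root may not log in from networked origins
-:root:ALL EXCEPT LOCAL
"""
```

An entry that does not have exactly three colon-separated fields is skipped in this model, so it denies nothing.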