Date: Sun, 16 Jan 2000 21:40:58 +1100 From: aunty <aunty@comcen.com.au> To: freebsd-security@FreeBSD.ORG Subject: Re: Disallow remote login by regular user. Message-ID: <20000116214058.D14280@comcen.com.au> In-Reply-To: <20000114133222.A18079@rtfm.net> References: <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au> <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com> <20000114133222.A18079@rtfm.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 14, 2000 at 01:32:22PM -0500, Nathan Dorfman wrote: > On Thu, Jan 13, 2000 at 08:45:20PM -0500, Crist J. Clark wrote: > > Nicholas Brawn wrote, > > > Hi folks. I'm trying to ocnfigure my system so that I can disallow a > > > particular user account from being able to login remotely, and forcing > > > users to su to the account instead. How may I configure this? > > > > > > PS. Users may be using anything from telnet to ssh to login to the system, > > > so I need something that works across the board. > > > > For anything that is going to call login(1), you can use > > /etc/login.access(5). That pretty much eliminates stuff like telnet, > > rlogin, and console logins. For SSH, look at the 'AllowUsers' and > > 'DenyUsers' keywords for the sshd_conf file on the sshd(8) > > manpage. And of course, if ftp(1) is an issue, there is /etc/ftpusers > > as described in ftpd(8). > > You can make sshd use login(1). Set UseLogin to yes in sshd_config. This > is (at least sounds like) a good idea just so that login.access(5) and > login.conf(5) have their effect. I have a slightly similar requirement, an authentication server which must carry another machine's password files, but where no logins of any kind are allowed, except root on console and one user from one IP. Telnet and ftp are turned off, ssh is heavily restricted when active, and login.access is there as a backup in case someone "improves" inetd.conf from the console, a real possibility. (Yeah, I know, but moving faeces to higher ground is the reality I have to live with sometimes.) Shells aren't much help. Of course I can't alter the password file, and someone might change installed shells or /etc/shells in the future without realising the security implications. I've seen this happen in the past. The ftpusers file isn't much help in this case. I'd have to enter and maintain thousands of usernames or hundreds of groups. All I can think of as an additional ftp precaution is a cron job to find and delete ftpd. I'm also thinking about having a permanent /var/run/nologin file. Have I missed any other good tricks, particularly for ftp? -- Regards, -*Sue*- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000116214058.D14280>