Date:      Sun, 16 Jan 2000 21:40:58 +1100
From:      aunty <aunty@comcen.com.au>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Disallow remote login by regular user.
Message-ID:  <20000116214058.D14280@comcen.com.au>
In-Reply-To: <20000114133222.A18079@rtfm.net>
References:  <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au> <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com> <20000114133222.A18079@rtfm.net>

On Fri, Jan 14, 2000 at 01:32:22PM -0500, Nathan Dorfman wrote:
> On Thu, Jan 13, 2000 at 08:45:20PM -0500, Crist J. Clark wrote:
> > Nicholas Brawn wrote,
> > > Hi folks. I'm trying to configure my system so that I can disallow a
> > > particular user account from being able to login remotely, and force
> > > users to su to the account instead. How may I configure this?
> > > 
> > > PS. Users may be using anything from telnet to ssh to login to the system,
> > > so I need something that works across the board.
> > 
> > For anything that is going to call login(1), you can use
> > /etc/login.access(5). That pretty much eliminates stuff like telnet,
> > rlogin, and console logins. For SSH, look at the 'AllowUsers' and
> > 'DenyUsers' keywords for the sshd_conf file on the sshd(8)
> > manpage. And of course, if ftp(1) is an issue, there is /etc/ftpusers
> > as described in ftpd(8).
> 
> You can make sshd use login(1). Set UseLogin to yes in sshd_config. This
> is (at least sounds like) a good idea just so that login.access(5) and
> login.conf(5) have their effect.

I have a slightly similar requirement, an authentication server which
must carry another machine's password files, but where no logins of any
kind are allowed, except root on console and one user from one IP.

Telnet and ftp are turned off, ssh is heavily restricted when active, and
login.access is there as a backup in case someone "improves" inetd.conf
from the console, a real possibility. (Yeah, I know, but moving faeces
to higher ground is the reality I have to live with sometimes.)

Shells aren't much help. Of course I can't alter the password file, and
someone might change installed shells or /etc/shells in the future
without realising the security implications. I've seen this happen in
the past.

The ftpusers file isn't much help in this case. I'd have to enter and
maintain thousands of usernames or hundreds of groups. All I can think
of as an additional ftp precaution is a cron job to find and delete ftpd.

I'm also thinking about having a permanent /var/run/nologin file.
Have I missed any other good tricks, particularly for ftp?

-- 

Regards,
        -*Sue*-
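Added example, not part of this thread or of FreeBSD's own code: a small evaluator of login.access(5) rule semantics (first matching line wins, `+`/`-` permission, user and origin lists with a single EXCEPT, the ALL and LOCAL patterns, domain-suffix and network-prefix origins) so that both policies discussed above can be checked offline before touching a real /etc/login.access. The two rule files, the user names `appowner` and `syncuser`, and all addresses are constructed samples; `login_permitted` returns what login(1) would decide for a given user and origin.

```python
# Added example (not from the thread): evaluator for login.access(5) rules.
# Rule text and names below are constructed samples, not from any real host.

# Policy from the original question: the 'appowner' account must not log in
# remotely; local ttys stay open so an admin can log in and su to it.
ONE_USER_LOCAL_ONLY = """\
# LOCAL matches any origin without a '.', i.e. a local tty name
-:appowner:ALL EXCEPT LOCAL
"""

# Policy from the reply above: root on the console only, one account from one
# address, and nothing else. Order matters: the first matching line decides.
AUTH_SERVER_ONLY = """\
+:root:console
+:syncuser:192.0.2.10
-:ALL:ALL
"""


def parse_rules(text):
    """Turn login.access text into (permission, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field in line: %r" % raw)
        # list items may be separated by whitespace or commas
        rules.append((perm, users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules


def _list_matches(items, matcher):
    """Apply one login.access list, honouring a single EXCEPT operator."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        base, excluded = items[:idx], items[idx + 1:]
    else:
        base, excluded = items, []
    return any(matcher(i) for i in base) and not any(matcher(i) for i in excluded)


def _user_matches(item, user, groups):
    # an item is a login name, a group name, or ALL
    return item == "ALL" or item == user or item in groups


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":                    # any origin without a '.' (local ttys)
        return "." not in origin
    if item.startswith("."):               # domain suffix, e.g. .example.net
        return origin.endswith(item)
    if item.endswith("."):                 # network prefix, e.g. 192.0.2.
        return origin.startswith(item)
    return item == origin                  # tty name, host name or address


def login_permitted(rules, user, origin, groups=()):
    """First matching rule decides; no matching rule means login is allowed."""
    for perm, users, origins in rules:
        if (_list_matches(users, lambda u: _user_matches(u, user, groups)) and
                _list_matches(origins, lambda o: _origin_matches(o, origin))):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_rules(AUTH_SERVER_ONLY)
    for who, where in [("root", "console"), ("root", "203.0.113.7"),
                       ("syncuser", "192.0.2.10"), ("syncuser", "192.0.2.11"),
                       ("alice", "ttyv1")]:
        verdict = "allowed" if login_permitted(rules, who, where) else "denied"
        print("%-9s from %-13s %s" % (who, where, verdict))
```

Two caveats when applying this to a real host: login.access only governs paths that go through login(1), so sshd honours it only with UseLogin (as noted above), and later OpenSSH releases (7.4 onward) removed UseLogin entirely, leaving AllowUsers/DenyUsers or Match blocks in sshd_config as the sshd-side control; and a rule set that ends without a catch-all `-:ALL:ALL` line permits everyone the earlier lines did not mention.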
 

