Date:      Sun, 16 Jan 2000 03:02:46 -0600
From:      Brad Guillory <round@baileylink.net>
To:        Nicholas Brawn <ncb@zip.com.au>
Subject:   Re: Disallow remote login by regular user.
Message-ID:  <20000116030246.A11734@baileylink.net>
In-Reply-To: <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au>; from ncb@zip.com.au on Fri, Jan 14, 2000 at 12:06:36PM +1100
References:  <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au>

Nick,

I don't know what your particular need is but one way to do this
is to put an * in the password field of the password file (edit
with vipw(8)), then use sudo to allow the users to execute commands
as this user.  I have seen other people suggest that you use
/sbin/nologin at the shell, but if you try to su to the user with
nologin as the shell you get an error message like this:
  bash$ sudo su bin
  This account is currently not available.
    
If you want people to be able to su into this account, you can
put them in a special group (not really necessary, but I find that
it helps centralize my management tasks), then add the following
lines to your /etc/sudoers file (use visudo(8)):

  #Allow users in the group foo to run commands as user bar on all computers
  %foo ALL=(bar) ALL

Then you would have them "log into" the account with this command:
  bash$ sudo -s -u bar
 - or -
  bash$ sudo -u bar sh <--- or whatever their preferred shell is

or they could execute commands as that user like this (in this example they
will edit bar's crontab):
  bash$ sudo -u bar crontab -e

You may want to change some of the defaults for the foo group with
a line like this (untested):
  #Don't lecture the users in the foo group and let them get a shell
  #when they don't use any arguments
  Defaults:%foo	!lecture, shell_noargs, passprompt="Your login password: "

then they would be able to "log into" the account with a shorter
version of the above command:
  bash$ sudo -u bar

Well that last bit is supposed to work (the docs say so), but it doesn't,
so they will still have to use the -s. (sorry, I am almost done with a
patch for this bug, if you want it just let me know...)

sudo is a very nice package with lots of logging and options.
I did just notice that it is not part of the distribution, but it is in the
ports tree here: ports/security/sudo.

I have never used it, but super, also in the security category of the
ports tree, provides similar functionality.

If you have more questions just ask, BMG
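A way to check a system for the setup described above, as an added example that is not part of this mail, of sudo or of FreeBSD: a POSIX sh audit over a passwd-style file. It verifies that the shared account's password field is locked (the "*" from the mail, or the "*LOCKED*" prefix pw(8) writes), so no telnet, ssh or login password check can ever succeed, while its shell is still a real shell so "sudo -u bar sh" works rather than failing with "This account is currently not available."; it also flags any account with an empty password field. The sample passwd lines, the account names (bar, joe, guest) and the hash strings are constructed for the example and are not real.

```shell
#!/bin/sh
# Added example, not code from the original mail or from sudo/FreeBSD.
# Audits a passwd-style file for the "locked password, real shell, access
# via sudo" setup.  Assumed field layout is FreeBSD master.passwd:
#   name:pw:uid:gid:class:change:expire:gecos:home:shell
# The shell is always the last field, so 7-field /etc/passwd lines work too.

# One-word verdict for a single passwd line.
classify_account() {
    _pw=$(printf '%s\n' "$1" | cut -d: -f2)
    _shell=$(printf '%s\n' "$1" | awk -F: '{ print $NF }')
    case $_pw in
        '')        echo empty-password; return ;;  # logs in with no password at all
        '*'*|'!'*) ;;                              # "*" as in the mail, pw(8)'s "*LOCKED*", or Linux "!"
        *)         echo password-login; return ;;  # a real hash: telnet/ssh/login can succeed
    esac
    case $_shell in
        */nologin|*/false) echo locked-no-shell ;; # "This account is currently not available."
        *)                 echo locked-su-only ;;  # locked for login, reachable via sudo -u
    esac
}

# The sudoers line from the mail, for group $1 and target user $2.
sudoers_rule() {
    printf '%%%s ALL=(%s) ALL\n' "$1" "$2"
}

# Audit file $1: every account named in $2 (space separated) must be
# locked-su-only, and no account may have an empty password.
# Prints "name verdict" per account; returns 1 on any violation.
audit_passwd() {
    _file=$1; _suonly=$2; _rc=0
    while IFS= read -r _l; do
        case $_l in ''|'#'*) continue ;; esac
        _name=${_l%%:*}
        _v=$(classify_account "$_l")
        echo "$_name $_v"
        case " $_suonly " in
            *" $_name "*) if [ "$_v" != locked-su-only ]; then _rc=1; fi ;;
        esac
        if [ "$_v" = empty-password ]; then _rc=1; fi
    done < "$_file"
    return $_rc
}

# Constructed sample: bar is the shared account, joe a normal user, bin has
# nologin, guest has an empty password.  Hashes are placeholders, not real.
write_sample() {
    cat > "$1" <<'EOF'
# name:pw:uid:gid:class:change:expire:gecos:home:shell
root:$1$abcdefgh$placeholder.hash.not.real:0:0::0:0:Charlie &:/root:/bin/csh
joe:$1$ijklmnop$placeholder.hash.not.real:1000:1000::0:0:Joe User:/home/joe:/bin/sh
bar:*:1001:1001::0:0:Shared Account:/home/bar:/bin/sh
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
}

tmp=$(mktemp) || exit 1
write_sample "$tmp"
if audit_passwd "$tmp" bar; then
    echo "audit: ok"
else
    echo "audit: violations found (guest has an empty password)"
fi
sudoers_rule foo bar
rm -f "$tmp"
```

On a real host you would point audit_passwd at /etc/master.passwd (readable by root only) and list every account that is meant to be reached through sudo; "bin" above shows the nologin case the mail warns about, where even "sudo su bin" is refused, and "guest" shows why an empty field is worse than a locked one.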


On Fri, Jan 14, 2000 at 12:06:36PM +1100, Nicholas Brawn wrote:
> Hi folks. I'm trying to configure my system so that I can disallow a
> particular user account from being able to login remotely, and forcing
> users to su to the account instead. How may I configure this?
> 
> PS. Users may be using anything from telnet to ssh to login to the system,
> so I need something that works across the board.
> 
> Cheers,
> Nick
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000116030246.A11734>