Date:      Tue, 19 Oct 1999 00:17:02 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Mike Nowlin <mike@argos.org>
Cc:        Sue Blake <sue@welearn.com.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: allowing telnet from locked terminal
Message-ID:  <380C0CDE.7F70EB71@softweyr.com>
References:  <Pine.LNX.4.05.9910190130290.2563-100000@jason.argos.org>

Mike Nowlin wrote:
> 
> > That's fine, but I don't want it to be easy for them to see/touch my
> > other work which they're not interested in anyway. The people are
> > trustworthy but will be unfamiliar with the machine and could press
> > random buttons when working in panic mode. Periods away include coffee
> > breaks, overnight, and weekends.
> 
> I had a similar problem....  The machines that people needed to get to
> were all running Linux, so this program was written for that, but I
> imagine it could be ported over to FreeBSD pretty easily -- I'll take a
> look.
> 
> Basically, it keeps track of the console idle times -- if they get to be
> more than ten minutes, or if the person types "lockup" from the shell, it
> will do the following:
> 
> 1)  Make a note of the current VC and (if applicable) the user logged in
> on it
> 2)  Switch to VC 10 (no getty normally running on that one)

This part blows up if you don't have 10 virtual consoles configured.

> 3)  Send the IOCTL to the kernel that disables VC switching
> 4)  Print "Locked - Password: ", turn off echo, and get a password
> 5)  If the PW matched either root's or the person from step #1, re-enable
> VC switching and switch back to the VC from step #1, else scan /etc/passwd
> for a matching one -- if it found one, keep VC switching off, but give a
> one-time login prompt on VC 10.
> 
> It has some problems in the total logic of it (there are some "features"
> that I never bothered to fix), but in the physically restricted
> environment that these machines are in, it allows people to get in who
> need to.....

Programmatically su'ing to the user and running 'lock -p -n' on the idle
session will do admirably.  If the idle session is running an X server,
substitute xlock.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
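
One way to implement the idle-session detection the thread describes, as an added example that is not part of the original thread. It assumes the `w -h` output format of FreeBSD's w(1) (FROM shown as "-" for local logins; IDLE as minutes, "H:MM", "Ndays", or "-") and prints the `su`/`lock -p -n` command Wes suggests as a dry run rather than executing it.

```sh
#!/bin/sh
# Added example, not code from the thread. Finds console sessions whose idle
# time has passed the ten-minute limit discussed above, reading `w -h` output
# (assumed FreeBSD format: FROM is "-" when local; IDLE is "N" minutes,
# "H:MM", "Ndays"/"1day", or "-" for under a minute).

IDLE_LIMIT=10   # minutes, the threshold the thread uses

# idle_minutes TOKEN: convert one w(1) IDLE token to whole minutes.
idle_minutes() {
    case "$1" in
        -)     echo 0 ;;
        *day*) echo $(( ${1%day*} * 1440 )) ;;
        *:*)   h=${1%%:*}; m=${1#*:}; m=${m#0}; m=${m:-0}
               echo $(( h * 60 + m )) ;;
        *)     echo "$1" ;;
    esac
}

# idle_sessions: read `w -h` lines on stdin, print "user tty minutes" for
# every session idle for IDLE_LIMIT minutes or more.
idle_sessions() {
    while read -r user tty from login idle rest; do
        [ -n "$user" ] || continue
        mins=$(idle_minutes "$idle")
        if [ "$mins" -ge "$IDLE_LIMIT" ]; then
            echo "$user $tty $mins"
        fi
    done
}

# lock_command USER: the command Wes suggests for an idle session. Printed
# only (dry run): lock(1) has to be started with that session's terminal
# as its stdin, which is left to the operator.
lock_command() {
    echo "su -m $1 -c 'lock -p -n'"
}

# Constructed sample of `w -h` output (made-up users and host).
sample_w_output() {
    cat <<'EOF'
sue      ttyv0  -                 Mon09AM   12 -sh
mike     ttyv1  -                 Mon10AM    - vi notes
root     ttyv2  -                 Sun11PM 1:05 w
wes      ttyp0  host.example.org  Mon08AM 2days -csh
EOF
}

sample_w_output | idle_sessions | while read -r user tty mins; do
    echo "$tty ($user) idle ${mins}m: $(lock_command "$user")"
done
```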


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



