On Mon, Mar 19, 2001 at 12:24:59PM +0000, Colin Phipps wrote:
>
> You'll have to tie down the telnet options somehow; looking at telnet(1)
> it has options for logging data etc (I'm thinking of one user enabling
> logging to capture other users' passwords).
this restricted account should not have a writable home directory, the
.bashrc files should have a very restricted environment set, along
with a PATH of ~/bin only with a symlink to ssh and maybe telnet.
anyone using the machine should log it all the way out to a getty and
relogin to ensure no aliases or such are employed to cause troubles..
perhaps a better option even is to setup a menu so that interactive
access to the local shell itself is not possible. i would also use
idled to kill the login after a short period of inactivity as that can
help kill any traps a previous luser might try and set. so long as
the entire home directory is owned by root and read-only it shouldn't
be possible to make any persistent changes to the account.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
