On Tue, 7 Nov 2006 15:54:00 -0500
"Dave" <[EMAIL PROTECTED]> wrote:

> Hello,
>     I've got a FreeBSD box that I have a user on who needs special
> console access. I've given him access to what is required, but I do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically, if this user isn't
> right in front of the box I don't want him accessing it. Is it
> possible to lock a user out to this extent? I know with ssh I can do
> an AllowGroups option and not put him in the group; would that work?
> Thanks.

You should be able to achieve this via the ttys.allow parameter that is
provided by login.conf(5).



with /etc/ttys modified to something like this:

ttyv0   "/usr/libexec/getty Pc"         cons25  on  group=local secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv2   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv3   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv4   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure

Then switch his login class to local and the policy should be enforced
system wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd wide.


might also come in handy, allowing access only during the week from 8am to
4pm :)

| /"\   ASCII ribbon   |  GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |    0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |        .the next sentence is true.       |
| / \     and news     |     .the previous sentence was a lie.    |
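The scheme above has two halves that must agree: the group= flag on each line of /etc/ttys, and the ttys.allow list in the user's login class. A typo on either side silently widens or narrows what the user can reach, so it is worth checking the two files against each other before assigning the class. The script below is an added example, not code from the poster or from FreeBSD: it reads a ttys(5)-style file and a login.conf(5)-style file (constructed samples are written to a temporary directory), resolves each ttys.allow entry the way login.conf(5) describes (an entry matches either a tty name or a tty group), and reports, tty by tty, whether a member of the class could log in there. It assumes that a tty line without a group= flag falls into the group "none", that an unset ttys.allow permits every tty, and it ignores ttys.deny.

```sh
#!/bin/sh
# Added example: audit which ttys a login class may use under ttys.allow.
# Assumptions (not taken from the original message): a tty with no group=
# flag belongs to group "none"; an unset ttys.allow allows every tty;
# ttys.deny is not evaluated here.

# Constructed sample files, written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/ttys" <<'EOF'
# constructed ttys(5) sample
ttyv0   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  on  secure
ttyp0   none                            network
EOF

cat > "$SAMPLE_DIR/login.conf" <<'EOF'
# constructed login.conf(5) sample: "local" may use group local plus ttyv5
default:\
    :tc=standard:
local:\
    :ttys.allow=local,ttyv5:\
    :tc=default:
EOF

# Print the tty names in file $1 that carry group=$2.
ttys_in_group() {
    awk -v grp="$2" '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        { for (i = 2; i <= NF; i++)
              if ($i == ("group=" grp)) { print $1; break } }
    ' "$1"
}

# Print the group of tty $2 in file $1 ("none" when no group= flag, assumption),
# or nothing if the tty is not listed.
tty_group() {
    awk -v tty="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == tty { g = "none"
                    for (i = 2; i <= NF; i++)
                        if ($i ~ /^group=/) g = substr($i, 7)
                    print g; exit }
    ' "$1"
}

# Print the ttys.allow value of class $2 in login.conf-style file $1
# (empty if the class has none). Backslash-continued records are joined first.
class_ttys_allow() {
    awk -v cls="$2" '
        function process(rec,   n, f, i) {
            gsub(/[ \t]/, "", rec)
            n = split(rec, f, ":")
            if (f[1] != cls) return
            for (i = 2; i <= n; i++)
                if (f[i] ~ /^ttys\.allow=/) { print substr(f[i], 12); exit }
        }
        /^[[:space:]]*#/ { next }
        { line = line $0 }
        !/\\$/ { process(line); line = ""; next }
        { sub(/\\$/, "", line) }
    ' "$1"
}

# Return 0 if class $3 (from login.conf $1) may log in on tty $4 (from ttys $2):
# an entry in ttys.allow must equal the tty name or the tty's group.
tty_allowed_for_class() {
    allow=$(class_ttys_allow "$1" "$3")
    [ -z "$allow" ] && return 0          # no ttys.allow: nothing restricted
    grp=$(tty_group "$2" "$4")
    [ -z "$grp" ] && return 1            # tty not present in the file
    oldifs=$IFS; IFS=,
    for entry in $allow; do
        if [ "$entry" = "$4" ] || [ "$entry" = "$grp" ]; then
            IFS=$oldifs; return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# Report every tty in $2 as allowed or denied for class $3.
audit_class() {
    awk '/^[[:space:]]*(#|$)/ { next } { print $1 }' "$2" | while read -r tty; do
        if tty_allowed_for_class "$1" "$2" "$3" "$tty"; then
            printf '%-6s allowed for class %s\n' "$tty" "$3"
        else
            printf '%-6s denied  for class %s\n' "$tty" "$3"
        fi
    done
}

audit_class "$SAMPLE_DIR/login.conf" "$SAMPLE_DIR/ttys" local
```

Run against the real files with `audit_class /etc/login.conf /etc/ttys local` (dropping the sample section) to confirm that only the console lines you intended are reported as allowed; remember that login.conf changes take effect only after `cap_mkdb /etc/login.conf`, and that sshd, telnetd and getty all consult the same class, which is what makes this stricter than sshd's AllowGroups alone.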
