On Tue, 7 Nov 2006 15:54:00 -0500 "Dave" <[EMAIL PROTECTED]> wrote:
> Hello,
> I've got a FreeBSD box that I have a user on who needs special
> console access. I've given him access to what is required, but I do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically if this user isn't
> right in front of the box I don't want him accessing it. Is it
> possible to lock a user out to this extent? I know with ssh I can do
> an AllowGroup option and not put him in the group; that would work?
> Thanks.

You should be able to achieve this via the ttys.allow parameter that is
provided by login.conf(5). Either

    local:\
            :ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
            :tc=default:

or

    local:\
            :ttys.allow=local:\
            :tc=default:

with /etc/ttys modified to something like this:

    ttyv0   "/usr/libexec/getty Pc"   cons25  on group=local secure  # Virtual terminals
    ttyv1   "/usr/libexec/getty Pc"   cons25  on group=local secure
    ttyv2   "/usr/libexec/getty Pc"   cons25  on group=local secure
    ttyv3   "/usr/libexec/getty Pc"   cons25  on group=local secure
    ttyv4   "/usr/libexec/getty Pc"   cons25  on group=local secure
    ttyv5   "/usr/libexec/getty Pc"   cons25  on secure
    ttyv6   "/usr/libexec/getty Pc"   cons25  on secure
    ttyv7   "/usr/libexec/getty Pc"   cons25  on secure

Then switch his login class to local and the policy should be enforced
system-wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd-wide.

    :times.allow=MoTuWeThFr0800-1600:\

might also come in handy, allowing access only during the week from 8am
to 4pm :)

Joerg

-- 
| /"\  ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ /  campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X   HTML in email    | .the next sentence is true.             |
| / \  and news         | .the previous sentence was a lie.       |
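A way to check the login.conf/ttys setup described above before relying on it, added here as an example and not part of Joerg's mail: the login.conf and /etc/ttys excerpts are constructed, and the helper names cap_value and allowed_ttys are mine. It follows tc= inheritance and expands a ttys.allow entry either as a group= from /etc/ttys (Joerg's second variant) or as a plain tty name (his first).

```shell
# Added example, not from the original mail: from constructed excerpts of
# /etc/login.conf and /etc/ttys, work out which ttys a login class may use.
# On a real box: assign the class with `pw usermod user -L local` and rebuild
# the database with `cap_mkdb /etc/login.conf` after editing login.conf.
LOGIN_CONF=$(mktemp); TTYS=$(mktemp)    # constructed sample files
cat > "$LOGIN_CONF" <<'EOF'
default:\
	:welcome=/etc/motd:
local:\
	:ttys.allow=local:\
	:tc=default:
EOF
cat > "$TTYS" <<'EOF'
# name	getty				type	status	comments
ttyv0	"/usr/libexec/getty Pc"	cons25	on group=local secure
ttyv1	"/usr/libexec/getty Pc"	cons25	on group=local secure
ttyv5	"/usr/libexec/getty Pc"	cons25	on secure
ttyp0	none				network
EOF

# Join backslash-continued lines so each login class becomes one record.
records() { awk '/\\$/ { sub(/\\$/, ""); sub(/^[ \t]+/, ""); printf "%s", $0; next }
                 { sub(/^[ \t]+/, ""); print }' "$1"; }

# cap_value <login.conf> <class> <capability>: print the value, following tc=.
cap_value() {
  rec=$(records "$1" | awk -F: -v c="$2" '$1 == c { print; exit }')
  [ -n "$rec" ] || return 0
  val=$(printf '%s\n' "$rec" | tr ':' '\n' | sed -n "s/^$3=//p")
  if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
  parent=$(printf '%s\n' "$rec" | tr ':' '\n' | sed -n 's/^tc=//p')
  [ -n "$parent" ] && cap_value "$1" "$parent" "$3"
  return 0
}

# allowed_ttys <login.conf> <ttys> <class>: expand ttys.allow into tty names.
# An entry naming a group=<entry> in /etc/ttys selects every tty in that
# group (Joerg's second variant); anything else is taken as a tty name.
allowed_ttys() {
  list=$(cap_value "$1" "$3" ttys.allow)
  [ -n "$list" ] || { echo "no ttys.allow: every tty permitted"; return 0; }
  for entry in $(printf '%s\n' "$list" | tr ',' ' '); do
    awk -v e="$entry" '$1 !~ /^#/ { hit = ($1 == e)
      for (i = 2; i <= NF; i++) if ($i == "group=" e) hit = 1
      if (hit) print $1 }' "$2"
  done | sort -u | tr '\n' ' ' | sed 's/ $//'; echo
}

echo "class local may log in on: $(allowed_ttys "$LOGIN_CONF" "$TTYS" local)"
```

Point the two file arguments at the real /etc/login.conf and /etc/ttys to audit a live system; a class with no ttys.allow (and no ttys.deny) is reported as unrestricted.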