On Tue, 2007-03-13 at 18:12 -0600, Doran L. Barton wrote:
> Not long ago, Chris Carey proclaimed...
> > You can specifically deny SSH logins to that account by editing
> > /etc/ssh/sshd_config
> 
> See the DenyUsers directive in the sshd_config(5) man page. 

The problem with DenyUsers is that it puts a finger in the dike, but
other leaks might appear. What if a junior admin turns telnet on? What
if a less-than-trustworthy user with a local account decides to have a
little fun?

DenyUsers is blacklisting and may be part of a complete security
implementation, but AllowUsers is going to be more secure because it
uses whitelisting instead. Both do nothing to secure other channels,
however.

Best is to leave the user's shell as /bin/nologin and use "su -l -s -c"
or else sudo as Scott & Chris have suggested.

BTW: You'll probably want to set the user's password field back to
something impossible like "*" or "!".

-- 
Stuart Jansen              e-mail/jabber: [EMAIL PROTECTED]
                           google talk:   [EMAIL PROTECTED]

"However beautiful the strategy, you should occasionally look at 
the results." -- Winston Churchill


/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
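The following is an added example, not part of the PLUG thread above: a small POSIX sh audit of the three layers Stuart's message touches on (whether sshd_config whitelists with AllowUsers or only blacklists with DenyUsers, whether the account's login shell is a nologin shell, and whether its shadow password field is locked). The sshd_config fragments, the account name "backup" and the passwd/shadow lines are all constructed sample data, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): audit a service/shared account the way
# the message above suggests, checking three layers rather than sshd alone:
#   1. does sshd_config whitelist (AllowUsers) or merely blacklist (DenyUsers)?
#   2. is the account's login shell non-interactive (nologin/false)?
#   3. is its shadow password field locked ("*", "!", "!!" or a "!"-prefixed hash)?
# All inputs below are constructed sample data, not copied from a real system.

# Constructed sshd_config fragments; the hardened one uses a whitelist.
SSHD_CONFIG_WEAK='Port 22
PermitRootLogin no
DenyUsers backup'

SSHD_CONFIG_HARDENED='Port 22
PermitRootLogin no
AllowUsers alice bob'

# Constructed passwd(5) and shadow(5) entries for a hypothetical account "backup".
PASSWD_INTERACTIVE='backup:x:1005:1005:Backup:/var/backups:/bin/bash'
PASSWD_NOLOGIN='backup:x:1005:1005:Backup:/var/backups:/sbin/nologin'
SHADOW_USABLE='backup:$6$saltsalt$placeholdernotarealhash:17600:0:99999:7:::'
SHADOW_LOCKED='backup:!:17600:0:99999:7:::'

# Classify how sshd_config restricts logins: allow (whitelist), deny (blacklist
# only) or none. Directive names are case-insensitive and leading whitespace is
# ignored, as sshd does; a commented-out directive does not count.
sshd_login_policy() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]'; then
        echo allow
    elif printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*DenyUsers[[:space:]]+[^[:space:]]'; then
        echo deny
    else
        echo none
    fi
}

# True when the passwd entry's shell field (7th) refuses interactive logins.
shell_is_nologin() {
    case "$(printf '%s' "$1" | cut -d: -f7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the shadow entry's password field (2nd) can never match a typed
# password: "*" or anything starting with "!" (which covers "!" and "!!").
password_is_locked() {
    case "$(printf '%s' "$1" | cut -d: -f2)" in
        '*'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; no output means all three layers hold.
audit_account() {
    passwd_line=$1 shadow_line=$2 sshd_cfg=$3
    [ "$(sshd_login_policy "$sshd_cfg")" = allow ] || echo 'sshd: no AllowUsers whitelist'
    shell_is_nologin "$passwd_line" || echo 'passwd: interactive login shell'
    password_is_locked "$shadow_line" || echo 'shadow: password field not locked'
    return 0
}

# Number of findings for an account (0 when fully locked down).
finding_count() {
    out=$(audit_account "$1" "$2" "$3")
    [ -z "$out" ] && echo 0 || printf '%s\n' "$out" | wc -l | tr -d ' '
}

echo 'Weak setup:';     audit_account "$PASSWD_INTERACTIVE" "$SHADOW_USABLE" "$SSHD_CONFIG_WEAK"
echo 'Hardened setup:'; audit_account "$PASSWD_NOLOGIN" "$SHADOW_LOCKED" "$SSHD_CONFIG_HARDENED"

# To run something as the locked-down account, name a shell explicitly so the
# nologin shell is bypassed only on purpose (needs root; not executed here):
#   su -l -s /bin/sh -c 'some-command' backup
# or, with sudo:
#   sudo -u backup some-command
```

The weak setup yields three findings and the hardened one none; an account that merely has DenyUsers plus a nologin shell and locked password still yields one, which is the point of the message: each layer closes a different door.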
