Re: Limiting access to website ???
On Sat, 2003-10-04 at 18:34, Michael D Schleif wrote:

[...]

> While on this subject, what do you recommend for us to become a CA?
> `apt-cache search certificate' shows only pyca -- is that adequate?
> What are the considerations for becoming a CA?

I just use openssl for our CA; I have written a few small shell scripts to keep from having to remember the parameters, but it is really quite straightforward.

I would recommend the following online book:

    http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm

for an overview of how to do this. Especially this section:

    http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/initialisation.htm

-Mark

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Limiting access to website ???
We are working on a web-based application. It will use mod_ssl to secure transactions.

We want to limit access to the application. Yes, we have username/password authentication; but, we are also considering host-based limits.

Can this be done with [mod_]ssl?

Can access to a website require a certificate on the browser side?

If so, please, point me in the right direction (e.g., URL's, documentation, applications, &c.)

What do you think?

--
Best Regards,

mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: Limiting access to website ???
Michael D Schleif [EMAIL PROTECTED] said,

> We are working on a web-based application. It will use mod_ssl to secure transactions.
>
> We want to limit access to the application. Yes, we have username/password authentication; but, we are also considering host-based limits.
>
> Can this be done with [mod_]ssl?
>
> Can access to a website require a certificate on the browser side?
>
> If so, please, point me in the right direction (e.g., URL's, documentation, applications, &c.)

Dare I suggest www.apache.org?

> What do you think?
>
> --
> Best Regards,
>
> mds
> mds resource
> 877.596.8237
> - Dare to fix things before they break . . .
> - Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .

--
Aaron Bieber - Graphic Design // Web Design
http://www.fisheyemultimedia.com/
[EMAIL PROTECTED]
Re: Limiting access to website ???
On Sat, Oct 04, 2003 at 12:50:39PM -0500, Michael D Schleif wrote:

> We are working on a web-based application. It will use mod_ssl to secure transactions.
>
> We want to limit access to the application. Yes, we have username/password authentication; but, we are also considering host-based limits.
>
> Can this be done with [mod_]ssl?

No, but it can be done with apache, which is what I presume you are using.

> Can access to a website require a certificate on the browser side?

Yes.

> If so, please, point me in the right direction (e.g., URL's, documentation, applications, &c.)

http://httpd.apache.org/

--
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Re: Limiting access to website ???
Aaron [EMAIL PROTECTED] [2003:10:04:15:02:38-0400] scribed:

> Michael D Schleif [EMAIL PROTECTED] said,
>
> > We are working on a web-based application. It will use mod_ssl to secure transactions.
> >
> > We want to limit access to the application. Yes, we have username/password authentication; but, we are also considering host-based limits.
> >
> > Can this be done with [mod_]ssl?
> >
> > Can access to a website require a certificate on the browser side?
> >
> > If so, please, point me in the right direction (e.g., URL's, documentation, applications, &c.)
>
> Dare I suggest www.apache.org?

Yes, you may. I have reacquainted myself with this:

    http://httpd.apache.org/docs/misc/FAQ.html#dnsauth

However, I am wondering whether or not this can be done with SSL-type certificates? I admit that I have not gone completely through all of the mod_auth* alternatives . . .

I am clear how SSL certificates establish trust -- client/browser trust of the remote webserver/application. Can this be inverted? Can the webserver/application establish trust of the client/browser via certificates, or something similar?

We are looking for some authentication of the client side that does *not* require userland interaction.

If this is google-able, please, help me with search criteria . . .

What do you think?

--
Best Regards,

mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: Limiting access to website ???
Dave Carrigan [EMAIL PROTECTED] [2003:10:04:12:31:02-0700] scribed:

> On Sat, Oct 04, 2003 at 12:50:39PM -0500, Michael D Schleif wrote:
>
> > We are working on a web-based application. It will use mod_ssl to secure transactions.
> >
> > We want to limit access to the application. Yes, we have username/password authentication; but, we are also considering host-based limits.
> >
> > Can this be done with [mod_]ssl?
>
> No, but it can be done with apache, which is what I presume you are using.
>
> > Can access to a website require a certificate on the browser side?
>
> Yes.
>
> > If so, please, point me in the right direction (e.g., URL's, documentation, applications, &c.)
>
> http://httpd.apache.org/

What am I missing? I have read this:

    http://httpd.apache.org/docs/howto/auth.html

As I responded to Aaron's message, we are looking for some kind of passive authentication, like an SSL Certificate. We do not want to have to rely on humans remembering another username/password, especially since the web application already has that control. We do not want the complications intrinsic to an httpd.conf embedded ACL.

I know that I appear to be hung up on SSL Certificates; but, that model appears to meet our needs -- if only I can find the requisite documentation.

Yes, two of you have suggested apache.org, and that is helpful. Nevertheless, I have not found what I am looking for on their site. Can you point me to a more specific URL?

What do you think?

--
Best Regards,

mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: Limiting access to website ???
On Sat, Oct 04, 2003 at 02:56:14PM -0500, Michael D Schleif wrote:

> As I responded to Aaron's message, we are looking for some kind of passive authentication, like an SSL Certificate. We do not want to have to rely on humans remembering another username/password, especially since the web application already has that control. We do not want the complications intrinsic to an httpd.conf embedded ACL.
>
> I know that I appear to be hung up on SSL Certificates; but, that model appears to meet our needs -- if only I can find the requisite documentation.

Have you tried google?

    http://www.google.com/search?q=apache+certificate+authentication

Using that, I found

    http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

which seems to be about what you want to do.

Frank
Re: Limiting access to website ???
Frank Gevaerts [EMAIL PROTECTED] [2003:10:04:22:25:54+0200] scribed:

> On Sat, Oct 04, 2003 at 02:56:14PM -0500, Michael D Schleif wrote:
>
> > As I responded to Aaron's message, we are looking for some kind of passive authentication, like an SSL Certificate. We do not want to have to rely on humans remembering another username/password, especially since the web application already has that control. We do not want the complications intrinsic to an httpd.conf embedded ACL.
> >
> > I know that I appear to be hung up on SSL Certificates; but, that model appears to meet our needs -- if only I can find the requisite documentation.
>
> Have you tried google?
>
>     http://www.google.com/search?q=apache+certificate+authentication
>
> Using that, I found
>
>     http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9
>
> which seems to be about what you want to do.

OK, this section is what I need -- thank you:

    http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6

Correct me if I am wrong; but, this is the process?

[1] One (1) Certificate per client/browser authenticates *both* the server to the client, and the client to the server; and

[2] Each client/browser can have *either* a unique client-specific Certificate, or each client/browser can have a Certificate _common_ to a group, for purposes of authentication in point [1].

[3] Will we need to become our own Certificate Authority, or would this work just as well with self-signed Certificates, and without any upline authority?

Once I am clear on these points, I can go back to openssl, build some Certificates and test, test, test . . .

What do you think?

--
Best Regards,

mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: Limiting access to website ???
On Sat, Oct 04, 2003 at 04:25:57PM -0500, Michael D Schleif wrote:

> OK, this section is what I need -- thank you:
>
>     http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
>
> Correct me if I am wrong; but, this is the process?
>
> [1] One (1) Certificate per client/browser authenticates *both* the server to the client, and the client to the server; and

The server will need its own certificate with a CN of the server's hostname.

> [2] Each client/browser can have *either* a unique client-specific Certificate, or each client/browser can have a Certificate _common_ to a group, for purposes of authentication in point [1].

I suspect that you would be better off generating a certificate for each client, but that probably depends on your requirements.

> [3] Will we need to become our own Certificate Authority, or would this work just as well with self-signed Certificates, and without any upline authority?

You will need to be a CA, and both the server cert and the clients' certs will need to be signed by that CA. In addition, the server config needs to point to the CA's cert so that it can verify the clients' certs.

The clients should have the CA's cert installed as well or else each client will complain when they connect because they don't recognize the server's certificate signer. This isn't strictly necessary, as long as your users can be trained to permanently accept the unknown cert the first time they connect.

Note that all this could become very onerous if your application isn't targeted at a closed group of users (i.e., it's something on the Internet).

--
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Re: Limiting access to website ???
Dave Carrigan [EMAIL PROTECTED] [2003:10:04:15:15:21-0700] scribed:

> On Sat, Oct 04, 2003 at 04:25:57PM -0500, Michael D Schleif wrote:
>
> > OK, this section is what I need -- thank you:
> >
> >     http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
> >
> > Correct me if I am wrong; but, this is the process?
> >
> > [1] One (1) Certificate per client/browser authenticates *both* the server to the client, and the client to the server; and
>
> The server will need its own certificate with a CN of the server's hostname.

Yes, of course; but, thank you for pointing it out.

> > [2] Each client/browser can have *either* a unique client-specific Certificate, or each client/browser can have a Certificate _common_ to a group, for purposes of authentication in point [1].
>
> I suspect that you would be better off generating a certificate for each client, but that probably depends on your requirements.

OK

> > [3] Will we need to become our own Certificate Authority, or would this work just as well with self-signed Certificates, and without any upline authority?
>
> You will need to be a CA, and both the server cert and the clients' certs will need to be signed by that CA. In addition, the server config needs to point to the CA's cert so that it can verify the clients' certs.

Yes, this is the kind of detail that I did not guess.

While on this subject, what do you recommend for us to become a CA? `apt-cache search certificate' shows only pyca -- is that adequate? What are the considerations for becoming a CA?

> The clients should have the CA's cert installed as well or else each client will complain when they connect because they don't recognize the server's certificate signer. This isn't strictly necessary, as long as your users can be trained to permanently accept the unknown cert the first time they connect.
>
> Note that all this could become very onerous if your application isn't targeted at a closed group of users (i.e., it's something on the Internet).

The point is to allow only a select group access to the application; access which may or may not go across the Internet. One level of security would be this passive approach, whereby if the client does not present an acceptable certificate upon connection to the server, the server will not respond to the client's requests with access to the application. If the client presents an acceptable certificate, then the server will invoke other access and authentication processes.

Thank you, for your insightful responses . . .

--
Best Regards,

mds
mds resource
877.596.8237
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
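The procedure Dave lays out above (a CA of your own, a server certificate and per-client certificates signed by it, and the server pointed at the CA certificate so it can verify what clients present), together with Mark's remark that plain openssl and a few small shell scripts are enough, as an added example that is not part of the thread. Every name, path and the "example.test" hostname are assumptions made for the example; the mod_ssl directives are the ones documented in the ssl_howto section linked above.

```sh
#!/bin/sh
# Added example, not from the thread: a private CA built with plain openssl,
# the server and client certificates it signs, and the mod_ssl directives
# that make Apache demand a client certificate signed by that CA.
# All names, paths and the example.test hostname are placeholders.
set -eu

# make_ca DIR: self-signed CA key and certificate in DIR (the "upline authority").
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Org/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the CA key is the whole trust model; keep it private
}

# issue_cert DIR NAME CN: key + CSR for NAME, signed by the CA living in DIR.
# Used once for the server (CN = its hostname) and once per client.
issue_cert() {
    dir=$1 name=$2 cn=$3
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# cert_is_trusted CAFILE CERT: 0 if CERT chains to CAFILE, 1 otherwise.
# This is the same check mod_ssl makes against SSLCACertificateFile on each
# client certificate before any request reaches the application.
cert_is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject_cn CERT: the CN the application will later see as SSL_CLIENT_S_DN_CN.
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# write_httpd_conf CADIR FILE: the mod_ssl fragment for the SSL virtual host.
write_httpd_conf() {
    cat > "$2" <<EOF
# Assumed paths: point these at wherever the files actually live.
SSLEngine             on
SSLCertificateFile    $1/server.crt
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile  $1/ca.crt
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

# demo: build the CA, a server cert, one client cert, and a cert from an
# unrelated CA to show that the latter is rejected.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca"
    issue_cert "$work/ca" server "www.example.test"
    issue_cert "$work/ca" alice  "alice"
    make_ca "$work/other-ca"                  # a CA the server was never told about
    issue_cert "$work/other-ca" mallory "mallory"
    write_httpd_conf "$work/ca" "$work/ssl-client-auth.conf"
    for cert in "$work/ca/alice.crt" "$work/other-ca/mallory.crt"; do
        if cert_is_trusted "$work/ca/ca.crt" "$cert"; then
            echo "accept  $(cert_subject_cn "$cert")"
        else
            echo "reject  $(cert_subject_cn "$cert")"
        fi
    done
    cat "$work/ssl-client-auth.conf"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh client-ca.sh --demo`. The point of the second CA is Dave's point [3]: a self-signed client certificate, or one signed by anybody else, fails `openssl verify` against our ca.crt exactly as it would fail `SSLVerifyClient require`, so only certificates we issued ever reach the application's own username/password layer. Client-side, each browser imports its own `.key`/`.crt` pair (PKCS#12 is the usual container) and, as Dave notes, the ca.crt as well.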
Limiting access to bad URLs
Under woody I've set up a small server using Squid proxy and diald. Now, because the Internet will be used by children I don't want them to access pornographic material, so in squid.conf I put the following (some words are in Italian):

    #SQUID.CONF begins exactly here
    http_port 8080

    #We recommend you to use the following two lines.
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY

    #DO NOT ENTER
    acl niet1 url_regex -i sex
    acl niet2 url_regex -i sesso
    acl niet3 url_regex -i porn
    http_access deny niet1
    http_access deny niet2
    http_access deny niet3

    SNIP

I have tried with two Italian porno sites where the words sesso and porno are present in the URLs, but nothing prevented squid from loading them. Why?

Could you please suggest a well-formed squid.conf to this aim?

Vittorio
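As an added example (not part of Vittorio's post and not Squid code), a small shell emulation of how Squid walks its http_access list, run over a constructed fragment modelled on the one above. The post does not show the rest of the file, so it cannot say why the denies had no effect; what the emulation demonstrates is the ordering rule that decides it: Squid tries http_access lines top to bottom, the first line whose ACL matches wins, and when nothing matches the opposite of the last line's action applies. A catch-all `http_access allow all` placed above the deny lines therefore switches them off, and `-i` is what makes "SESSO" match as well as "sesso". Only url_regex, urlpath_regex and the built-in `all` ACL are modelled; the file names and URLs are made up for the example.

```sh
#!/bin/sh
# Added example: emulation of Squid's http_access evaluation order, so a
# squid.conf fragment can be checked without a running proxy. Modelled:
# first matching http_access line wins; no match -> opposite of last rule.
set -eu
set -f   # ACL patterns are regexes; never let the shell glob them

# acl_matches NAME URL CONF: 0 if the ACL called NAME matches URL.
acl_matches() {
    name=$1 url=$2 conf=$3
    [ "$name" = all ] && return 0          # Squid's built-in catch-all ACL
    # "acl NAME type [-i] PATTERN..." (one definition line per ACL assumed)
    def=$(awk -v n="$name" '$1 == "acl" && $2 == n { $1 = $2 = ""; print; exit }' "$conf")
    [ -n "$def" ] || return 1
    set -- $def
    type=$1; shift
    flags=
    if [ "${1:-}" = -i ]; then flags=-i; shift; fi   # -i = case-insensitive
    case $type in
    url_regex)     subject=$url ;;                    # whole URL
    urlpath_regex) subject=/${url#*://*/} ;;          # path only (URL must have one)
    *)             return 1 ;;                        # ACL type not modelled
    esac
    for pat; do
        printf '%s\n' "$subject" | grep -qE $flags -- "$pat" && return 0
    done
    return 1
}

# http_access_decide URL CONF: print "allow" or "deny" for URL.
http_access_decide() {
    url=$1 conf=$2
    last=
    while read -r keyword action aclname rest; do
        [ "$keyword" = http_access ] || continue
        last=$action
        if acl_matches "$aclname" "$url" "$conf"; then
            echo "$action"
            return 0
        fi
    done < "$conf"
    # nothing matched: Squid applies the opposite of the last rule's action
    # (and denies outright when there are no rules at all)
    case $last in deny) echo allow ;; *) echo deny ;; esac
}

# write_conf FILE POSITION: constructed fragment modelled on the post's.
# POSITION "last" puts the catch-all allow after the deny lines (intended);
# "first" puts it before them, which silently disables every deny below it.
write_conf() {
    file=$1 position=$2
    allow_first= allow_last=
    if [ "$position" = first ]; then allow_first='http_access allow all'
    else allow_last='http_access allow all'; fi
    cat > "$file" <<EOF
http_port 8080
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl niet1 url_regex -i sex
acl niet2 url_regex -i sesso
acl niet3 url_regex -i porn
$allow_first
http_access deny niet1
http_access deny niet2
http_access deny niet3
$allow_last
EOF
}

demo() {
    work=$(mktemp -d)
    write_conf "$work/squid-ok.conf" last
    write_conf "$work/squid-misordered.conf" first
    for u in http://www.example.test/sesso/index.html http://www.example.test/news/; do
        printf '%-42s ok:%-6s misordered:%s\n' "$u" \
            "$(http_access_decide "$u" "$work/squid-ok.conf")" \
            "$(http_access_decide "$u" "$work/squid-misordered.conf")"
    done
}

case "${1:-}" in --demo) demo ;; esac
```

Run with `sh squid-acl-check.sh --demo`. The first thing to verify in the real file is therefore where the catch-all allow sits relative to the deny lines; the second is that the deny lines are in the same `http_access` list at all (an `http_reply_access` or `no_cache` line, like the QUERY one above, does not block a request).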
Re: limiting access
On Sun, 20 Aug 2000 11:18:17 PDT, kmself@ix.netcom.com writes:

> On Sun, Aug 20, 2000 at 02:11:00AM -0700, kmself@ix.netcom.com wrote:
>
> > As suggested, the restricted shell. Invoked with rbash or bash -r.
> >
> > This doesn't allow changes to $PATH, users can't cd, and a number of other restrictions exist. You *have* to either point users to a system directory with commands they can use, or create a commands directory for
>
> [snip]
>
> If it wasn't apparent, this was the sort of configuration I was advocating. An alternative would be to have some sort of an rbash/bin directory someplace which all restricted users could be pointed at. You'd want to avoid including, for obvious reasons, /bin, /usr/bin, or administrative commands.

This is what I was looking for; now all I need is some time, and I'll see what I can do (to them :).

Thanks!

cheers,
rw

--
/ Robert Waldner [EMAIL PROTECTED] | Phone: +43 1 89933 0 Fax x533 \
\ KPNQwest/AT tech staff           | Diefenbachg. 35 A-1150 Wien   /
limiting access
Hi!

(I'm quite sure that a pointer in the right direction/to the proper FM is all I need.)

I have a bunch of luser-accounts on one of my boxes; what I want is to restrict them to their home-dir, with only very special exceptions.

Any hints? iirc there is a way to set the root-dir to some other than /, but what's the command/utility for that?

TIA,
rw

--
/ Robert Waldner [EMAIL PROTECTED] | Phone: +43 1 89933 0 Fax x533 \
\ KPNQwest/AT tech staff           | Diefenbachg. 35 A-1150 Wien   /
Re: limiting access
On Sun, 20 Aug 2000, Robert Waldner wrote:

> I have a bunch of luser-accounts on one of my boxes; what I want is to restrict them to their home-dir, with only very special exceptions.

You probably want to use rsh, the restricted shell (as opposed to rsh the remote shell).

> Any hints? iirc there is a way to set the root-dir to some other than /, but what's the command/utility for that?

chroot. But chroot removes the entire portion of the filesystem above where you chrooted to, so your chroot environment has to have its own /usr/bin, its own libraries, its own /etc files... it has to be a fully functioning system in its own right. The most common use for chroot is for anonymous FTP, which is probably the very minimum chroot environment that works.

Chroot doesn't guarantee security, as setuid programs within the chroot environment can still give root access, and users can still communicate with non-chroot processes normally. And it is not trivial, but usually pretty easy, for someone getting root access within a chroot jail to get out of it again.

The restricted shell can allow you to control precisely what a user does, which can provide a different sort of security.
Re: limiting access
On Sun, Aug 20, 2000 at 10:14:01AM +0200, Robert Waldner wrote:

> Hi!
>
> (I'm quite sure that a pointer in the right direction/to the proper FM is all I need.)
>
> I have a bunch of luser-accounts on one of my boxes; what I want is to restrict them to their home-dir, with only very special exceptions.
>
> Any hints? iirc there is a way to set the root-dir to some other than /, but what's the command/utility for that?

As suggested, the restricted shell. Invoked with rbash or bash -r.

This doesn't allow changes to $PATH, users can't cd, and a number of other restrictions exist. You *have* to either point users to a system directory with commands they can use, or create a commands directory for them. Unlike chroot, rbash allows references to files outside the immediate directory tree, so you can create symlinks to other system files, and you don't have to specially include libraries within the user's environment.

rbash environments are often set up with a menu system rather than a full command line.

--
Karsten M. Self kmself@ix.netcom.com        http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                     http://www.opensales.org
  What part of Gestalt don't you understand?      Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/      K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Re: limiting access
On Sun, Aug 20, 2000 at 02:11:00AM -0700, kmself@ix.netcom.com wrote:

> As suggested, the restricted shell. Invoked with rbash or bash -r.
>
> This doesn't allow changes to $PATH, users can't cd, and a number of other restrictions exist. You *have* to either point users to a system directory with commands they can use, or create a commands directory for

but you can't really include /bin or /usr/bin without allowing the user to trivially break out of the restricted shell: if /bin is in the $PATH then they need to only run `exec bash' to get a real shell without restrictions. if /usr/bin is in the path they can run chsh -s /bin/bash and logout and relogin to get a real shell (or passwd -s /bin/bash).

really you have to only have ~/bin in their PATH and create appropriate symlinks or shell wrappers to the real binaries.

i managed to create a very limited environment which allows a user to get directory listings from their $HOME and nowhere else, and to scp files from their $HOME and nowhere else. i did this by writing small shell wrappers to ls to strip off absolute pathnames (ls -l /etc/passwd becomes ls -l passwd). a similar wrapper was written around scp to allow files to be downloaded but only from the home directory. ~/bin is obviously not writable by the user, neither is the home directory. the account is `scp only' (a way to get rid of ftp). i `think' its relatively secure if anyone is interested in seeing my wrapper scripts.

> them. Unlike chroot, rbash allows references to files outside the immediate directory tree, so you can create symlinks to other system files, and you don't have to specially include libraries within the user's environment.
>
> rbash environments are often set up with a menu system rather than a full command line.

making a secure and still usable rbash command line interface would probably take just as much time as getting a chroot() login to work (which i also sort of accomplished but it was kludgy and broken).

in any event you should make sure your system is secured as if the lusers have ordinary unrestricted shell logins, that way even if your restrictions fail you should still be ok.

you should definitely look at /etc/security/limits.conf too.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: limiting access
On Sun, Aug 20, 2000 at 01:34:04AM -0800, Ethan Benson wrote:

> On Sun, Aug 20, 2000 at 02:11:00AM -0700, kmself@ix.netcom.com wrote:
>
> > As suggested, the restricted shell. Invoked with rbash or bash -r.
> >
> > This doesn't allow changes to $PATH, users can't cd, and a number of other restrictions exist. You *have* to either point users to a system directory with commands they can use, or create a commands directory for
>
> but you can't really include /bin or /usr/bin without allowing the user to trivially break out of the restricted shell: if /bin is in the $PATH then they need to only run `exec bash' to get a real shell without restrictions. if /usr/bin is in the path they can run chsh -s /bin/bash and logout and relogin to get a real shell (or passwd -s /bin/bash).
>
> really you have to only have ~/bin in their PATH and create appropriate symlinks or shell wrappers to the real binaries.

If it wasn't apparent, this was the sort of configuration I was advocating. An alternative would be to have some sort of an rbash/bin directory someplace which all restricted users could be pointed at. You'd want to avoid including, for obvious reasons, /bin, /usr/bin, or administrative commands.

--
Karsten M. Self kmself@ix.netcom.com        http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                     http://www.opensales.org
  What part of Gestalt don't you understand?      Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/      K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
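The setup Ethan and Karsten converge on above (PATH holding only ~/bin, ~/bin holding wrappers rather than the real binaries, neither ~/bin nor $HOME writable by the user), as an added example that is my own code and not Ethan's wrapper scripts. Where Ethan's ls wrapper strips absolute paths down to their basename, this one refuses any path-like argument outright, which is easier to reason about; the profile and the `path_is_restricted` check encode the rule both of them state, that a PATH reaching /bin or /usr/bin undoes the restriction. Paths are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): skeleton of an rbash account whose
# only command directory is ~/bin, with an ls wrapper that stays inside
# $HOME, plus a check that the PATH really contains nothing else.
set -eu

# make_restricted_home HOME: write HOME/bin/ls (wrapper) and HOME/.bash_profile.
make_restricted_home() {
    home=$1
    mkdir -p "$home/bin"
    # rbash stops "cd" and PATH changes, but the real ls would still happily
    # list /etc or ../other; the wrapper rejects any argument that names a
    # path instead of rewriting it, then hands the rest to the real binary.
    cat > "$home/bin/ls" <<'EOF'
#!/bin/sh
for arg; do
    case $arg in
    */*|..) echo "ls: only names inside your home directory are allowed" >&2; exit 2 ;;
    esac
done
exec /bin/ls "$@"
EOF
    chmod 755 "$home/bin/ls"
    # rbash enforces its restrictions only after the startup files have run,
    # so PATH can still be set here; afterwards the user cannot change it.
    cat > "$home/.bash_profile" <<EOF
# must never include /bin or /usr/bin: either hands the user a real shell back
PATH=$home/bin
export PATH
EOF
    # neither the profile, ~/bin nor $HOME itself may be writable by the user
    chmod 444 "$home/.bash_profile"
    chmod 555 "$home/bin" "$home"
}

# path_is_restricted PATH_VALUE HOME: 0 if PATH_VALUE consists solely of HOME/bin.
# An empty entry ("::" or a leading/trailing ":") means the current directory
# and is rejected too.
path_is_restricted() {
    pathval=$1 home=$2
    oldifs=$IFS
    IFS=:
    for entry in $pathval; do
        if [ "$entry" != "$home/bin" ]; then IFS=$oldifs; return 1; fi
    done
    IFS=$oldifs
    return 0
}

demo() {
    home=$(mktemp -d)
    touch "$home/notes.txt"           # a file the user is allowed to see
    make_restricted_home "$home"
    echo "inside home:";  (cd "$home" && "$home/bin/ls" notes.txt)
    echo "outside home:"; (cd "$home" && "$home/bin/ls" /etc) || echo "refused (exit $?)"
    for p in "$home/bin" "/bin:$home/bin" "$home/bin:."; do
        if path_is_restricted "$p" "$home"; then echo "ok       PATH=$p"
        else echo "unsafe   PATH=$p"; fi
    done
    chmod -R u+w "$home" && rm -rf "$home"
}

case "${1:-}" in --demo) demo ;; esac
```

Run as `sh rbash-home.sh --demo`. The account's login shell is then set to rbash (for example `chsh -s /bin/rbash user` by root), and, as Ethan says, the box should still be hardened as if the user had a normal shell, since a wrapper environment is only as tight as its weakest wrapper.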
Re: Limiting Access
Hi,

Peter Good [EMAIL PROTECTED] writes:

> I dunno, I'll look into NIS, but originally I thought Pam would handle it.

There is a PAM module that implements what you're looking for. I played around with it for a while, back when I was using RedHat. It worked fine for console logins, but never worked for ssh. I didn't ever figure out why - I just switched to using NIS, since I was using NIS anyway.

For FTP, you can play around with its own configuration[1]. In /etc/wu-ftpd/ftpaccess, you can specify which groups are specifically allowed and denied with the 'allow-gid' and 'deny-gid' directives. Have a look at `man ftpaccess` for more detailed information.

If you're offering SSH access as an alternative to telnet[2], then you can achieve a similar thing with the 'AllowGroups' and 'DenyGroups' directives. Have a look at `man sshd` for more detailed information.

Perhaps you can come across a more fully-featured telnet daemon which will offer the same level of restrictions.

[1] I'm thinking about wu-ftpd in particular, but I'm sure others have similar features.
[2] Highly recommended.

--
Graeme.
[EMAIL PROTECTED]

Life's not fair, I reply. But the root password helps. - BOFH
Re: Limiting Access SOLVED
Found out why, missed taking the comment off this:

    # Uncomment and edit /etc/security/access.conf if you need to
    # set access limits.
    # (Replaces /etc/login.access file)
    account required pam_access.so

hehe pays not to work when tired, edited access.conf to suit, and now have telnets to the system managed the way i want them to be :)

Thanks for the help all.

Pete.

--
In the beginning, the universe was created. This made a lot of people very angry, and has been widely regarded as a bad idea.

***
* Peter Good                   Email: [EMAIL PROTECTED] *
* Pete's Internet Services     Sales: [EMAIL PROTECTED] *
* http://www.petesinternet.net Phone: 0401 283 482      *
* Morayfield QLD Australia                              *
***
Re: Limiting Access
Quoth Peter Good,

> user group    telnet  ftp
> access10      no      yes
> access20      no      yes
> shells        yes     yes
> all others    yes     yes
>
> It's a web hosting box, that also hosts shell accounts. the people with webpage packages don't need telnet and all webpage accounts have their own directory structure, eg /home/webpageusers/username

Change the shell of the users who you don't want to allow interactive logins (ssh and telnet) to something that will disallow them shell access, such as /bin/true (or /bin/nologin, i think someone once suggested). Add that shell to /etc/shells, so that the ftp daemon will see it as a valid shell and allow them ftp access.

I don't know how you'd do it for groups, but this certainly works on a per-user basis.

cheers,
damon

--
Damon Muller ([EMAIL PROTECTED])   / It's not a sense of humor.
* Criminologist                    / It's a sense of irony
* Webmeister                       / disguised as one.
* Linux Geek                       / - Bruce Sterling
- Running Debian GNU/Linux: Doing my bit for World Domination (tm) -
Limiting Access
This may sound like a newbie question but, how do i stop a certain group from accessing my system via telnet? I've played with PAM to no avail, spent the last 3 hours on it in fact. System is 2.2, just need someone to point me in the right direction, if anyone can help, plz lemme know, it's driving me batty lol.

Pete.

--
In the beginning, the universe was created. This made a lot of people very angry, and has been widely regarded as a bad idea.

***
* Peter Good                   Email: [EMAIL PROTECTED] *
* Pete's Internet Services     Sales: [EMAIL PROTECTED] *
* http://www.petesinternet.net Phone: 0401 283 482      *
* Morayfield QLD Australia                              *
***
Re: Limiting Access
> This may sound like a newbie question but, how do i stop a certain group from accessing my system via telnet? I've played with PAM to no avail, spent the last 3 hours on it in fact. System is 2.2, just need someone to point me in the right direction, if anyone can help, plz lemme know, it's driving me batty lol.
>
> Pete.

If you know the IP address of that group, you can put it into /etc/hosts.deny and deny telnet for them:

    TELNET: some.bad.host, xxx.xxx.xxx.xxx

man hosts_access(5)

Andrew

-
Andrei S. Ivanov
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://arhses.dyndns.org   -|
http://scorpio.dynodns.net -|
http://scorpio.myip.org    -|--All the pages bundled together.
UIN 12402354
For GPG key, go to above URL/GnuPG
-
Re: Limiting Access
Hi,

Peter Good [EMAIL PROTECTED] writes:

> This may sound like a newbie question but, how do i stop a certain group from accessing my system via telnet? I've played with PAM to no avail, spent the last 3 hours on it in fact. System is 2.2, just need someone to point me in the right direction, if anyone can help, plz lemme know, it's driving me batty lol.

The way I do it is through NIS. I'm running a NIS server, with maps for passwd, group and netgroup. If I'm looking to only allow a limited subset of users to a particular box, I change the local /etc/passwd to:

    root:0:.
    [EMAIL PROTECTED]::
    +::/bin/false

You have to make sure that you've got the following entry in /etc/nsswitch.conf:

    passwd: compat

If you want to deny access to a particular netgroup, do the following in /etc/passwd:

    root:0:
    - [EMAIL PROTECTED]:/bin/false
    +::

That's the idea anyway. For a better explanation, do `man passwd`. :)

--
Graeme.
[EMAIL PROTECTED]

Life's not fair, I reply. But the root password helps. - BOFH
Re: Limiting Access
Graeme had more of an idea of what i'd like to do; what it looks like is thus:

    user group    telnet  ftp
    access10      no      yes
    access20      no      yes
    shells        yes     yes
    all others    yes     yes

It's a web hosting box, that also hosts shell accounts. the people with webpage packages don't need telnet and all webpage accounts have their own directory structure, eg /home/webpageusers/username

I dunno, I'll look into NIS, but originally I thought Pam would handle it.

Pete.

> If you know the IP address of that group, you can put it into /etc/hosts.deny and deny telnet for them:
>
>     TELNET: some.bad.host, xxx.xxx.xxx.xxx
>
> man hosts_access(5)
>
> Andrew

--
In the beginning, the universe was created. This made a lot of people very angry, and has been widely regarded as a bad idea.

***
* Peter Good                   Email: [EMAIL PROTECTED] *
* Pete's Internet Services     Sales: [EMAIL PROTECTED] *
* http://www.petesinternet.net Phone: 0401 283 482      *
* Morayfield QLD Australia                              *
***
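Pete's SOLVED message above is the `account required pam_access.so` line plus an edited /etc/security/access.conf; the table in this message is what that file has to express. As an added example (not part of the thread and not pam_access code), a shell emulation of how pam_access reads access.conf, run over a constructed rule set mirroring the table, so a rule file can be checked against a user, their groups and an origin before it is put in front of real logins. Modelled here, as I know pam_access to behave: lines are `permission : users : origins`, the first line whose users and origins fields both match decides, `+` grants, `-` refuses, `ALL` matches anything, `LOCAL` matches an origin without a dot, and no match at all grants. Netgroups, `ALL EXCEPT` and the `(group)` syntax are not modelled; the user and host names are made up.

```sh
#!/bin/sh
# Added example: emulation of pam_access' first-match evaluation of
# /etc/security/access.conf for a given user, group list and origin.
set -eu

# field_matches ITEMS VALUE [GROUPS]: 0 if VALUE (or one of the GROUPS) is
# listed in the space-separated ITEMS, or ITEMS contains ALL / LOCAL (the
# latter matching any VALUE without a dot, i.e. a tty or unqualified host).
field_matches() {
    items=$1 value=$2 groups=${3:-}
    for item in $items; do
        if [ "$item" = ALL ] || [ "$item" = "$value" ]; then return 0; fi
        if [ "$item" = LOCAL ]; then case $value in *.*) ;; *) return 0 ;; esac; fi
        for g in $groups; do
            if [ "$item" = "$g" ]; then return 0; fi
        done
    done
    return 1
}

# access_decide USER GROUPS ORIGIN CONF: print "allow" or "deny".
# GROUPS is a space-separated list of the user's groups; ORIGIN is the tty
# or remote host pam_access would see (e.g. "tty1" or "host.example.test").
access_decide() {
    user=$1 groups=$2 origin=$3 conf=$4
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2)
        origins=$(printf '%s' "$line" | cut -d: -f3)
        if field_matches "$users" "$user" "$groups" && field_matches "$origins" "$origin"; then
            case $perm in +) echo allow ;; -) echo deny ;; esac
            return 0
        fi
    done < "$conf"
    echo allow      # no line matched: pam_access grants
}

# write_access_conf FILE: constructed access.conf mirroring Pete's table.
# Members of access10 and access20 get no interactive login from anywhere;
# everyone else does. FTP is unaffected because ftpd does not run this
# PAM stack, which is what keeps the "ftp: yes" column true.
write_access_conf() {
    cat > "$1" <<'EOF'
# permission : users : origins   (first matching line wins)
- : access10 : ALL
- : access20 : ALL
+ : ALL : ALL
EOF
}

demo() {
    work=$(mktemp -d)
    write_access_conf "$work/access.conf"
    for who in "webuser1 access10" "webuser7 access20" "shelluser shells" "someone users"; do
        set -- $who
        printf '%-10s (group %-8s) -> %s\n' "$1" "$2" \
            "$(access_decide "$1" "$2" host.example.test "$work/access.conf")"
    done
    rm -rf "$work"
}

case "${1:-}" in --demo) demo ;; esac
```

Run as `sh access-check.sh --demo`. Two things the emulation makes visible: the rules only bite for services whose PAM stack actually contains the `account required pam_access.so` line (telnet reaches it through login), and the order matters, since a `+ : ALL : ALL` placed first would grant everyone before the deny lines are ever consulted.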