Re: user setup question
On Sun, Mar 14, 2004 at 10:58:05AM -0500, Louis LeBlanc wrote:
> On 03/13/04 04:29 PM, Lars Eighner sat at the `puter and typed:
> > On Sat, 13 Mar 2004, Louis LeBlanc wrote:
> > [..]
>
> That is exactly what I'm trying to do. I did find the login.access file, but it didn't seem to work.
>
> I set the user up as follows:
> -:userid:ALL EXCEPT LOCAL
>
> which I understand is the correct syntax. Problem is how to get it to take effect without a reboot. The manpage doesn't say anything about restarting or HUPing a process - like you would inetd after changing inetd.conf.
>
> A quick Google revealed that sshd doesn't honor the login.access by default. I set UseLogin to 'yes' in /etc/ssh/sshd_config, HUPed sshd, and it seems to work fine.
>
> Seems to me this should be cause for concern. Why would sshd ignore login.access by default? Shouldn't all shell access methods honor any form of access restriction by default?

Because not all OSes have login.access; openssh runs on many platforms like linux which has no login.access. Does openbsd have a login.access? Since that is its native os then that gives even more reason. And, for security reasons, openssh uses its own login procedure and doesn't trust the system's login command. By adding UseLogin true, it will use the system login command which, of course, obeys all the system policies like login.allow.

> Thanks.
> Lou
> --
> Louis LeBlanc [EMAIL PROTECTED]
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://www.keyslapper.org
>
> Recursion n.:
> See Recursion.
> -- Random Shack Data Processing Dictionary

--
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
Re: user setup question
On 03/13/04 04:29 PM, Lars Eighner sat at the `puter and typed:
> On Sat, 13 Mar 2004, Louis LeBlanc wrote:
> > I have an odd question.
> >
> > I need to add a user to a system, but I don't want this user to be able to log in from outside - meaning only from the console itself.
> >
> > I know root is set up this way, but I'm not sure how to do this.
> >
> > Any pointers?
> >
> > TIA
> > Lou
>
> see login.access file in /etc, also man 5 login.access
>
> You can restrict the user to logging in only from the console, or to logging in only locally. I suspect you really do not mean to restrict the user to logging in only at the console, but that you mean the user should be able to log in to any local terminal.

That is exactly what I'm trying to do. I did find the login.access file, but it didn't seem to work.

I set the user up as follows:
-:userid:ALL EXCEPT LOCAL

which I understand is the correct syntax. Problem is how to get it to take effect without a reboot. The manpage doesn't say anything about restarting or HUPing a process - like you would inetd after changing inetd.conf.

A quick Google revealed that sshd doesn't honor the login.access by default. I set UseLogin to 'yes' in /etc/ssh/sshd_config, HUPed sshd, and it seems to work fine.

Seems to me this should be cause for concern. Why would sshd ignore login.access by default? Shouldn't all shell access methods honor any form of access restriction by default?

Thanks.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Recursion n.:
See Recursion.
-- Random Shack Data Processing Dictionary
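The rule Lou posts, -:userid:ALL EXCEPT LOCAL, and Lars's distinction between "console only" and "local only" can be checked against a small evaluator of login.access(5) semantics. This is an added example written for this thread, not code from any poster or from FreeBSD; it assumes the documented matching rules (first matching entry wins, LOCAL matches any origin without a dot, no match means permit) and resolves group names from a dict supplied by the caller rather than the system group database.

```python
# Added example, not code from the thread: an evaluator for login.access(5)
# rules with the first-match semantics login(1) applies. It handles "+"/"-",
# ALL, ALL EXCEPT, LOCAL, tty names, host names, domain suffixes (".x.org")
# and network prefixes ("10.0."). Groups come from a dict (an assumption).
# Constructed sample table: the poster's rule plus two more for contrast.
SAMPLE_LOGIN_ACCESS = """
# permission : users : origins
-:userid:ALL EXCEPT LOCAL
-:ALL EXCEPT wheel:console
+:ALL:ALL
"""


def _origin_matches(token, origin):
    """Match one origin token against the tty name or remote host/address."""
    if token == "ALL":
        return True
    if token == "LOCAL":  # any origin without a dot: ttys, unqualified hosts
        return "." not in origin
    if token.startswith("."):  # domain suffix
        return origin.endswith(token)
    if token.endswith("."):  # network prefix such as "10.0."
        return origin.startswith(token)
    return token == origin


def _field_matches(field, value, match):
    """True if value is listed in the field and not in its EXCEPT part."""
    head, _, tail = field.strip().partition(" EXCEPT ")

    def hit(tokens):
        return any(match(t, value) for t in tokens.split())
    return hit(head) and not hit(tail)


def login_allowed(table, user, origin, groups=None):
    """True if login(1) would admit user from origin under this table.
    The first matching entry decides; no match means access is granted."""
    groups = groups or {}

    def user_match(token, name):
        return token in ("ALL", name) or name in groups.get(token, ())
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _field_matches(users, user, user_match) and _field_matches(
                origins, origin, _origin_matches):
            return perm == "+"
    return True  # documented default: permit when nothing matches
```

As the thread points out, this table is only consulted by the system login path; an sshd that runs its own login procedure never reads it unless it is configured to hand the session to login(1).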
Re: user setup question
On Sat, 13 Mar 2004, Louis LeBlanc wrote:
> I have an odd question.
>
> I need to add a user to a system, but I don't want this user to be able to log in from outside - meaning only from the console itself.
>
> I know root is set up this way, but I'm not sure how to do this.
>
> Any pointers?
>
> TIA
> Lou

see login.access file in /etc, also man 5 login.access

You can restrict the user to logging in only from the console, or to logging in only locally. I suspect you really do not mean to restrict the user to logging in only at the console, but that you mean the user should be able to log in to any local terminal.

--
Lars Eighner [EMAIL PROTECTED] -finger for geek code-
http://www.io.com/~eighner/index.html
8800 N IH35 APT 1191 AUSTIN TX 78753-5266
Re: user setup question
I did something like this using a pam module which looked at the tty that the user was coming in on and decided whether or not to authorize the login. In my case I was also interested in not allowing users to login from the Internet but still be allowed to login from the internal network.

Try a man -k pam and follow the pages ...

--Chuck

At 10:04 AM 3/13/2004, Louis LeBlanc wrote:

I have an odd question.

I need to add a user to a system, but I don't want this user to be able to log in from outside - meaning only from the console itself.

I know root is set up this way, but I'm not sure how to do this.

Any pointers?

TIA
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Mediocrity finds safety in standardization.
-- Frederick Crane
Re: user setup question.
> I need to add a user to a system, but I don't want this user to be able to log in from outside - meaning only from the console itself.
>
> I know root is set up this way, but I'm not sure how to do this.

Even for the root account, I think it depends on the configuration of the software used to connect from the outside (ssh, etc.).

> Any pointers?

I don't know if it is the best way to achieve this, but setting the 'ttys.allow' capability of login.conf(5) to 'ttyv0' may help.

1/ Don't set it to 'console'... or be prepared to boot on LiveCD to correct the situation :)
2/ It may be better not to use the 'default' class.

--
-jpeg.