On Tue, 7 Nov 2006 15:54:00 -0500
Dave [EMAIL PROTECTED] wrote:
Hello,
I've got a FreeBSD box that i have a user on who needs special
console access. I've given him access to what is required, but i do
not want him to be able to log in from the internet via ssh, telnet,
or even a serial terminal if possible. Basically if this user isn't
right in front of the box i don't want him accessing it. Is it
possible to lock a user out to this extent, i know with ssh i can do
an AllowGroup option and not put him in the group that would work?
Thanks.
You should be able to achieve this via the ttys.allow paramter that is
provided by login.conf(5).
Either
local:\
:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
:tc=default:
or
local:\
:ttys.allow=local:\
:tc=default:
with /etc/ttys modified to sth like this:
ttyv0 /usr/libexec/getty Pc cons25 on group=local secure
# Virtual terminals
ttyv1 /usr/libexec/getty Pc cons25 on group=local secure
ttyv2 /usr/libexec/getty Pc cons25 on group=local secure
ttyv3 /usr/libexec/getty Pc cons25 on group=local secure
ttyv4 /usr/libexec/getty Pc cons25 on group=local secure
ttyv5 /usr/libexec/getty Pc cons25 on secure
ttyv6 /usr/libexec/getty Pc cons25 on secure
ttyv7 /usr/libexec/getty Pc cons25 on secure
Then switch his login class to local and the policy should be enforced
system wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd wide.
:times.allow=MoTuWeThFr0800-1600:\
might also come handy, allowing access only during the week from 8am to
4pm :)
Joerg
--
| /\ ASCII ribbon | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
| XHTML in email |.the next sentence is true. |
| / \ and news | .the previous sentence was a lie.|
signature.asc
Description: PGP signature
