> 1. you can create a local account and disable shell access by setting
> the login shell to /bin/false or whatever. that way it is impossible
> to login as that user, even with the password. not exactly what you
> wanted but it's close enough for a lot of cases.
If the default of the box is permit-only-a-select-few, rather than deny-only-a-select-few (like a mail server for a company), you may want to use PAM. Create a file, say, /etc/security/local_login_access.conf:

    +:admin1:ALL
    +:admin2:ALL
    +:root:LOCAL .ourcompany.com
    -:ALL:ALL

Then, add something like:

    account required pam_access.so accessfile=/etc/security/local_login_access.conf

to /etc/pam.d/sshd

That lets two admins in from anywhere, root in from console or from inside the company, and denies everyone else.

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
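Added example, not from the post above and not pam_access's own code: a small Python model of how pam_access walks a file like the one in the reply (first matching line wins, and a file with no matching line permits the login, which is why it ends with -:ALL:ALL), so the rule set can be checked for the cases it is meant to allow and deny before it is installed. It is a simplification of the real module (no group matching, no address/netmask matching, no NOLOGIN); the ACCESS_CONF text and the user and host names in it are constructed from the post.

```python
"""Minimal model of pam_access rule evaluation: first matching line wins."""

# Constructed copy of the access file from the post, plus a comment line.
ACCESS_CONF = """\
# permission : users : origins
+:admin1:ALL
+:admin2:ALL
+:root:LOCAL .ourcompany.com
-:ALL:ALL
"""


def _item_matches(pattern: str, value: str, is_origin: bool) -> bool:
    """Match one user or origin token the way access.conf(5) describes it."""
    if pattern == "ALL":
        return True
    if is_origin:
        if pattern == "LOCAL":          # LOCAL: origin with no dot (tty, console)
            return "." not in value
        if pattern.startswith("."):     # .domain matches any host under it
            return value.endswith(pattern)
    return pattern == value


def _field_matches(field: str, value: str, is_origin: bool) -> bool:
    """A field is a space-separated list, optionally 'list EXCEPT list'."""
    include, _, exclude = field.partition(" EXCEPT ")
    ok = any(_item_matches(p, value, is_origin) for p in include.split())
    if ok and exclude:
        ok = not any(_item_matches(p, value, is_origin) for p in exclude.split())
    return ok


def parse_rules(text: str) -> list:
    """Return (permission, users, origins) tuples; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def decide(user: str, origin: str, rules: list) -> bool:
    """True means the login is permitted. The first rule matching both the
    user and the origin decides; if nothing matches, pam_access permits."""
    for perm, users, origins in rules:
        if _field_matches(users, user, False) and _field_matches(origins, origin, True):
            return perm == "+"
    return True
```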
