Date: Thu, 07 Oct 2004 18:29:35 +0100 From: Jim Hatfield <subscriber@insignia.com> To: freebsd-security@freebsd.org Subject: Question restricting ssh access for some users only Message-ID: <cvuam0t1l2u7npnigk6oqrlq288hlu0mgn@4ax.com>
next in thread | raw e-mail | index | archive | help
I've used ssh as a secure telnet up to now but done little else with it. The FreeBSD machines I look after on our internet-facing network all have one account which I connect to for administration. I've set up /etc/hosts.allow on all the machines to only allow ssh from a limited internal network range. Now I want to create a new account on one machine which will be accessible from the Internet as a whole, to be used for tunnelling of SMTP and POP3. I can't predict what the client IP address will be so I will have to remove the hosts.allow restriction. Is there any way I can: - still prevent connections to my admin user from anywhere except a restricted set of addresses - disallow shell access for the new account but still allow tunnelling I think I can solve the first problem by using a new login class and an entry in login.conf, but there may be better ways. I think I can solve the second by giving the new user a shell of /bin/cat (putting that in /etc/shells) but again there may be a neater way. jim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cvuam0t1l2u7npnigk6oqrlq288hlu0mgn>