From owner-freebsd-security Sun Jan 16 2:39:52 2000
Date: Sun, 16 Jan 2000 21:40:58 +1100
From: aunty
To: freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000116214058.D14280@comcen.com.au>
References: <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com> <20000114133222.A18079@rtfm.net>
In-Reply-To: <20000114133222.A18079@rtfm.net>

On Fri, Jan 14, 2000 at 01:32:22PM -0500, Nathan Dorfman wrote:
> On Thu, Jan 13, 2000 at 08:45:20PM -0500, Crist J. Clark wrote:
> > Nicholas Brawn wrote,
> > > Hi folks. I'm trying to configure my system so that I can disallow a
> > > particular user account from being able to login remotely, and force
> > > users to su to the account instead. How may I configure this?
> > >
> > > PS. Users may be using anything from telnet to ssh to login to the system,
> > > so I need something that works across the board.
> >
> > For anything that is going to call login(1), you can use
> > /etc/login.access(5). That pretty much eliminates stuff like telnet,
> > rlogin, and console logins. For SSH, look at the 'AllowUsers' and
> > 'DenyUsers' keywords for the sshd_conf file on the sshd(8)
> > manpage. And of course, if ftp(1) is an issue, there is /etc/ftpusers
> > as described in ftpd(8).
>
> You can make sshd use login(1). Set UseLogin to yes in sshd_config. This
> is (at least sounds like) a good idea just so that login.access(5) and
> login.conf(5) have their effect.

I have a slightly similar requirement: an authentication server which must
carry another machine's password files, but where no logins of any kind are
allowed, except root on console and one user from one IP.

Telnet and ftp are turned off, ssh is heavily restricted when active, and
login.access is there as a backup in case someone "improves" inetd.conf from
the console, a real possibility. (Yeah, I know, but moving faeces to higher
ground is the reality I have to live with sometimes.)

Shells aren't much help. Of course I can't alter the password file, and
someone might change installed shells or /etc/shells in the future without
realising the security implications. I've seen this happen in the past.

The ftpusers file isn't much help in this case. I'd have to enter and
maintain thousands of usernames or hundreds of groups. All I can think of as
an additional ftp precaution is a cron job to find and delete ftpd.

I'm also thinking about having a permanent /var/run/nologin file.

Have I missed any other good tricks, particularly for ftp?

--
Regards,
-*Sue*-
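Sue's "root on the console and one user from one address, nobody else" policy written as a login.access(5)-style ruleset, plus a small POSIX sh evaluator that applies the file's first-match semantics so an admin can check what login(1) would decide for a given user and origin before relying on it. This is an added example, not code from the thread: the ruleset, the user names and the address are constructed, and the evaluator handles login names, ALL, LOCAL, ".domain" suffixes and "list EXCEPT list" but does no group lookups.

```shell
# Evaluate a login.access(5)-style ruleset for a (user, origin) pair the way
# login(1) does: the first rule whose users AND origins fields both match decides;
# if no rule matches, access is granted. Simplified: no group-name lookups.

# Constructed sample ruleset (not from any real system): root on the console,
# one user from one address, nobody else from anywhere.
ACCESS_RULES='# permission:users:origins
+:root:console ttyv0
+:sue:192.0.2.10
-:ALL:ALL'

# list_matches LIST VALUE -> 0 if VALUE matches any token of the blank-separated LIST
list_matches() {
  list=$1; value=$2
  for tok in $list; do
    case $tok in
      ALL) return 0 ;;                                        # matches anything
      LOCAL) case $value in *.*) ;; *) return 0 ;; esac ;;    # no dot: tty/short name
      .*) case $value in *"$tok") return 0 ;; esac ;;         # domain suffix
      "$value") return 0 ;;                                   # exact name, tty, address
    esac
  done
  return 1
}

# field_matches FIELD VALUE -> like list_matches, but honours "list_1 EXCEPT list_2"
field_matches() {
  field=$1; value=$2
  case $field in
    *" EXCEPT "*)
      inc=${field%% EXCEPT *}; exc=${field#* EXCEPT }
      list_matches "$inc" "$value" && ! list_matches "$exc" "$value" ;;
    *) list_matches "$field" "$value" ;;
  esac
}

# login_allowed USER ORIGIN -> 0 (permitted) or 1 (refused)
login_allowed() {
  user=$1; origin=$2
  while IFS=: read -r perm users origins; do
    case $perm in '#'*|'') continue ;; esac                   # comments, blank lines
    if field_matches "$users" "$user" && field_matches "$origins" "$origin"; then
      [ "$perm" = "+" ] && return 0
      return 1
    fi
  done <<EOF
$ACCESS_RULES
EOF
  return 0                                                    # nothing matched: allowed
}
```

As the thread points out, this file is only consulted by programs that go through login(1): sshd without UseLogin, and ftpd, never see it, which is why the AllowUsers/DenyUsers and /etc/ftpusers controls are still needed alongside it.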