Date: Fri, 14 Jan 2000 02:46:11 -0500 (EST)
From: Mike Nowlin
To: Nicholas Brawn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.

> Hi folks. I'm trying to configure my system so that I can disallow a
> particular user account from being able to login remotely, and forcing
> users to su to the account instead. How may I configure this?

Be careful of your definition of "remotely". I have several users that need to telnet into a machine to trigger a program to run, but they're only allowed to telnet in from certain machines on the local network, and we don't want them triggering it from home.

/etc/login.conf with a few extra class entries can be your friend. With a bit of careful planning, locking down certain users (or opening it up to certain users) is fairly easy. Check the "hosts.{allow|deny}" and "ttys.{allow|deny}" entries in the man page for login.conf.

--mike
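A sketch of the login.conf class entries the reply points to, added here as an example and not part of the original message. The class names, the 192.168.1.* network and the `someuser` account are assumptions; login.conf(5) spells the host capabilities `host.allow` and `host.deny`, and they take effect only in programs that consult the login class, such as login(1).

```conf
# /etc/login.conf (constructed example, not from the original message)

# Assumed class "lanonly": remote logins are accepted only when the
# connecting host matches the wildcard list; other hosts are refused.
lanonly:\
	:host.allow=192.168.1.*:\
	:tc=default:

# Assumed class "noremote": every remote host is refused, so the account
# can be reached only by su from another account.
noremote:\
	:host.deny=*:\
	:tc=default:

# After editing, rebuild the capability database and assign the class:
#   cap_mkdb /etc/login.conf
#   pw usermod someuser -L noremote
```

Check the result by attempting a login from an allowed and a disallowed host before relying on it, since a service that does not evaluate login classes will ignore these entries.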