From: Louis LeBlanc <leblanc@keyslapper.org>
To: Lars Eighner
cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: user setup question
Date: Sun, 14 Mar 2004 10:58:05 -0500
Message-ID: <20040314155805.GB49058@keyslapper.org>
In-Reply-To: <20040313162259.W74681@goodwill.io.com>
References: <20040313180447.GA25158@keyslapper.org> <20040313162259.W74681@goodwill.io.com>
User-Agent: Mutt/1.5.6i
List-Id: User questions

On 03/13/04 04:29 PM, Lars Eighner sat at the `puter and typed:
> On Sat, 13 Mar 2004, Louis LeBlanc wrote:
>
> > I have an odd question.
> >
> > I need to add a user to a system, but I don't want this user to be
> > able to log in from outside - meaning only from the console itself.
> >
> > I know root is set up this way, but I'm not sure how to do this.
> >
> > Any pointers?
> >
> > TIA
> > Lou
>
> see login.access file in /etc, also man 5 login.access
>
> You can restrict the user to logging in only from the console,
> or to logging in only locally. I suspect you really do not mean
> to restrict the user to logging in only at the console, but that
> you mean the user should be able to log in to any local terminal.

That is exactly what I'm trying to do. I did find the login.access
file, but it didn't seem to work. I set the user up as follows:

-:userid:ALL EXCEPT LOCAL

which I understand is the correct syntax. Problem is how to get it to
take effect without a reboot. The manpage doesn't say anything about
restarting or HUPing a process - like you would inetd after changing
inetd.conf.

A quick Google revealed that sshd doesn't honor the login.access by
default. I set UseLogin to 'yes' in /etc/ssh/sshd_config, HUPed sshd,
and it seems to work fine.

Seems to me this should be cause for concern. Why would sshd ignore
login.access by default? Shouldn't all shell access methods honor any
form of access restriction by default?

Thanks.
Lou
-- 
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Recursion n.: See Recursion.
 -- Random Shack Data Processing Dictionary
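To make concrete why the rule `-:userid:ALL EXCEPT LOCAL` quoted in the message lets the user in at a tty but not over the network, here is a small evaluator of login.access(5) semantics as the manpage describes them: one `permission:users:origins` rule per line, the first matching line decides, access is granted when nothing matches, `LOCAL` matches any origin without a dot in it, and `EXCEPT` carves exceptions out of a list. This is an added example written for this page, not FreeBSD's own login_access.c and not code from the thread. The group lookup is simplified to a caller-supplied mapping (an assumption), and the rule file, user names and origins are constructed for the demonstration.

```python
"""Evaluate login.access(5) style rules.  Added example, written from the
manpage semantics; this is not FreeBSD's login_access.c.
"""


def tokens(field):
    """Split a users/origins field on the separators login.access accepts
    (space, tab, comma)."""
    return field.replace("\t", " ").replace(",", " ").split()


def from_match(tok, origin):
    """Match one origins token against a tty name or a remote host/address.
    LOCAL is any origin containing no '.', i.e. a tty rather than a host."""
    tok_l, origin_l = tok.lower(), origin.lower()
    if tok_l == "all":
        return True
    if tok_l == "local":
        return "." not in origin
    if tok.startswith("."):          # .example.com: domain suffix
        return origin_l.endswith(tok_l)
    if tok.endswith("."):            # 10.0.: network prefix
        return origin_l.startswith(tok_l)
    return tok_l == origin_l


def user_match(tok, user, groups):
    """Match one users token against a login name or one of its groups.
    `groups` maps user -> iterable of group names (assumption: a real
    implementation would consult the group database)."""
    if tok.lower() == "all":
        return True
    return tok == user or tok in groups.get(user, ())


def list_match(toks, item, match_fn):
    """Scan tokens up to the first EXCEPT.  A hit is cancelled if the item
    also matches the EXCEPT list, which may itself contain a nested EXCEPT."""
    i = 0
    matched = False
    while i < len(toks) and toks[i].lower() != "except":
        if match_fn(toks[i], item):
            matched = True
            break
        i += 1
    if not matched:
        return False
    ex = i + 1                        # locate the EXCEPT that follows the hit
    while ex < len(toks) and toks[ex].lower() != "except":
        ex += 1
    if ex >= len(toks):
        return True
    return not list_match(toks[ex + 1:], item, match_fn)


def login_access(rules_text, user, origin, groups=None):
    """Return True when the login is permitted.  First matching rule wins;
    a file with no matching rule grants access."""
    groups = groups or {}
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed rule on line {lineno}: {raw!r}")
        perm, users, origins = parts
        users_hit = list_match(tokens(users), user,
                               lambda t, u: user_match(t, u, groups))
        if users_hit and list_match(tokens(origins), origin, from_match):
            return perm == "+"
    return True


# Constructed rule file: the rule from the message plus a second one that
# keeps everyone but group wheel off the console.
RULES = """\
# login.access(5) rules (constructed for this example)
-:userid:ALL EXCEPT LOCAL
-:ALL EXCEPT wheel:console
"""

if __name__ == "__main__":
    for user, origin in [("userid", "ttyv0"), ("userid", "203.0.113.5"),
                         ("alice", "host.example.com"), ("alice", "console")]:
        verdict = "allow" if login_access(RULES, user, origin) else "deny"
        print(f"{user:8} from {origin:18} -> {verdict}")
```

Running it shows `userid` allowed from `ttyv0` and denied from `203.0.113.5`, which is the behaviour the message is after, and a plain `-:userid:ALL` rule would deny the console as well. The evaluator only answers what the rules say; which programs actually consult the file at login time (login(1), or sshd once `UseLogin` is set as the message describes) is a separate question that the rule syntax cannot settle.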