From owner-freebsd-security  Fri Jan 14  8:19:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.xmission.com (mail.xmission.com [198.60.22.22])
	by hub.freebsd.org (Postfix) with ESMTP id C98391534E
	for <freebsd-security@freebsd.org>; Fri, 14 Jan 2000 08:19:43 -0800 (PST)
	(envelope-from wes@softweyr.com)
Received: from [204.68.178.39] (helo=softweyr.com ident=wes)
	by mail.xmission.com with esmtp (Exim 3.03 #3)
	id 1299Ro-0008TB-00; Fri, 14 Jan 2000 09:19:37 -0700
Message-ID: <387F4D7C.3C72D334@softweyr.com>
Date: Fri, 14 Jan 2000 09:23:24 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Alexey Zelkin <phantom@cris.net>
Cc: David Wolfskill <dhw@whistle.com>, freebsd-security@FreeBSD.ORG,
	ncb@zip.com.au
Subject: Re: Disallow remote login by regular user.
References: <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au> <200001140140.RAA49056@pau-amma.whistle.com> <20000114090718.C16542@scorpion.crimea.ua>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alexey Zelkin wrote:
> 
> hi,
> 
> On Thu, Jan 13, 2000 at 05:40:56PM -0800, David Wolfskill wrote:
> 
> > >Hi folks. I'm trying to ocnfigure my system so that I can disallow a
> > >particular user account from being able to login remotely, and forcing
> > >users to su to the account instead. How may I configure this?
> >
> > >PS. Users may be using anything from telnet to ssh to login to the system,
>                                                   ^^^
> > >so I need something that works across the board.
> >
> > I find that using '*' as the encrypted password appears to do the job
> > for me.
> 
> It will not fix a problem if user if user have ~/.ssh/identity file :)
> 
> Simplest and dirty way to fix such problems is just changing user shell
> to unexistent one or something like /bin/date :)

Or /bin/nologin, or install the no-login package/port and use /usr/local/bin/
nologin, which will log attempts in syslog for you.


-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message