From owner-freebsd-security Fri Jan 14 10:35:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from nu.binary.net (nu.binary.net [12.13.120.25]) by hub.freebsd.org (Postfix) with ESMTP id BC18915713 for ; Fri, 14 Jan 2000 10:32:31 -0800 (PST) (envelope-from nathan@rtfm.net) Received: from matrix.binary.net (root@matrix.binary.net [12.13.120.2]) by nu.binary.net (8.9.1a/8.9.0) with ESMTP id MAA29350; Fri, 14 Jan 2000 12:32:23 -0600 (CST) Received: (from nathan@localhost) by matrix.binary.net (8.9.3/8.9.1) id MAA19443; Fri, 14 Jan 2000 12:32:22 -0600 (CST) Date: Fri, 14 Jan 2000 13:32:22 -0500 From: Nathan Dorfman To: cjclark@home.com Cc: Nicholas Brawn , freebsd-security@FreeBSD.ORG Subject: Re: Disallow remote login by regular user. Message-ID: <20000114133222.A18079@rtfm.net> References: <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com>; from Crist J. Clark on Thu, Jan 13, 2000 at 08:45:20PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jan 13, 2000 at 08:45:20PM -0500, Crist J. Clark wrote: > Nicholas Brawn wrote, > > Hi folks. I'm trying to ocnfigure my system so that I can disallow a > > particular user account from being able to login remotely, and forcing > > users to su to the account instead. How may I configure this? > > > > PS. Users may be using anything from telnet to ssh to login to the system, > > so I need something that works across the board. > > For anything that is going to call login(1), you can use > /etc/login.access(5). That pretty much eliminates stuff like telnet, > rlogin, and console logins. For SSH, look at the 'AllowUsers' and > 'DenyUsers' keywords for the sshd_conf file on the sshd(8) > manpage. And of course, if ftp(1) is an issue, there is /etc/ftpusers > as described in ftpd(8). You can make sshd use login(1). Set UseLogin to yes in sshd_config. This is (at least sounds like) a good idea just so that login.access(5) and login.conf(5) have their effect. > None of these options, however, should mess with su(1). > -- > Crist J. Clark cjclark@home.com -- Nathan Dorfman The statements and opinions in my Unix Admin @ Frontline Communications public posts are mine, not FCC's. "The light at the end of the tunnel is the headlight of an approaching train." --/usr/games/fortune To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message