From owner-freebsd-questions@FreeBSD.ORG Wed Oct 8 19:42:58 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AE6481065690 for ; Wed, 8 Oct 2008 19:42:58 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu) Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.103.93]) by mx1.freebsd.org (Postfix) with ESMTP id 6A5FA8FC08 for ; Wed, 8 Oct 2008 19:42:58 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu) Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.14.2/8.13.8) with ESMTP id m98JgvvH006080 for ; Wed, 8 Oct 2008 14:42:57 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu) Message-Id: <200810081942.m98JgvvH006080@dc.cis.okstate.edu> To: freebsd-questions@freebsd.org Date: Wed, 08 Oct 2008 14:42:57 -0500 From: Martin McCormick Subject: Can an Account be Locked out for ssh but allow su? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Oct 2008 19:42:58 -0000 Is there a way to configure an account such that one can su - this-account from another login on the system, but not ssh directly in to it from the outside, similar to the way root works if you set the terminal type in /etc/ttys to insecure? The idea is to make a common place for group projects but know who logged in and su'd in to this common space. We don't care if they logged in as themselves via ssh but we do care if they log in as this common user because we then don't know who accidentally deleted all the files or whatever accident one can imagine. Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group