From owner-freebsd-questions@FreeBSD.ORG  Wed Oct  8 20:23:04 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 503441065692
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Oct 2008 20:23:04 +0000 (UTC)
	(envelope-from lists@rhavenn.net)
Received: from smtp144.sat.emailsrvr.com (smtp144.sat.emailsrvr.com
	[66.216.121.144])
	by mx1.freebsd.org (Postfix) with ESMTP id 2D6578FC0C
	for <freebsd-questions@freebsd.org>;
	Wed,  8 Oct 2008 20:23:03 +0000 (UTC)
	(envelope-from lists@rhavenn.net)
Received: from relay4.relay.sat.mlsrvr.com (localhost [127.0.0.1])
	by relay4.relay.sat.mlsrvr.com (SMTP Server) with ESMTP id 1D00127B406; 
	Wed,  8 Oct 2008 16:23:02 -0400 (EDT)
Received: by relay4.relay.sat.mlsrvr.com (Authenticated sender:
	rhavenn-AT-rhavenn.net) with ESMTP id 4551F27B3F3; 
	Wed,  8 Oct 2008 16:23:01 -0400 (EDT)
From: Henrik Hudson <lists@rhavenn.net>
To: freebsd-questions@freebsd.org
Date: Wed, 8 Oct 2008 12:22:57 -0800
User-Agent: KMail/1.10.1 (FreeBSD/7.1-PRERELEASE; KDE/4.1.1; i386; ; )
References: <200810081942.m98JgvvH006080@dc.cis.okstate.edu>
In-Reply-To: <200810081942.m98JgvvH006080@dc.cis.okstate.edu>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200810081222.58010.lists@rhavenn.net>
Cc: Martin McCormick <martin@dc.cis.okstate.edu>
Subject: Re: Can an Account be Locked out for ssh but allow su?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: lists@rhavenn.net
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2008 20:23:04 -0000

On Wednesday 08 October 2008, Martin McCormick <martin@dc.cis.okstate.edu> 
sent a missive stating: 
> 	Is there a way to configure an account such that one can
> su - this-account from another login on the system, but not ssh
> directly in to it from the outside, similar to the way root
> works if you set the terminal type in /etc/ttys to insecure?

Check the sshd_config man page for AllowUsers and DenyUsers directives. THis 
should do what you want.

Henrik
-- 
Henrik Hudson
lists@rhavenn.net
------------------------------
"God, root, what is difference?" Pitr; UF (http://www.userfriendly.org/)