Date: Thu, 10 Jul 2003 01:58:13 +0100
From: lewiz <purple@lewiz.info>
To: Charley <bsd@agileemmy.com>
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Restricting logins by terminal
Message-ID: <20030710005813.GE15523@lewiz.org>
In-Reply-To: <20030709171406.M49360@agileemmy.com>
References: <20030709171406.M49360@agileemmy.com>
On Wed, Jul 09, 2003 at 01:14:06PM -0400, Charley wrote:
> I would like to restrict user login based on the terminal where the login
> request originates. Ideally, I want Root, and ONLY Root, to be able to log
> in at the console. The system is already running SSHD, so I want to be able

That's more than possible. Take a look at /etc/login.access and
/etc/login.conf. In login.access a simple:

    # taken from the examples near the end (which actually use groups)
    -:ALL EXCEPT root:console

should do the trick.

> to check logins via SSH. Root should not be allowed to log in from a remote

That's all defined in your sshd config (by default root cannot log in via
sshd). If you're really paranoid, the second example in login.access:

    # instead of considering root, the ``wheel'' group might be better.
    -:root:ALL EXCEPT LOCAL

> terminal and SU should be disabled for any remote terminal. Is there

By default, only members of the wheel group can su to root.

> something in the ports collection that I've missed that will do this? Maybe
> I'm just blind and haven't yet seen something like this in the manual.

Well, I don't know exactly what you want to do... but ``su'' is setuid
root, so you could unset that and use the ``sudo'' command. Take a look
at security/sudo in the ports collection. That'd be quite contrived
though.

Best wishes,
-lewiz.

P.S. Some of my examples might not work -- I didn't test them and I'm
shocking for getting things to work first time.

-- 
"Why was I born with such contemporaries?" -- Oscar Wilde
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-
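Added example, not part of lewiz's message or of FreeBSD's own code: a simplified Python model of how login.access(5) evaluates the two rules discussed above, where the first matching line decides and a login that matches no line is allowed. The `console` origin on the first rule, the sample user names and the host name are assumptions; group lookup and host/network matching are left out.

```python
# Simplified model of login.access(5) rule matching; constructed for illustration.
# Assumptions: no group lookup, no host/domain/network matching.

RULES = """\
# only root may log in on the console (origin 'console' is an assumption)
-:ALL EXCEPT root:console
# root may not log in from anything that is not local
-:root:ALL EXCEPT LOCAL
"""

def list_match(tokens, item, is_origin):
    """Match item against a token list, honouring ALL, LOCAL and EXCEPT."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    hit = any(
        t == "ALL" or t == item or (is_origin and t == "LOCAL" and "." not in item)
        for t in head)
    return hit and not (tail and list_match(tail, item, is_origin))

def parse(text):
    """Return (permission, users, origins) tuples; reject malformed lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {n}: need permission:users:origins, got {line!r}")
        rules.append((fields[0], fields[1].replace(",", " ").split(),
                      fields[2].replace(",", " ").split()))
    return rules

def login_allowed(rules, user, origin):
    """First matching rule decides; no match means the login is allowed."""
    for perm, users, origins in rules:
        if list_match(users, user, False) and list_match(origins, origin, True):
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse(RULES)
    for user, origin in [("root", "console"), ("charley", "console"),
                         ("charley", "ttyp0"), ("root", "host.example.org")]:
        print(user, origin, "allowed" if login_allowed(rules, user, origin) else "denied")
```

A rule with only two fields, such as one missing its origins list, is rejected by `parse` instead of being guessed at, which makes that mistake visible before the file is relied on.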
