From owner-freebsd-security Sun Jan 16 9:55:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id 0E7C114FC2 for ; Sun, 16 Jan 2000 09:55:46 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 17986 invoked from network); 16 Jan 2000 12:57:54 -0000
Received: from hydrant.intranova.net (user21945@209.201.95.10) by blacklisted.intranova.net with SMTP; 16 Jan 2000 12:57:54 -0000
Date: Sun, 16 Jan 2000 12:53:06 -0500 (EST)
From: Omachonu Ogali
To: Wes Peters
Cc: Alexey Zelkin, David Wolfskill, freebsd-security@FreeBSD.ORG, ncb@zip.com.au
Subject: Re: Disallow remote login by regular user.
In-Reply-To: <387F4D7C.3C72D334@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That isn't even needed, just set the shell to a nonexistent shell. So it won't work with ftp (ftp requires a valid shell in /etc/shells), ssh (ssh follows the same suit as ftp), and telnet will probably let them login and immediately log them out because it's going to return an error after executing the shell.

Omachonu Ogali
Intranova Networking Group

On Fri, 14 Jan 2000, Wes Peters wrote:

> Alexey Zelkin wrote:
> >
> > hi,
> >
> > On Thu, Jan 13, 2000 at 05:40:56PM -0800, David Wolfskill wrote:
> >
> > > >Hi folks. I'm trying to configure my system so that I can disallow a
> > > >particular user account from being able to login remotely, and forcing
> > > >users to su to the account instead. How may I configure this?
> > >
> > > >PS. Users may be using anything from telnet to ssh to login to the system,
> >                                                      ^^^
> > > >so I need something that works across the board.
> > >
> > > I find that using '*' as the encrypted password appears to do the job
> > > for me.
> >
> > It will not fix a problem if the user has a ~/.ssh/identity file :)
> >
> > Simplest and dirty way to fix such problems is just changing user shell
> > to a nonexistent one or something like /bin/date :)
>
> Or /bin/nologin, or install the no-login package/port and use /usr/local/bin/
> nologin, which will log attempts in syslog for you.
>
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                      Softweyr LLC
> wes@softweyr.com                            http://softweyr.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
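An added audit script, not from anyone in this thread, that checks the two account properties the replies argue about for each passwd(5)-style entry: whether the password field is locked with '*' and whether the shell is listed in /etc/shells. The shell list and the sample entries are constructed; the verdict column encodes the thread's reasoning (an unlisted shell stops ftp and ssh logins, while a locked password alone still admits a user holding ~/.ssh/identity).

```shell
#!/bin/sh
# Constructed stand-in for /etc/shells (not read from the running system).
SHELLS_SAMPLE='/bin/sh
/bin/csh
/bin/tcsh'

# shell_listed SHELL SHELLS_LIST: exit 0 if SHELL appears verbatim in the list.
shell_listed() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# classify_entry PASSWD_LINE SHELLS_LIST
# Takes a 7-field passwd(5) line (name:pw:uid:gid:gecos:home:shell). On FreeBSD
# the real hash lives in /etc/master.passwd, so feed lines from there as root.
# Prints name:password-state:shell-state:verdict.
classify_entry() {
    _name=$(printf '%s' "$1" | cut -d: -f1)
    _pw=$(printf '%s' "$1" | cut -d: -f2)
    _shell=$(printf '%s' "$1" | cut -d: -f7)

    case $_pw in
        '')        _pwstate=empty-password ;;
        '*'*|'!'*) _pwstate=password-locked ;;   # '*' is the locking value from the thread
        *)         _pwstate=password-set ;;
    esac

    if shell_listed "$_shell" "$2"; then
        _shstate=shell-in-etc-shells
    else
        _shstate=shell-not-in-etc-shells
    fi

    # Verdict follows the thread: an unlisted shell blocks ftp/ssh logins; a
    # locked password with a listed shell still admits ~/.ssh/identity users.
    if [ "$_shstate" = shell-not-in-etc-shells ]; then
        _verdict=remote-login-blocked
    elif [ "$_pwstate" = password-locked ]; then
        _verdict=key-auth-possible
    else
        _verdict=password-login-possible
    fi
    printf '%s:%s:%s:%s\n' "$_name" "$_pwstate" "$_shstate" "$_verdict"
}

# audit_passwd_lines SHELLS_LIST  (reads passwd-style lines on stdin, one verdict each)
audit_passwd_lines() {
    while IFS= read -r _line; do
        classify_entry "$_line" "$1"
    done
}
```

Run it as `audit_passwd_lines "$(cat /etc/shells)" < /etc/master.passwd` to review every account; entries reporting key-auth-possible are the ones a '*' password alone does not protect.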