From: Nick Kraal
To: freebsd-isp@freebsd.org
Date: Mon, 17 Nov 2003 11:09:48 +0800
Subject: Login restrictions
Message-id: <00a201c3acb8$42c87820$53e173cb@arc.net.my>

I am trying to create shell accounts on a FreeBSD box for guests to access our network as an entry point. I need to restrict these guests so they do not roam freely, get too itchy and install stuff and play around. All they need to do is to ssh to the box to then telnet into our corporate network, that is all. ACLs on the corporate router permit access only from this box.

So how do we do this:

1. Jail - how-to's on this are not that clear and seem to be centric around BIND installations.
2. chroot - again how-to's for this are poor and recommend jail instead - go to point #1.
3. restricted shell - still finding this, somewhat like the nologin/noshell shell.

Much appreciated if there are some pointers to good how-to's. I am more partial to a chroot environment being slightly simpler to implement.

Thanks in advance.

-nick/