Date: Sat, 16 Oct 1999 20:58:59 -0600
From: Wes Peters <wes@softweyr.com>
To: Sue Blake <sue@welearn.com.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allowing telnet from locked terminal
Message-ID: <38093B73.31647DB3@softweyr.com>
References: <19991017070610.E12725@welearn.com.au>

Sue Blake wrote:
>
> I use a machine in a fairly secure area. When I'm away, if someone
> rushes in to respond to a crisis they will want to use my machine to
> telnet (and maybe ping) to another.
>
> That's fine, but I don't want it to be easy for them to see/touch my
> other work which they're not interested in anyway. The people are
> trustworthy but will be unfamiliar with the machine and could press
> random buttons when working in panic mode. Periods away include coffee
> breaks, overnight, and weekends.

First, you need a "watchdog" program that can lock(1) the terminal if it
is idle for more than a few minutes, so passers by won't be able to
interact with your forgotten login session. I didn't find one in my
2-minute search of my 3.1-R system, but that doesn't mean one doesn't
exist. There was one for Missed'em V floating about the net in the late
80's, called "untamo". Happy hunting.

> Is there some quick way to remove convenient access to all but one
> virtual console whenever I leave the room?
>
> How safe and practical would it be to set up a user who is only
> allowed to execute telnet and ping, or better whose shell is a script
> offering a dialog(1) menu, and leave that user always logged in?

You could perhaps just have init launch the dialog on ttyv0 and not
provide a login account to casual users. Tell your users to hit Alt-F1
if they don't see what they expect when they walk up to the system.

A compiled, suid, chroot program would be an ideal candidate for the
program to be run by init; it could simply start the dialog(1) script.
Let me know if you need such a program; I'll be happy to throw it
together for you.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                              Softweyr LLC
wes@softweyr.com                                http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
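
The launcher described in the reply above, as an added example that is not
Wes Peters' program and not part of the original message: started as root by
init, it confines itself with chroot(2), gives up root in the correct order,
and only then starts the menu. The jail directory, menu path and uid/gid are
assumptions, and the jail is assumed to already contain the menu script, its
interpreter and the tools it calls.

```c
#define _DEFAULT_SOURCE 1        /* expose chroot()/setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR  "/var/kiosk"   /* assumed: jail holding the menu and its tools */
#define MENU_PATH "/bin/menu"    /* assumed: dialog(1) menu script, path inside the jail */
#define KIOSK_UID ((uid_t)65534) /* assumed: unprivileged account for the menu */
#define KIOSK_GID ((gid_t)65534)

/* Refuse configurations that would leave the menu unconfined or running as root. */
int jail_args_ok(const char *dir, uid_t uid, gid_t gid)
{
    return dir != NULL && dir[0] == '/' && dir[1] != '\0' && uid != 0 && gid != 0;
}

/* Confine the process to dir, then give up root for good. Returns 0 on success. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (!jail_args_ok(dir, uid, gid))
        return -1;
    /* chroot() alone leaves the working directory outside the jail. */
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: groups first, then gid, then uid. After setuid()
     * the process no longer has the right to change the other two. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* If root can be regained, the drop did not take effect. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (enter_jail(JAIL_DIR, KIOSK_UID, KIOSK_GID) != 0) {
        perror("kiosk: cannot enter jail");
        return 1;
    }
    execl(MENU_PATH, "menu", (char *)NULL);
    perror("kiosk: cannot start menu"); /* only reached if execl() failed */
    return 1;
}
```

Because the menu runs without root and the jail holds nothing beyond what the
menu needs, a walk-up user who gets past the menu still has no shell and no
access to the owner's files.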