From: Wes Peters
Organization: Softweyr LLC
Date: Sat, 16 Oct 1999 20:58:59 -0600
To: Sue Blake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allowing telnet from locked terminal
Message-ID: <38093B73.31647DB3@softweyr.com>
References: <19991017070610.E12725@welearn.com.au>

Sue Blake wrote:
>
> I use a machine in a fairly secure area. When I'm away, if someone
> rushes in to respond to a crisis they will want to use my machine to
> telnet (and maybe ping) to another.
>
> That's fine, but I don't want it to be easy for them to see/touch my
> other work which they're not interested in anyway. The people are
> trustworthy but will be unfamiliar with the machine and could press
> random buttons when working in panic mode. Periods away include coffee
> breaks, overnight, and weekends.

First, you need a "watchdog" program that can lock(1) the terminal if it
is idle for more than a few minutes, so passers-by won't be able to
interact with your forgotten login session. I didn't find one in my
2-minute search of my 3.1-R system, but that doesn't mean one doesn't
exist. There was one for Missed'em V floating about the net in the late
80's, called "untamo". Happy hunting.

> Is there some quick way to remove convenient access to all but one
> virtual console whenever I leave the room?
>
> How safe and practical would it be to set up a user who is only
> allowed to execute telnet and ping, or better whose shell is a script
> offering a dialog(1) menu, and leave that user always logged in?

You could perhaps just have init launch the dialog on ttyv0 and not
provide a login account to casual users. Tell your users to hit Alt-F1
if they don't see what they expect when they walk up to the system.

A compiled, suid, chroot program would be an ideal candidate for the
program to be run by init; it could simply start the dialog(1) script.
Let me know if you need such a program; I'll be happy to throw it
together for you.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters, Softweyr LLC
wes@softweyr.com, http://softweyr.com/
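The menu-only login shell Sue describes, as an added example that is not part of the original thread or of anything Wes offered to write: a Bourne script offering exactly telnet and ping through dialog(1), with the host argument checked before either tool is run so the user cannot smuggle options or shell metacharacters through the prompt. The install path /usr/local/sbin/crisismenu is an assumed name.

```shell
#!/bin/sh
# Constructed example: restricted menu used as the login shell of a
# dedicated "crisis" user (or started by init on ttyv0). Assumed to be
# installed as /usr/local/sbin/crisismenu and listed in /etc/shells.

# Accept only hostname/IPv4 characters and reject a leading "-", so the
# value can never be taken as an option or interpreted by the shell.
valid_host() {
    case "$1" in
        "" | -* | *[!A-Za-z0-9.-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Map a menu choice plus host to the one fixed command it may run.
# Prints the command line on success; fails for anything not whitelisted.
cmd_for() {
    choice=$1 host=$2
    valid_host "$host" || return 1
    case "$choice" in
        telnet) printf '%s\n' "telnet $host" ;;
        ping)   printf '%s\n' "ping -c 5 $host" ;;
        *)      return 1 ;;
    esac
}

main_menu() {
    PATH=/bin:/usr/bin; export PATH     # fixed PATH, nothing user-controlled
    trap '' INT QUIT TSTP               # ^C, ^\ and ^Z must not expose a prompt
    while :; do
        # dialog(1) writes its result to stderr; swap it onto stdout here.
        choice=$(dialog --menu "Crisis console" 10 40 3 \
                   telnet "Connect to a host" ping "Check reachability" \
                   quit "Log out" 2>&1 >/dev/tty) || exit 0
        [ "$choice" = quit ] && exit 0
        host=$(dialog --inputbox "Host name or IPv4 address" 8 40 \
                   2>&1 >/dev/tty) || continue
        if cmd=$(cmd_for "$choice" "$host"); then
            clear; $cmd                 # word-splits only validated tokens
        else
            dialog --msgbox "Invalid host name" 6 30
        fi
    done
}

# Start the menu only when invoked as a (login) shell under its own name.
case "$0" in -crisismenu|*/crisismenu) main_menu ;; esac
```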