From owner-freebsd-security Mon Mar 6 11:20:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81])
	by hub.freebsd.org (Postfix) with ESMTP id 2054A37BFA4
	for ; Mon, 6 Mar 2000 11:20:33 -0800 (PST)
	(envelope-from logix@foobar.franken.de)
Received: (from logix@localhost)
	by foobar.franken.de (8.8.8/8.8.5) id UAA25081;
	Mon, 6 Mar 2000 20:20:36 +0100 (CET)
Message-ID: <20000306202036.A24878@foobar.franken.de>
Date: Mon, 6 Mar 2000 20:20:36 +0100
From: Harold Gutch
To: Alex Michlin , freebsd-security@FreeBSD.ORG
Subject: Re: Host Secured Logon
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Alex Michlin on Mon, Mar 06, 2000 at 01:15:06PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 06, 2000 at 01:15:06PM -0500, Alex Michlin wrote:
> Hey all!
>
> Is there an easy way to secure shell accounts with the hostname of the
> user (ie, only someone from *.anyisp.com can logon to shell1, and
> *.myisp.com can logon to any shell)?

(I'm assuming "shell" and "shell1" are two different machines, not
two shells [as in tcsh, bash, ksh etc.])

Hostnames are in the hands of the DNS-administrator for this
specific network. I'd rather set up limits based on IP-addresses.
Both can be done using TCP-wrappers ("man 5 hosts_access") using
/etc/hosts.allow and /etc/hosts.deny.

You will only be able to tighten up your _own_ services like
this; a user will always be able to log in from a "trusted" host,
install his own sshd on an unprivileged port and then log in from
anywhere to _his_ sshd.

> Also, is there any good resource where I can find which settings do what
> in the /etc/login.conf?

"man login.conf"?

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
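Added example, not part of the original message: a simplified model of the hosts_access(5) decision order for the IP-based limits suggested above, run over a constructed /etc/hosts.allow and /etc/hosts.deny pair. The daemon name sshd, the documentation-range networks and all function names are assumptions; only ALL, net/mask and address-prefix client patterns are modelled, and hostname patterns are left out on purpose.

```python
import ipaddress

# Constructed sample rules in hosts_access(5) syntax (assumed values:
# daemon name and documentation-range networks are not from the post).
HOSTS_ALLOW = """
# shell1: logins only from the ISP's address block
sshd : 192.0.2.0/255.255.255.0
"""
HOSTS_DENY = """
sshd : ALL
"""

def parse(text):
    """Return [(daemon_list, client_list)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":")[:2]  # IPv4-only simplification
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # n.n.n.n/m.m.m.m form
        return addr in ipaddress.ip_network(pattern)
    if pattern.endswith("."):               # address prefix, e.g. "192.0.2."
        return str(addr).startswith(pattern)
    return False                            # hostname patterns not modelled

def matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def decide(daemon, ip):
    """Allow file first, then deny file; no match in either means grant."""
    addr = ipaddress.ip_address(ip)
    if matches(parse(HOSTS_ALLOW), daemon, addr):
        return "allow"
    if matches(parse(HOSTS_DENY), daemon, addr):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.0.2.17"), ("sshd", "198.51.100.9"),
                       ("telnetd", "198.51.100.9")]:
        print(daemon, ip, decide(daemon, ip))
```

The third case shows the fall-through: a wrapped daemon that neither file names is granted, so a deny rule has to cover every login service that is meant to be restricted.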