From owner-freebsd-security Mon Oct 18 22:42:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jason.argos.org (a13b146.neo.rr.com [204.210.197.146])
    by hub.freebsd.org (Postfix) with ESMTP id F177415E40
    for ; Mon, 18 Oct 1999 22:42:09 -0700 (PDT)
    (envelope-from mike@argos.org)
Received: from localhost (mike@localhost)
    by jason.argos.org (8.9.1/8.9.1) with ESMTP id BAA02766;
    Tue, 19 Oct 1999 01:41:11 -0400
Date: Tue, 19 Oct 1999 01:41:11 -0400 (EDT)
From: Mike Nowlin
To: Sue Blake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allowing telnet from locked terminal
In-Reply-To: <19991017070610.E12725@welearn.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> That's fine, but I don't want it to be easy for them to see/touch my
> other work which they're not interested in anyway. The people are
> trustworthy but will be unfamiliar with the machine and could press
> random buttons when working in panic mode. Periods away include coffee
> breaks, overnight, and weekends.

I had a similar problem.... The machines that people needed to get to
were all running Linux, so this program was written for that, but I
imagine it could be ported over to FreeBSD pretty easily -- I'll take a
look.
Basically, it keeps track of the console idle times -- if they get to be
more than ten minutes, or if the person types "lockup" from the shell, it
will do the following:

1) Make a note of the current VC and (if applicable) the user logged in
   on it
2) Switch to VC 10 (no getty normally running on that one)
3) Send the IOCTL to the kernel that disables VC switching
4) Print "Locked - Password: ", turn off echo, and get a password
5) If the PW matched either root's or the person from step #1, re-enable
   VC switching and switch back to the VC from step #1, else scan
   /etc/passwd for a matching one -- if it found one, keep VC switching
   off, but give a one-time login prompt on VC 10.

It has some problems in the total logic of it (there are some "features"
that I never bothered to fix), but in the physically restricted
environment that these machines are in, it allows people to get in who
need to.....

--mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message