From: Wes Peters (Softweyr LLC)
Date: Tue, 19 Oct 1999 00:17:02 -0600
To: Mike Nowlin
Cc: Sue Blake, freebsd-security@FreeBSD.ORG
Subject: Re: allowing telnet from locked terminal

Mike Nowlin wrote:
>
> > That's fine, but I don't want it to be easy for them to see/touch my
> > other work which they're not interested in anyway. The people are
> > trustworthy but will be unfamiliar with the machine and could press
> > random buttons when working in panic mode. Periods away include coffee
> > breaks, overnight, and weekends.
>
> I had a similar problem.... The machines that people needed to get to
> were all running Linux, so this program was written for that, but I
> imagine it could be ported over to FreeBSD pretty easily -- I'll take a
> look.
>
> Basically, it keeps track of the console idle times -- if they get to be
> more than ten minutes, or if the person types "lockup" from the shell, it
> will do the following:
>
> 1) Make a note of the current VC and (if applicable) the user logged in
> on it
> 2) Switch to VC 10 (no getty normally running on that one)

This part blows up if you don't have 10 virtual consoles configured.

> 3) Send the IOCTL to the kernel that disables VC switching
> 4) Print "Locked - Password: ", turn off echo, and get a password
> 5) If the PW matched either root's or the person from step #1, re-enable
> VC switching and switch back to the VC from step #1, else scan /etc/passwd
> for a matching one -- if it found one, keep VC switching off, but give a
> one-time login prompt on VC 10.
>
> It has some problems in the total logic of it (there are some "features"
> that I never bothered to fix), but in the physically restricted
> environment that these machines are in, it allows people to get in who
> need to.....

Programmatically su'ing to the user and running 'lock -p -n' on the idle
session will do admirably. If the idle session is running an X server,
substitute xlock.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/
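An added example, not from this thread or from either poster, of the approach Wes suggests in place of Mike's VC-switching program: measure each console's idle time from its tty atime and, past ten minutes, su to the session owner and run FreeBSD's lock -p -n there. The sample sessions are constructed, and feeding lock the idle session's tty via redirection is an assumption of this example.

```python
import os
import shlex
import subprocess
import time

IDLE_LIMIT = 10 * 60  # ten minutes, the threshold Mike's program used


def tty_idle_seconds(tty_path, now=None):
    """The kernel touches a tty's atime on every read, so now - atime is
    the time since the user last typed there (what w(1) shows as IDLE)."""
    now = time.time() if now is None else now
    return max(0.0, now - os.stat(tty_path).st_atime)


def idle_sessions(sessions, now, limit=IDLE_LIMIT):
    """sessions: (user, tty_path, last_input_epoch) tuples, as built from
    utmp plus tty_idle_seconds(). Returns the (user, tty) pairs idle >= limit."""
    return [(u, t) for u, t, last in sessions if now - last >= limit]


def lock_command(user, tty_path):
    """su to the session owner and run lock(1): -p accepts that user's login
    password, -n disables the timeout. FreeBSD su hands the arguments after
    the login name to the user's shell, so `-c cmd` runs cmd (-m keeps env).
    Assumption: lock gets the idle session's tty as stdin/stdout."""
    cmd = "lock -p -n < {0} > {0} 2>&1".format(shlex.quote(tty_path))
    return ["su", "-m", user, "-c", cmd]


def lock_idle(sessions, now=None, dry_run=True):
    """Return the commands for every idle session; run them (as root) unless dry_run."""
    now = time.time() if now is None else now
    issued = []
    for user, tty_path in idle_sessions(sessions, now):
        argv = lock_command(user, tty_path)
        issued.append(argv)
        if not dry_run:
            subprocess.Popen(argv, stdin=subprocess.DEVNULL)
    return issued


if __name__ == "__main__":
    # Constructed sample sessions: (user, tty, epoch of last keystroke).
    T = 1_000_000
    SAMPLE = [("sue", "/dev/ttyv0", T - 15 * 60),   # 15 min idle: lock
              ("mike", "/dev/ttyv1", T - 2 * 60)]   # 2 min idle: leave
    for argv in lock_idle(SAMPLE, now=T):
        print(" ".join(shlex.quote(a) for a in argv))
```

For real sessions, build the tuples from utmp entries and tty_idle_seconds() on each tty; the X-server case Wes mentions would substitute xlock in lock_command.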