Date: Fri, 28 May 1999 16:18:07 -0700
From: "Jan B. Koum" <jkb@best.com>
To: Nicholas Brawn <ncb@zip.com.au>, Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: legal notice for telnet/etc
Message-ID: <19990528161807.A1393@best.com>
In-Reply-To: <Pine.LNX.4.05.9905282206050.32747-100000@zipper.zip.com.au>; from Nicholas Brawn on Fri, May 28, 1999 at 10:13:09PM +1000
References: <671.927888503@axl.noc.iafrica.com> <Pine.LNX.4.05.9905282206050.32747-100000@zipper.zip.com.au>

On Fri, May 28, 1999 at 10:13:09PM +1000, Nicholas Brawn <ncb@zip.com.au> wrote:
> For the systems I'm looking at, the main entry points into the system will
> be:
> - Telnet
> - FTP
> - SSH
> - SFTP/SCP
>
> Telnet and Ftp banners look relatively simple to implement. But it looks a
> bit tricky with ssh without displaying until the user has logged in.
> Alternatively you could get them to sign a legal document prior to
> granting them access to IT resources which discusses what authority they
> have over what, which is already a recommendation. If it cannot be
> displayed until a user logs in (/etc/motd), nobody's going to die. And if
> you say they may be able to quell such notices via .hushlogin, we can add
> something to /etc/profile to display notices, or even specify a program as
> their shell which does nothing more than displaying the notice before
> dropping them into a shell.
>
> At this stage I'm keen to find out what simple solutions there are
> available. If I need to tinker, so be it. :)
>
> Thanks to everyone for the input,
> Nick

If you need to tinker, then for ssh you can do something similar to
the following:

User goes to https://ssh.yourcompany.com
The page asks username:password and presents the user with an agreement
of usage. If he agrees by clicking on "I Agree", you give him a new
ssh RSA key (ssh-keygen) and while he takes a second to download it,
you place the key in his $HOME/.ssh

The weak part in the picture is username:passwd -- replace it with
something like Cryptocard (www.cryptocard.com -- which happens to support
FreeBSD btw) and you're all set. They actually have an Apache module to
auth against their radiusd server ...

Tinker away Nick. ;)

-- yan
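
The flow described in the reply above, sketched as a shell function the web front end could call once the user has authenticated (an added example, not part of the original message; `issue_key`, `AUDIT_LOG` and the `agree` token are assumed names). It generates the key pair on the server as the message describes, so the private half exists there until the download completes and should be deleted afterwards.

```shell
#!/bin/sh
# Added example: hand out an SSH key only after the usage agreement is accepted.
# issue_key, AUDIT_LOG and the "agree" token are assumptions of this sketch.

AUDIT_LOG="${AUDIT_LOG:-/var/log/ssh-agreement.log}"

# issue_key USER HOME_DIR ACCEPTED OUT_DIR
#   ACCEPTED must be the literal string "agree" (set by the web form handler).
#   Writes the private key to OUT_DIR/id_rsa for a one-time HTTPS download,
#   installs the public half in HOME_DIR/.ssh/authorized_keys and prints the
#   key fingerprint. chown to USER is omitted: the caller runs as that user.
issue_key() {
    user=$1
    home=$2
    accepted=$3
    out=$4
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # No explicit acceptance, no key. Record the refusal for later review.
    if [ "$accepted" != "agree" ]; then
        echo "$now user=$user result=refused" >>"$AUDIT_LOG"
        return 1
    fi

    # sshd (StrictModes) ignores authorized_keys if these are group/world writable.
    mkdir -p "$home/.ssh" "$out" || return 2
    chmod 700 "$home/.ssh" "$out" || return 2

    # Fresh pair per acceptance. -N "" leaves the key without a passphrase;
    # the user should set one after download with "ssh-keygen -p".
    rm -f "$out/id_rsa" "$out/id_rsa.pub"
    ssh-keygen -q -t rsa -b 3072 -N "" -C "$user agreement-key" \
        -f "$out/id_rsa" || return 3

    cat "$out/id_rsa.pub" >>"$home/.ssh/authorized_keys" || return 4
    chmod 600 "$home/.ssh/authorized_keys" || return 4

    # Tie the acceptance to the exact key that was issued.
    fp=$(ssh-keygen -l -f "$out/id_rsa.pub" | awk '{print $2}')
    echo "$now user=$user result=issued fingerprint=$fp" >>"$AUDIT_LOG"
    printf '%s\n' "$fp"
}
```

The audit line pairs each acceptance with a key fingerprint, so a later login with that key can be traced back to a recorded "I Agree".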