From: Joerg Pernfuss
Date: Wed, 8 Nov 2006 06:24:26 +0100
To: freebsd-questions@freebsd.org
Cc: Dave
Subject: Re: denying a user access from the internet
On Tue, 7 Nov 2006 15:54:00 -0500 "Dave" wrote:

> Hello,
> I've got a FreeBSD box that I have a user on who needs special
> console access. I've given him access to what is required, but I do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically if this user isn't
> right in front of the box I don't want him accessing it. Is it
> possible to lock a user out to this extent? I know with ssh I can do
> an AllowGroup option and not put him in the group; that would work?
> Thanks.

You should be able to achieve this via the ttys.allow parameter that is
provided by login.conf(5). Either

local:\
	:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
	:tc=default:

or

local:\
	:ttys.allow=local:\
	:tc=default:

with /etc/ttys modified to something like this:

ttyv0 "/usr/libexec/getty Pc" cons25 on group=local secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv2 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv3 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv4 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyv6 "/usr/libexec/getty Pc" cons25 on secure
ttyv7 "/usr/libexec/getty Pc" cons25 on secure

Then switch his login class to local and the policy should be enforced
system-wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd-wide.

	:times.allow=MoTuWeThFr0800-1600:\

might also come in handy, allowing access only during the week from 8am
to 4pm :)

Joerg
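As an added example (not part of Joerg's mail and not FreeBSD's own tooling), a small POSIX sh script that resolves which ttys a login class is allowed on, by reading the ttys.allow capability from a login.conf-style file and expanding tty group names through the group= field of a ttys(5)-style file; it runs over constructed sample files, and the function names and temporary file paths are assumptions:

```shell
# Added example (not from the mail): resolve which ttys a login class may use
# from ttys.allow in login.conf and group= in ttys(5). Sample files are constructed.
# Print the ttys.allow value of class $2 in file $1 (continuation lines
# ending in a backslash are joined into one record first).
class_ttys_allow() {
    awk -v cls="$2" '
        { line = $0; sub(/\\[ \t]*$/, "", line); rec = rec line }
        !/\\[ \t]*$/ {
            gsub(/[ \t]/, "", rec)
            n = split(rec, f, ":")
            if (f[1] == cls)
                for (i = 2; i <= n; i++)
                    if (sub(/^ttys\.allow=/, "", f[i])) print f[i]
            rec = ""
        }' "$1"
}
# Print the tty names in ttys-style file $1 that carry group=$2.
ttys_in_group() {
    awk -v grp="$2" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if ($i == "group=" grp) print $1 }' "$1"
}
# Expand ttys.allow of class $3 to tty names: an entry naming a tty listed
# in $1 passes through, any other entry is taken to be a tty group name.
allowed_ttys() {
    list=$(class_ttys_allow "$2" "$3")
    [ -n "$list" ] || { echo "class $3 has no ttys.allow" >&2; return 1; }
    echo "$list" | tr ',' '\n' | while read -r entry; do
        if awk -v t="$entry" '$1 == t { ok = 1 } END { exit !ok }' "$1"; then
            echo "$entry"
        else
            ttys_in_group "$1" "$entry"
        fi
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat >"$SAMPLE_DIR/ttys" <<'EOF'
ttyv0 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv1 "/usr/libexec/getty Pc" cons25 on group=local secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyp0 none network
EOF
cat >"$SAMPLE_DIR/login.conf" <<'EOF'
console:\
    :ttys.allow=ttyv0,ttyv5:\
    :tc=default:
local:\
    :ttys.allow=local:\
    :tc=default:
EOF
allowed_ttys "$SAMPLE_DIR/ttys" "$SAMPLE_DIR/login.conf" local   # ttyv0 ttyv1
```

Run it against the real /etc/ttys and /etc/login.conf (after cap_mkdb) to confirm the class grants exactly the console ttys you intended and nothing from the network pseudo-ttys.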