Date: Wed, 8 Nov 2006 06:24:26 +0100
From: Joerg Pernfuss <elessar@bsdforen.de>
To: <freebsd-questions@freebsd.org>
Cc: Dave <dmehler26@woh.rr.com>
Subject: Re: denying a user access from the internet
Message-ID: <20061108062426.4e0d0532@loki.starkstrom.lan>
In-Reply-To: <000301c702ae$da839510$0200a8c0@satellite>
References: <000301c702ae$da839510$0200a8c0@satellite>
On Tue, 7 Nov 2006 15:54:00 -0500
"Dave" <dmehler26@woh.rr.com> wrote:

> Hello,
> I've got a FreeBSD box that i have a user on who needs special
> console access. I've given him access to what is required, but i do
> not want him to be able to log in from the internet via ssh, telnet,
> or even a serial terminal if possible. Basically if this user isn't
> right in front of the box i don't want him accessing it. Is it
> possible to lock a user out to this extent, i know with ssh i can do
> an AllowGroup option and not put him in the group that would work?
> Thanks.

You should be able to achieve this via the ttys.allow parameter that
is provided by login.conf(5). Either

local:\
	:ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
	:tc=default:

or

local:\
	:ttys.allow=local:\
	:tc=default:

with /etc/ttys modified to sth like this:

ttyv0	"/usr/libexec/getty Pc"		cons25	on  group=local secure
# Virtual terminals
ttyv1	"/usr/libexec/getty Pc"		cons25	on  group=local secure
ttyv2	"/usr/libexec/getty Pc"		cons25	on  group=local secure
ttyv3	"/usr/libexec/getty Pc"		cons25	on  group=local secure
ttyv4	"/usr/libexec/getty Pc"		cons25	on  group=local secure
ttyv5	"/usr/libexec/getty Pc"		cons25	on  secure
ttyv6	"/usr/libexec/getty Pc"		cons25	on  secure
ttyv7	"/usr/libexec/getty Pc"		cons25	on  secure

Then switch his login class to local and the policy should be enforced
system wide. The AllowGroups and AllowUsers switches in sshd_config(5)
work fine, but only sshd wide.

	:times.allow=MoTuWeThFr0800-1600:\

might also come handy, allowing access only during the week from 8am
to 4pm :)

Joerg

-- 
| /"\ ASCII ribbon      | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against  | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X  HTML in email     | .the next sentence is true.             |
| / \ and news          | .the previous sentence was a lie.       |
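The ttys.allow matching Joerg describes, as an added example that is not part of the thread: a POSIX shell script that reads a login.conf entry and an /etc/ttys file (constructed sample copies, not the live system files) and reports which ttys a login class may log in on, so an admin can check the policy before switching a user's class. It assumes the flat entry form shown above and does not follow tc= inheritance.

```sh
#!/bin/sh
# Added example, not from the thread: list the ttys a login class may use by joining
# ttys.allow from its login.conf entry with the group= tags in /etc/ttys (tc= not followed).
set -eu
# Print the ttys.allow value of class $2 from the login.conf file $1.
ttys_allow_for_class() {
    awk -v cls="$2" '
        /^[A-Za-z0-9_]+:/ { incls = (substr($0, 1, index($0, ":") - 1) == cls) }
        incls && match($0, /ttys\.allow=[^:]*/) { print substr($0, RSTART + 11, RLENGTH - 11); exit }
    ' "$1"
}
# Print "tty group" for each entry of the ttys file $1.
# ttys(5) puts an entry without a group= field into group "none".
tty_groups() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         { grp = "none"; for (i = 2; i <= NF; i++) if ($i ~ /^group=/) grp = substr($i, 7)
           print $1, grp }' "$1"
}
# List the ttys in $2 that class $3 from $1 may use: the tty's name or its group must be in ttys.allow.
allowed_ttys() {
    allow=$(ttys_allow_for_class "$1" "$3")
    if [ -z "$allow" ]; then
        echo "class $3 sets no ttys.allow: every tty is permitted" >&2
        return 1
    fi
    tty_groups "$2" | while read -r tty grp; do
        case ",$allow," in *",$tty,"*|*",$grp,"*) echo "$tty" ;; esac
    done
}
# Constructed sample files mirroring the thread's two variants; ttyu0 is a serial
# line and ttyp0 a network pseudo-tty (sshd/telnetd), which neither class allows.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/login.conf" <<'EOF'
local:\
    :ttys.allow=ttyv0,ttyv1,ttyv2,ttyv3,ttyv4:\
    :tc=default:
localgrp:\
    :ttys.allow=local:\
    :tc=default:
EOF
cat > "$DEMO/ttys" <<'EOF'
ttyv0   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  group=local secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyu0   "/usr/libexec/getty std.9600"   dialup  on  secure
ttyp0   none                            network
EOF
allowed_ttys "$DEMO/login.conf" "$DEMO/ttys" local   # prints ttyv0 and ttyv1
```

Run it against copies of the real files to see the effect of a ttys.allow change before committing it with cap_mkdb(1) and pw usermod -L.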