It seems that I was not clear enough in my first post of the
summary, so now I have tried to make it clearer by writing some comments on each
solution. There are also more solutions.
Thanks to:
Wim Olivier <wim@na.co.za>
"Todd A. Fiedler" <tfiedler@yahoo.com>
"Marco Greene" <cmgreene@netcom.ca>
Dave McFerren <davem@china.solve.net>
Dennis Martens <MARTENSD@health.qld.gov.au>
Bruce Bowler <bbowler@bigelow.org>
"Kai O'Yang" <Kai.Oyang@fcit.monash.edu.au>
Kevin.Sheehan@uniq.com.au (Kevin Sheehan)
hmlaw@cse.cuhk.edu.hk (Law Hon Man)
Original question:
I need to be able to limit one user (the user is not root) to
login only from console, not from telnet, using rexec or some other
like that. Is there any way of doing this?
---------------------------------------------------------------------
1) From: Wim Olivier <wim@na.co.za>
Put a script testing for /dev/console in his .profile. If yes,
then do nothing, if ptty then exit. (this is about 2 lines
long).
Comment: The .profile of the user must be owned by some other
user (root), and the user must have only read access
permissions to the file.
if [ "`tty`" != '/dev/console' ]   # quoted: `tty` prints "not a tty" when there is no terminal
then
echo "Access denied"
exit 1
fi
2) From: Kevin.Sheehan@uniq.com.au (Kevin Sheehan)
this will only work if the user does not modify it. You can
also do it in /etc/profile:
if [ "$LOGNAME" = luser -a `tty` = /dev/console ] ; then
echo Access Denied
fi
to make it unchangeable by the user.
Comment: It seems like 1 but you could deny access to more users
from this same file (/etc/profile). BTW, it should be:
if [ "$LOGNAME" = luser -a "`tty`" != /dev/console ] ; then   # != (not =), and exit so the login really ends
echo "Access Denied"
exit 1
fi
3) From: "Kai O'Yang" <Kai.Oyang@fcit.monash.edu.au>
Have you considered idled? You can configure it to kick out
anyone that is not from console, even with time of day control,
pretty flexible.
You can search for idled in most search engines. The author
surname is Crider, I think.
Comment: I just downloaded it but I haven't tried it. You can look
at:
http://www.darkwing.com/idled/README.html
4) From: "Todd A. Fiedler" <tfiedler@yahoo.com>
The only way I can think of doing this is to write a script that
acts as a wrapper to a shell. You could then have the script
check to see what device the user is logging in on, and if it is
not /dev/console, you could have it issue a warning message and
disconnect. Even better, you could write a small C program to do
this, it would be faster and probably more secure.
You would then need to place the script (or program) into the
passwd file as the user's shell (item 7 in the list).
Solaris seems to only support root console restriction.
Comment: Writing a program could be the better solution for your
own needs, if you have the time.
5) From: hmlaw@cse.cuhk.edu.hk (Law Hon Man)
Hi, I think you should take a look at PAM on Solaris 2.6. I
found a PAM module for Linux called list-file (pam_listfile)
which provides a way to deny or allow services based on an
arbitrary file (just like /etc/ftpusers for ftp). Please refer
to The System Admin Guide in Linux-PAM.
Comment: I haven't tried it.
6) From: "Marco Greene" <cmgreene@netcom.ca>
You can always disable telnet, ftp, rlogin, ... in /etc/rpc and
/etc/services
Comment: Very restrictive.
7) From: Dave McFerren <davem@china.solve.net>
Try putting tcp wrappers on the daemons and make sure that his
login name is not allowed.
Comment: It looks at the user name of the one who is trying to
connect, but does not take into account the account that
person is trying to log in to.
8) From: Dennis Martens <MARTENSD@health.qld.gov.au>
In the file /etc/default/login, put the entry:
CONSOLE=/dev/console
Comment: This only works for root.
--------------------------------------------------
Francisco Javier Arias Correa
NIC-Mexico, ITESM campus Monterrey
http://www.nic.mx
E-mail: farias@nic.mx
Tel. +52 8 328 43 73, fax +52 8 328 42 08
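Added example, not from any of the replies above: solutions 1 and 2 generalised into a root-owned file that /etc/profile sources, so the check can cover several accounts and cannot be edited away by the restricted user. The file name /etc/console_policy.sh, the function names and the account list are assumptions; the argument is always quoted because `tty` prints "not a tty" when there is no terminal at all.

```shell
#!/bin/sh
# Console-only login policy (added example, not from the original thread).
# Install as /etc/console_policy.sh, owned by root, mode 0644, and add to
# /etc/profile (also root-owned):
#     . /etc/console_policy.sh; enforce_console_policy
# File name, function names and the account list below are assumptions.

# Constructed list of accounts that may log in only at the console.
CONSOLE_ONLY_USERS="luser operator"

# console_login_allowed USER TTY
# Returns 0 if USER may continue on TTY, 1 if the login must be refused.
# TTY is whatever `tty` printed; with no terminal (rexec, rsh -n) that is
# the string "not a tty", so the caller must pass it quoted.
console_login_allowed() {
    user=$1
    line=$2
    for restricted in $CONSOLE_ONLY_USERS; do
        if [ "$user" = "$restricted" ]; then
            [ "$line" = "/dev/console" ] && return 0
            return 1
        fi
    done
    # Not a restricted account: no constraint.
    return 0
}

# Refuse the login shell when the policy says so.  Because this runs from
# /etc/profile, the user cannot remove it the way a check in ~/.profile
# could be removed; "exit 1" ends the login shell before a prompt appears.
enforce_console_policy() {
    if ! console_login_allowed "$LOGNAME" "`tty 2>/dev/null`"; then
        echo "Access denied: $LOGNAME may log in only from the console" >&2
        exit 1
    fi
}
```

Note that /etc/profile is read only by a login shell: a command sent with rsh or rexec runs `sh -c command` and never sources it, so this check alone does not stop remote command execution; that is what solution 4 (a wrapper shell in /etc/passwd) or solution 7 (tcp wrappers on the daemons) covers.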
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT