
Methods for refusing remote login to user accounts

If there are any questions or comments, please direct them to walt@erudition.net. The newest copy of this HowTo can always be retrieved from www.freebsd-howto.com. All rights for the reproduction of this document are reserved.


Summary

 This mini HowTo will discuss several methods for refusing remote login to user accounts.

    1.   Introduction
    2.   Two General Uses
     2.1.  Denying Both Remote and Local Logins
     2.2.  Denying Only Remote Logins
      2.2.1. Method One: login.access
      2.2.2. Method Two: Login Classes
    3.   Appendix

 1. Introduction

 Refusing remote logins has a number of uses. If, for instance, a user's account has expired and one wants to deny login access until the account has been renewed, denying remote logins will be necessary. If one wants protected accounts which nobody should be able to reach remotely, this too will be necessary; and if one creates a new daemon entry, denying remote logins is imperative.

 2. Two General Uses

 There are two general approaches to denying remote logins. One is to deny only remote logins while still allowing local logins via login(1) or su(1), as for special protected users. The other is to deny both remote and local logins, as for daemon entries in /etc/passwd.

 2.1. Denying Both Remote and Local Logins

 This is relatively simple to accomplish. If one adds a new daemon entry to /etc/passwd, for instance, and wishes nobody to be able to log into it by any means, two things must be true of the entry: the password field must contain '*', and the login shell must be /sbin/nologin. The entry can be added with vipw(8) or with an account tool such as adduser(8) or pw(8); whichever is used, check the resulting line in master.passwd(5).

 With vipw(8), put '*' in the password field and /sbin/nologin in the last field, which holds the login shell. '*' in the password field tells the system that the account has no password and is not a regular login account: no password hash can ever compare equal to it. An empty password field means something quite different, namely that the account can be entered with no password at all, so "no password" must never be implemented that way.

 Both halves matter. '*' only guarantees that password authentication fails; a service that authenticates some other way (sshd(8) with a public key, for instance) would still start the account's shell. nologin(8) is what refuses the session however the caller authenticated: it politely reports that the account is not available and exits.

 All login failures to accounts with nologin(8) as their shell are logged in /var/log/messages.
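The two conditions above ('*' in the password field, nologin as the shell) are easy to audit in bulk. The following is an added example, not part of the original HowTo and not FreeBSD's own code: a POSIX sh/awk script that reads a passwd(5)- or master.passwd(5)-format file and reports, for each account, which of the two barriers is actually in place. The sample file it writes, the placeholder hashes and the state names are constructed for the example; /sbin/nologin and /usr/sbin/nologin are the two shell paths it treats as nologin.

```shell
#!/bin/sh
# Added example: audit which accounts in a passwd/master.passwd file are
# really closed to logins.  Not part of the original HowTo.
# Works on /etc/passwd (7 fields) and /etc/master.passwd (10 fields):
# field 2 is the password, the last field is the login shell.

# account_state <file> <login name>
#   open             empty password field: no password needed at all
#   disabled         '*' password AND nologin shell (what section 2.1 asks for)
#   password-locked  '*' password but a real shell: password auth fails, yet a
#                    service that authenticates another way (ssh keys) still
#                    gets a shell
#   shell-blocked    nologin shell but a live password hash
#   login            ordinary account
account_state() {
    awk -F: -v user="$2" '
    $1 == user {
        pw = $2; shell = $NF
        nologin = (shell == "/sbin/nologin" || shell == "/usr/sbin/nologin")
        if (pw == "")                  print "open"
        else if (pw == "*" && nologin) print "disabled"
        else if (pw == "*")            print "password-locked"
        else if (nologin)              print "shell-blocked"
        else                           print "login"
        exit
    }' "$1"
}

# audit_passwd <file>: one line per account, flagging anything that is
# neither fully disabled nor an ordinary login account.
audit_passwd() {
    awk -F: 'NF == 7 || NF == 10 { print $1 }' "$1" | while read -r name; do
        state=$(account_state "$1" "$name")
        case $state in
            disabled|login) printf '%-10s %s\n' "$name" "$state" ;;
            *)              printf '%-10s %s  <-- check this entry\n' "$name" "$state" ;;
        esac
    done
}

# Constructed sample master.passwd; the hashes are placeholders, not real.
SAMPLE=${TMPDIR:-/tmp}/sample.master.passwd.$$
cat > "$SAMPLE" <<'EOF'
root:$6$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
backup:*:1001:1001::0:0:Backup agent:/home/backup:/bin/sh
guest::1002:1002::0:0:Guest account:/home/guest:/bin/sh
walt:$6$placeholderhash:1003:1003:noremote:0:0:Walt:/home/walt:/bin/sh
EOF

audit_passwd "$SAMPLE"
```

Run it against /etc/master.passwd on the host being checked; every line flagged "check this entry" is an account that is only half closed (or, in the "open" case, not closed at all).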

 2.2. Denying Only Remote Logins

 2.2.1. Method One: login.access

 Denying only remote logins can be accomplished in more than one fashion. The most convenient is the login.access(5) facility in FreeBSD. It is a simple but robust method for controlling login access to user accounts. To refuse remote login access to an account, add a line of the following form to /etc/login.access:

 -:<user>:ALL EXCEPT console

 Replace <user> with the user who should be denied remote login access. With this line in place, any login attempt to that account from anywhere but the console is refused with a "Permission denied." message, and a line of the following form is logged to /var/log/messages:

 <host> login: LOGIN <user> REFUSED (ACCESS) FROM <remote host> ON TTY <ttyp>

 For information on more complex login.access(5) usage, please check out Login.Access-HOWTO at www.freebsd-howto.com.
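To see how a set of login.access rules will decide before they go onto a production machine, the following added example (not part of the original HowTo, and not FreeBSD's own login code) re-implements the matching rules documented in login.access(5) in sh/awk: the first line whose user list and origin list both match decides, "ALL EXCEPT" lists, "LOCAL" for origins without a dot, ".domain" suffixes and "net." prefixes. The rule file, host names and account names below are constructed for the example; group names in the user field are not resolved, which a real login(1) does do.

```shell
#!/bin/sh
# Added example (not part of the original HowTo, not FreeBSD's own code):
# evaluate a login.access(5) rule file for a (user, origin) pair the way
# login(1) does: the first line whose user list and origin list both match
# decides, "+" allows and "-" denies; with no matching line access is allowed.
#
# login_access_check <user> <origin> <login.access file>  -> allow | deny
#   <origin> is the remote host name or address for a networked login, or
#   the tty name (console, ttyv0, ...) for a local one.
login_access_check() {
    awk -v user="$1" -v origin="$2" '
    # Does one token of a list match the item?  mode is "user" or "from".
    function item_match(tok, item, mode,   tl, il) {
        if (tok == "ALL") return 1
        if (mode == "user") return tok == item      # group names not resolved here
        if (tok == "LOCAL") return index(item, ".") == 0
        tl = length(tok); il = length(item)
        if (substr(tok, 1, 1) == ".")               # ".domain" suffix
            return il > tl && tolower(substr(item, il - tl + 1)) == tolower(tok)
        if (substr(tok, tl) == ".")                 # "net." prefix, e.g. 10.1.
            return substr(item, 1, tl) == tok
        return tolower(tok) == tolower(item)
    }
    # A list matches if some token before EXCEPT matches the item and no
    # token after EXCEPT does.
    function list_match(list, item, mode,   n, i, j, ex, toks) {
        n = split(list, toks, /[ \t,]+/)
        ex = n + 1
        for (i = 1; i <= n; i++) if (toks[i] == "EXCEPT") { ex = i; break }
        for (i = 1; i < ex; i++) {
            if (toks[i] == "" || !item_match(toks[i], item, mode)) continue
            for (j = ex + 1; j <= n; j++)
                if (toks[j] != "" && item_match(toks[j], item, mode)) return 0
            return 1
        }
        return 0
    }
    {
        sub(/#.*/, "")
        if ($0 ~ /^[ \t]*$/) next
        n = split($0, f, ":")
        if (n < 3) next
        perm = f[1]; gsub(/[ \t]/, "", perm)
        if (list_match(f[2], user, "user") && list_match(f[3], origin, "from")) {
            verdict = (perm == "+") ? "allow" : "deny"
            print verdict
            decided = 1
            exit
        }
    }
    END { if (!decided) print "allow" }' "$3"
}

# Constructed rule file for the example.  "console ttyv0" exempts both the
# system console and the first syscons virtual terminal.
ACCESS=${TMPDIR:-/tmp}/sample.login.access.$$
cat > "$ACCESS" <<'EOF'
# no remote logins for walt (the rule from section 2.2.1)
-:walt:ALL EXCEPT console ttyv0
# root only from the console or the admin workstation
-:root:ALL EXCEPT console ttyv0 admin1.mydomain.com
# the ops account may come in from the 10.1.0.0/16 management network
+:ops:10.1.
# everyone else: local ttys and mydomain.com hosts only
-:ALL:ALL EXCEPT LOCAL .mydomain.com
EOF

for pair in walt:console walt:ws1.mydomain.com root:admin1.mydomain.com \
            root:ws1.mydomain.com ops:10.1.2.3 ops:10.2.2.3 alice:10.1.2.3 \
            alice:ws1.mydomain.com; do
    echo "$pair -> $(login_access_check "${pair%%:*}" "${pair#*:}" "$ACCESS")"
done
```

One caveat the rule "-:<user>:ALL EXCEPT console" deserves: for a non-networked login the origin that login(1) compares is the tty name it sees, so on a syscons virtual terminal that is ttyv0 rather than console. Run tty(1) on the console in question and list every name that is to be exempted, as the constructed rules do; otherwise the rule can lock the user out of the console as well.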

 2.2.2. Method Two: Login Classes


 A very powerful access-control method is login classes. Their advantage is that they offer far more control over user resources and authentication methods. A special login class can be created just for accounts that may not have any remote logins. Then, among its other entries, the following can be added:

 :host.allow=blip.mydomain.com:\

 In the above example, only logins from blip.mydomain.com would be allowed for users in that login class. Make sure that the host specified is the local host name of the machine the users are on; login attempts from anywhere else will then be denied. After editing /etc/login.conf, rebuild the database with cap_mkdb(1), and test with a login from a remote host before relying on the class.


 To learn more about creating and managing login classes, read the Login-Class-HOWTO at www.freebsd-howto.com.
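As an added example, not part of the original HowTo: a sh/awk script that writes such a class into a login.conf(5)-format file, looks up a user's class in master.passwd (its fifth field) and reports the host.allow value in effect for that user, so the assignment can be verified after the edit. The class name noremote, the host blip.mydomain.com, the sample files and the helper names are this example's own; tc= chaining is not followed, so a capability inherited from another class would not be seen.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): create a "no remote logins"
# login class and verify which users it applies to.

# noremote_class <allowed host>: print a login.conf(5) record for a class
# whose members may only log in from <allowed host>; tc=default inherits the
# rest of the settings from the default class.
noremote_class() {
    printf 'noremote|Accounts restricted to logins from %s:\\\n' "$1"
    printf '\t:host.allow=%s:\\\n' "$1"
    printf '\t:tc=default:\n'
}

# class_cap <login.conf file> <class> <capability>: value of cap=... in the
# named record (lines ending in \ are joined first).  Prints nothing if the
# class or the capability is absent.  tc= chaining is not followed.
class_cap() {
    awk -v class="$2" -v cap="$3" '
    function flush(   n, k, i, fields, names) {
        if (rec == "") return
        n = split(rec, fields, ":")
        split(fields[1], names, "|")
        for (i in names) if (names[i] == class) {
            for (k = 2; k <= n; k++)
                if (index(fields[k], cap "=") == 1) {
                    print substr(fields[k], length(cap) + 2)
                    done = 1; exit
                }
        }
        rec = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (sub(/\\[ \t]*$/, "", line)) { rec = rec line; next }
        rec = rec line
        flush()
    }
    END { if (!done) flush() }' "$1"
}

# user_class <master.passwd file> <user>: the login class field (empty means
# the class is "default").
user_class() {
    awk -F: -v user="$2" '$1 == user { print $5; exit }' "$1"
}

# effective_host_allow <login.conf> <master.passwd> <user>: the host.allow
# list that applies to the user, or ALL when the class sets none.
effective_host_allow() {
    class=$(user_class "$2" "$3")
    v=$(class_cap "$1" "${class:-default}" host.allow)
    printf '%s\n' "${v:-ALL}"
}

# Constructed sample files for the example (placeholder hashes, a minimal
# default class); a real /etc/login.conf carries many more capabilities.
CONF=${TMPDIR:-/tmp}/sample.login.conf.$$
PASSWD=${TMPDIR:-/tmp}/sample.master.passwd.$$
cat > "$CONF" <<'EOF'
default:\
	:passwd_format=sha512:\
	:umask=022:

EOF
noremote_class blip.mydomain.com >> "$CONF"
cat > "$PASSWD" <<'EOF'
walt:$6$placeholderhash:1003:1003:noremote:0:0:Walt:/home/walt:/bin/sh
guest:$6$placeholderhash:1004:1004::0:0:Guest:/home/guest:/bin/sh
EOF

echo "walt may log in from:  $(effective_host_allow "$CONF" "$PASSWD" walt)"
echo "guest may log in from: $(effective_host_allow "$CONF" "$PASSWD" guest)"
```

On the real host the same three steps are: append the record to /etc/login.conf, run cap_mkdb /etc/login.conf, and put the user into the class with pw usermod <user> -L noremote; effective_host_allow run against /etc/login.conf and /etc/master.passwd then shows whether the restriction really applies to the account in question.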

 

 3. Appendix

 

 Login.Access-HOWTO @ www.freebsd-howto.com

 Login-Class-HOWTO @ www.freebsd-howto.com

 Laker

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.
