SUMMARY: (2) How to limit a user to login only from console?

From: Francisco Javier Arias Correa (NIC) (farias@nic.mx)
Date: Fri Jul 24 1998 - 10:28:04 CDT


        It seems that I was not clear enough in my first post of the
summary; now I have tried to make it clearer by writing some comments on
each solution. There are also more solutions.

Thanks to:

        Wim Olivier <wim@na.co.za>
        "Todd A. Fiedler" <tfiedler@yahoo.com>
        "Marco Greene" <cmgreene@netcom.ca>
        Dave McFerren <davem@china.solve.net>
        Dennis Martens <MARTENSD@health.qld.gov.au>
        Bruce Bowler <bbowler@bigelow.org>
        "Kai O'Yang" <Kai.Oyang@fcit.monash.edu.au>
        Kevin.Sheehan@uniq.com.au (Kevin Sheehan)
        hmlaw@cse.cuhk.edu.hk (Law Hon Man)

Original question:

        I need to be able to limit one user (the user is not root) to
log in only from the console, not from telnet, rexec or something else
like that. Is there any way of doing this?

---------------------------------------------------------------------

1) From: Wim Olivier <wim@na.co.za>

        Put a script testing for /dev/console in his .profile. If yes,
        then do nothing; if it is a pty, then exit. (This is about 2
        lines long.)

        Comment: The .profile of the user must be owned by some other
                 user (root), and the user must have only read access
                 permissions to the file.

                 # tty(1) prints the controlling terminal; quote it so that
                 # "not a tty" (no terminal at all) stays a single word
                 if [ "`tty`" != /dev/console ]
                 then
                        echo "Access denied"
                        exit 1
                 fi

2) From: Kevin.Sheehan@uniq.com.au (Kevin Sheehan)

        This will only work if the user does not modify it. You can
        also do it in /etc/profile:

          if [ "$LOGNAME" = luser -a `tty` = /dev/console ] ; then
                    echo Access Denied
          fi

        to make it unchangeable by the user.

        Comment: It is like 1, but you could deny access to more users
                 from this same file (/etc/profile). BTW, it should be:

                # luser is the restricted login name; quote `tty` so a
                # session with no terminal ("not a tty") is handled too
                if [ "$LOGNAME" = luser -a "`tty`" != /dev/console ] ; then
                        echo "Access Denied"
                        exit 1
                fi

3) From: "Kai O'Yang" <Kai.Oyang@fcit.monash.edu.au>

        Have you considered idled? You can configure it to kick out
        anyone that is not from console, even with time of day control,
        pretty flexible.

        You can search for idled in most search engines. The author
        surname is Crider, I think.

        Comment: I just downloaded it but I haven't tried it. You can
                 look at:

                http://www.darkwing.com/idled/README.html
                

4) From: "Todd A. Fiedler" <tfiedler@yahoo.com>

        The only way I can think of doing this is to write a script that
        acts as a wrapper to a shell. You could then have the script
        check to see what device the user is logging in on, and if it is
        not /dev/console, you could have it issue a warning message and
        disconnect. Even better, you could write a small C program to do
        this; it would be faster and probably more secure.

        You would then need to place the script (or program) into the
        passwd file as the user's shell (item 7 in the list).

        Solaris seems to only support root console restriction.

        Comment: Writing a program could be the better solution for your
                 own needs, if you have the time.
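
        Putting items 1, 2 and 4 together as one working wrapper (an added
        example written for this summary, not code from any of the
        contributors): the tty test of items 1 and 2 goes into a small
        root-owned script that is installed as the user's login shell
        (item 4) and execs the real shell only when the controlling
        terminal is /dev/console. Doing the check in the shell itself
        rather than in .profile also covers rsh and rexec, which start a
        non-interactive shell that never reads .profile or /etc/profile.
        The install path /usr/local/bin/conshell, the login name luser
        and the real shell /bin/sh are assumptions for illustration.

```shell
#!/bin/sh
# conshell: login-shell wrapper that refuses non-console logins for the
# listed users. Added example for this summary, not a contributor's script.
# Assumed install: /usr/local/bin/conshell, owner root, mode 0755, set as
# the restricted user's shell in /etc/passwd, e.g.
#   luser:x:1001:10:Console-only user:/export/home/luser:/usr/local/bin/conshell
# Written for Solaris /bin/sh: backticks only, no $(...), no "local".

CONSOLE_TTY=/dev/console   # the only terminal the listed users may use
REAL_SHELL=/bin/sh         # shell exec'd once the check passes (assumed)
RESTRICTED="luser"         # space-separated login names to restrict (assumed)

# tty_allowed LOGNAME TTY  ->  exit status 0 = allow, 1 = refuse
# Only names in $RESTRICTED are tied to the console; anyone else is allowed
# from any terminal. A session with no terminal (rsh, rexec, cron) reports
# "not a tty", which never equals /dev/console and so is refused.
tty_allowed() {
    _user=$1
    _tty=$2
    for _r in $RESTRICTED; do
        if [ "$_user" = "$_r" ]; then
            if [ "$_tty" = "$CONSOLE_TTY" ]; then
                return 0
            fi
            return 1
        fi
    done
    return 0
}

# console_login_main: what runs when login(1), in.rshd, in.rexecd and the
# like start this file as the user's shell.
console_login_main() {
    # tty(1) prints the controlling terminal, or "not a tty" if none.
    _tty=`tty 2>/dev/null`
    # login(1) sets LOGNAME; some daemons set only USER. If neither is
    # set we cannot apply the policy, so fail closed.
    _user=${LOGNAME:-$USER}
    if [ -n "$_user" ] && tty_allowed "$_user" "$_tty"; then
        # Pass through any "-c command" from rsh/rexec for unrestricted
        # users. login's "-sh" argv[0] convention is not forwarded, so the
        # real shell starts as a plain interactive shell.
        exec "$REAL_SHELL" "$@"
    fi
    echo "Access denied: ${_user:-unknown user} may log in only on $CONSOLE_TTY" >&2
    sleep 2      # slow a scripted attacker down a little
    exit 1
}

# Run the login logic only when invoked under the wrapper's own name
# (login(1) passes "-conshell", rshd passes "conshell"), so the functions
# above can be sourced and tested without touching a real session.
case "$0" in
    */conshell|conshell|-conshell) console_login_main "$@" ;;
esac
```

        Because the leading "-" in argv[0] is not forwarded, the real
        shell does not read the user's .profile; bash accepts -l to
        restore login-shell behaviour if that matters. Keep the script
        root-owned and not writable by the user, for the same reason as
        in item 1. Note also that a shell not listed in /etc/shells is
        usually refused by in.ftpd, so this wrapper tends to close ftp
        for the user as well, which matches the original question.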

5) From: hmlaw@cse.cuhk.edu.hk (Law Hon Man)

        Hi, I think you should take a look at PAM on Solaris 2.6. I
        found a PAM module for Linux called list-file (pam_listfile)
        which provides a way to deny or allow services based on an
        arbitrary file (just like /etc/ftpusers for ftp). Please refer
        to the System Administrators' Guide in Linux-PAM.

        Comment: I haven't tried it.

6) From: "Marco Greene" <cmgreene@netcom.ca>
        
        You can always disable telnet, ftp, rlogin, ... in /etc/rpc and
        /etc/services.

        Comment: Very restrictive.
                
 
7) From: Dave McFerren <davem@china.solve.net>

        Try putting tcp wrappers on the daemons and make sure that his
        login name is not allowed.

        Comment: It looks at the username of the one who is trying to
                 connect, but does not take into account the user account
                 that they are trying to log in to.
        
        
8) From: Dennis Martens <MARTENSD@health.qld.gov.au>
        
        In the file /etc/default/login, put the entry:
                
                CONSOLE=/dev/console

        Comment: This will not work; it applies only to root.

--------------------------------------------------

        
        Francisco Javier Arias Correa
        NIC-Mexico, ITESM campus Monterrey
        http://www.nic.mx
        E-mail: farias@nic.mx
        Tel. +52 8 328 43 73, fax +52 8 328 42 08



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT