Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!rill.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.utell.co.uk!usenet
From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Howto restrict login at the console?
Date: 1 May 1997 16:37:55 GMT
Organization: Awfulhak Ltd.
Lines: 67
Message-ID: <5kagt3$a45@ui-gate.utell.co.uk>
References: <3364F170.4DF6BC09@indigo.ie> <5k761s$p26@ui-gate.utell.co.uk> <5k8p68$iad@lace.colorado.edu>
Reply-To: brian@awfulhak.org, brian@utell.co.uk
NNTP-Posting-Host: shift.utell.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Newsreader: knews 0.9.8
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:40135

In article <5k8p68$iad@lace.colorado.edu>,
fcrary@rintintin.Colorado.EDU (Frank Crary) writes:
> In article <5k761s$p26@ui-gate.utell.co.uk>,
> Brian Somers <brian@awfulhak.org, brian@utell.co.uk> wrote:
>>> I was just wondering if there was any way of restricting login at the
>>> console. What I'm after is the inverse (so to speak) of putting insecure
>>> on a line in /etc/ttys. That is, I only want root to login at the
>>> console. The machine isn't physically secure at the moment and I don't
>>> want people starting X sessions etc. I can login as root and lock the
>>> screen but I wouldn't trust people not to power cycle the machine when I
>>> wasn't around.
>
>> Something like
>
>> case .`tty 2>/dev/null` in
>>   ./dev/ttyv?) echo "Go away, you're not god !" >&2; exit 1;;
>> esac
>
>> in /etc/profile should suffice (assuming everyone at your site
>> uses [ba]sh).
>
> I'm not sure when or if /etc/profile is sourced, but I just tried it
> out and it is not called when I open an xterm with a tcsh shell. That
> could be a matter of the shell, or of opening an xterm rather than
> an initial login, but I think it's the shell. Since changing shells
> is something any user can do, this doesn't strike me as much of a
> protection. (Unless [ba]sh were the only shells available.)

All of this is true (/etc/csh.cshrc can be changed in a similar way to
/etc/profile for C shells, but I don't know much about csh so I didn't
provide an example). I was under the impression that the original poster
was looking for a mechanism to stop (or dissuade) people from using the
console for normal logins. In retrospect, that was a bit of an
assumption as I have no idea what his environment is like.

> However, as someone else has pointed out, this is a pointless
> exercise. PCs inherently have a massive physical security problem.
> Anyone with physical access to the machine can do whatever he
> wants. During a reboot, with a standard FreeBSD, you can bypass
> these protections by selecting single user mode. Even if you
> changed this, all someone has to do is put in a floppy disk of his
> choice and the machine would boot from that, rather than the hard
> drive.

The problem is not just with PCs. With physical access to any machine,
you can use a crow-bar to open the box, remove the disk and take it
home with you.

> (A feature which I find convenient, since I don't need to
> have a password on a machine running Windows NT to get rid of Windows
> and replace it with FreeBSD... And, no, I don't go around sneaking
> into people's offices and changing their operating system. I just
> occasionally install FreeBSD on previously used machines, and it's
> not convenient to run around, find the former sysadmin and get him to
> give me a password on NT.)

It's a nice idea though ! I'd like to find all the NT boxes around
here and.....

> Frank Crary
> CU Boulder

-- 
Brian <brian@awfulhak.org> <brian@freebsd.org> <http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour !
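The /etc/profile check discussed above, carried through as an added example that is not part of the original thread: a POSIX sh function that denies non-root logins on the syscons virtual terminals (/dev/ttyv0, /dev/ttyv1, ...), exempts uid 0, and copes with `tty` returning nothing. It assumes FreeBSD's tty naming and, as Frank points out, only covers shells that actually source /etc/profile.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether an interactive
# login may continue, given the controlling tty name and the numeric uid.
# Returns 0 (allow) or 1 (deny).
# Assumption: FreeBSD syscons virtual terminals are named /dev/ttyv0, /dev/ttyv1, ...
console_login_allowed() {
    tty_name=$1   # output of `tty`; empty when there is no controlling terminal
    uid=$2        # numeric uid, e.g. from `id -u`

    # root may always use the console (that is the original poster's requirement)
    if [ "${uid:-1}" -eq 0 ]; then
        return 0
    fi

    # Prefix with "." so an empty tty name still gives case a word to match,
    # and match the prefixed pattern accordingly.
    case ".$tty_name" in
        ./dev/ttyv?|./dev/ttyv??) return 1 ;;   # console virtual terminal: deny
        *)                        return 0 ;;   # pseudo-tty, serial line, no tty: allow
    esac
}

# How it would be used from /etc/profile (kept as a comment here so the
# function can be sourced without terminating the caller):
# if ! console_login_allowed "`tty 2>/dev/null`" "`id -u`"; then
#     echo "Go away, you're not god !" >&2
#     exit 1
# fi
```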