Re: Limiting Users Allowed Dial-up Access

From: Ron Heiby (heiby_u@falkor.chi.il.us)
Date: 05/27/02


From: Ron Heiby <heiby_u@falkor.chi.il.us>
Date: Mon, 27 May 2002 07:21:17 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Nico Kadel-Garcia" <nkadel@bellatlantic.net> wrote:
>Welcome to the wonders of chroot cages and special shells, such as smrsh.
>Use those both as keywords, and feel free to poke my notes at
>http://cag.lcs.mit.edu/~raoul/ for notes on one for SSH.

I think you have misinterpreted what I am intending to ask. This seems to
be attempting to handle a problem exactly opposite what I seek to handle.

I have normal users. I want these normal users to be able to do anything
according to the standard security of the system that is allowed. I do not
want them to have to live inside a chroot cage, special shell, or anything
else. They should be able to use any shell they like. They should be able
to go anywhere in the filesystem that filesystem permissions allow.

The normal users should be able to log in using ssh. The normal users
should be able to log in on a console tty. The normal users should be able
to log in to a console X Window session.

The normal users should NOT be able to log in on the modem line.

How do I prevent the normal users, who have basically the run of the
machine, from being able to log in on the modem line?

(I ask this because I need to have a modem on the system for some
special-purpose user ids. These special-purpose ids *do* live in a
restricted environment. I am not worried about them. I am confident that I
can sufficiently restrict their environment to render them harmless to
overall system security. However, I do not want to risk someone cracking
the password on one of my normal users and logging in over the phone using
that modem line I need for the special-purpose users. I am confident that
the system is protected enough from potential Internet threats. My normal
users can sign onto the machine over the Internet using SSH and PK
encryption. I just need to be sure that someone *posing* as one of my
normal users cannot log in over the modem.)

Thanks! Ron.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: The last PGP with full source disclosure.

iQA/AwUBPPHeWG8pw+2/9pUJEQKqoQCgxmXQ/+XqvxAJc/aj6vcUn37zjhQAn1Hk
kijS7QdqI6yaMW82fpgWSLNL
=/qRN
-----END PGP SIGNATURE-----


