Re: Limiting Users Allowed Dial-up Access

From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 05/27/02


From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net>
Date: Mon, 27 May 2002 12:30:55 GMT


"Ron Heiby" <heiby_u@falkor.chi.il.us> wrote in message
news:d2n3fu41gquo0mqu06u78ll3jmi03ng23r@4ax.com...

> How do I prevent the normal users, who have basically the run of the
> machine, from being able to log in on the modem line?

*AAAHHH*. I see. To prevent outgoing calls, do not put them in the "uucp"
group and set the modem permissions to not allow read-write by others. To
prevent incoming, similarly, do not set up dial-up accounts for them or allow
them to execute the "pppd" program.

Setting up dial-up accounts securely is a different issue.

> (I ask this because I need to have a modem on the system for some
> special-purpose user ids. These special purpose ids *do* live in a
> restricted environment. I am not worried about them. I am confident that I
> can sufficiently restrict their environment to render them harmless to
> overall system security. However, I do not want to risk someone cracking
> the password on one of my normal users and logging in over the phone using
> that modem line I need for the special-purpose users. I am confident that
> the system is protected enough from potential Internet threats. My normal
> users can sign onto the machine over the Internet using SSH and PK
> encryption. I just need to be sure that someone *posing* as one of my
> normal users cannot log in over the modem.)

Gotcha. Hmm. Can you set up a "Radius" server, which has a challenge system
distinct from normal user passwords? Or configure the modem system to be a
dial-back system to call back the users at a pre-specified number instead of
allowing random logins? And are you trying to defend against casual users
being careless, or real weasels who think they know better than you?
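
An audit of the permissions advice in the reply above, as an added example that is not part of the original post: it checks that the modem device is not readable or writable by others, that pppd is not executable by others, and lists who is in the dial-out group. The device path /dev/ttyS0, the pppd path /usr/sbin/pppd and GNU stat are assumptions; adjust them for the local system.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Linux).
# The paths and group name below are assumptions; override via environment.
MODEM_DEV=${MODEM_DEV:-/dev/ttyS0}
PPPD_BIN=${PPPD_BIN:-/usr/sbin/pppd}
DIAL_GROUP=${DIAL_GROUP:-uucp}

# Print the "other" permission digit (0-7) of a file.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $((mode % 10))
}

# Succeeds (exit 0) when "others" can read or write the modem device.
modem_open_to_others() {
    bits=$(other_bits "$1") || return 2
    [ $((bits & 6)) -ne 0 ]
}

# Succeeds (exit 0) when "others" can execute pppd.
pppd_exec_by_others() {
    bits=$(other_bits "$1") || return 2
    [ $((bits & 1)) -ne 0 ]
}

# List supplementary members of a group from a group(5)-format file.
# Users whose primary GID is this group are not listed there; check passwd too.
group_members() {
    awk -F: -v g="$1" \
        '$1 == g { gsub(",", "\n", $4); if ($4 != "") print $4 }' \
        "${2:-/etc/group}"
}

# Run all checks; returns 1 if any finding was reported.
audit() {
    rc=0
    if modem_open_to_others "$MODEM_DEV"; then
        echo "FINDING: $MODEM_DEV is readable/writable by others"; rc=1
    fi
    if pppd_exec_by_others "$PPPD_BIN"; then
        echo "FINDING: $PPPD_BIN is executable by others"; rc=1
    fi
    echo "Members of $DIAL_GROUP (review each):"
    group_members "$DIAL_GROUP"
    return $rc
}
```

Source the file and call `audit`; it only inspects the current state and changes nothing.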


