Re: Limiting Users Allowed Dial-up Access

Date: 05/27/02

Date: Mon, 27 May 2002 12:30:55 GMT

"Ron Heiby" <> wrote in message

> How do I prevent the normal users, who have basically the run of the
> machine, from being able to log in on the modem line?

*AAAHHH*. I see. To prevent outgoing calls, do not put them in the "uucp"
group and set the modem permissions to not allow read-write by others. To
prevent incoming, similarly, do not set up dial-up accounts for them or allow
them to execute the "pppd" program.

Setting up dial-up accounts securely is a different issue.

> (I ask this because I need to have a modem on the system for some
> special-purpose user ids. These special purpose ids *do* live in a
> restricted environment. I am not worried about them. I am confident that I
> can sufficiently restrict their environment to render them harmless to
> overall system security. However, I do not want to risk someone cracking
> the password on one of my normal users and logging in over the phone using
> that modem line I need for the special-purpose users. I am confident that
> the system is protected enough from potential Internet threats. My normal
> users can sign onto the machine over the Internet using SSH and PK
> encryption. I just need to be sure that someone *posing* as one of my
> normal users cannot log in over the modem.)

Gotcha. Hmm. Can you set up a "Radius" server, which has a challenge system
distinct from normal user passwords? Or configure the modem system to be a
dial-back system to call back the users at a pre-specified number instead of
allowing random logins? And are you trying to defend against casual users
being careless, or real weasels who think they know better than you?
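
An added example, not part of the original post: a small shell audit of the three controls the reply names (normal users kept out of the "uucp" group, the modem device not read-write for others, "pppd" not executable by others). The device path, the pppd path and the user names are assumptions passed in as arguments.

```sh
#!/bin/sh
# Added example: audit the dial-up controls suggested in the reply above.
# Assumed invocation (paths and users are placeholders for your system):
#   sh audit.sh /dev/ttyS0 /usr/sbin/pppd uucp alice bob

# Print the "other" permission digit (0-7) of a file (GNU/busybox stat).
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# True if accounts outside the owner and group can read or write the file.
others_can_rw() {
    bits=$(other_bits "$1") || return 2
    [ $(( bits & 6 )) -ne 0 ]
}

# True if accounts outside the owner and group can execute the file.
others_can_exec() {
    bits=$(other_bits "$1") || return 2
    [ $(( bits & 1 )) -ne 0 ]
}

# True if user $1 belongs to group $2 (primary or supplementary).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# audit_dialup MODEM_DEVICE PPPD_BINARY DIAL_GROUP [USER...]
# Prints one line per finding; the exit status is the number of findings.
audit_dialup() {
    modem=$1 pppd=$2 group=$3 findings=0
    shift 3
    for f in "$modem" "$pppd"; do
        [ -e "$f" ] || { echo "FAIL: $f not found"; findings=$((findings + 1)); }
    done
    if others_can_rw "$modem"; then
        echo "FAIL: $modem is readable or writable by others"; findings=$((findings + 1))
    fi
    if others_can_exec "$pppd"; then
        echo "FAIL: $pppd is executable by others"; findings=$((findings + 1))
    fi
    for u in "$@"; do
        if user_in_group "$u" "$group"; then
            echo "FAIL: normal user $u is in group $group"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

if [ "$#" -ge 3 ]; then audit_dialup "$@"; fi
```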