Re: Limiting Users Allowed Dial-up Access

From: A. Marshall (
Date: 05/28/02

From: "A. Marshall" <>
Date: Mon, 27 May 2002 23:26:06 +0100

Nico Kadel-Garcia wrote:

> "Ron Heiby" <> wrote in message
>> Hash: SHA1
>> (I ask this because I need to have a modem on the system for some
>> special-purpose user ids. These special purpose ids *do* live in a
>> restricted environment. I am not worried about them. I am confident that
>> I can sufficiently restrict their environment to render them harmless to
>> overall system security. However, I do not want to risk someone cracking
>> the password on one of my normal users and logging in over the phone
>> using that modem line I need for the special-purpose users. I am
>> confident that the system is protected enough from potential Internet
>> threats. My normal users can sign onto the machine over the Internet
>> using SSH and PK encryption. I just need to be sure that someone *posing*
>> as one of my normal users cannot log in over the modem.)
> Gotcha. Hmm. Can you set up a "Radius" server, which has a challange
> system distinct from normal user passwords? Or configure the modem system
> to be a dial-back system to call back the users at a pre-specified number
> instead of allowing random logins? And are you trying to defend against
> casual users being careless, or real weasels who think they know better
> than you?

Not an expert in this, but - on my RH7.3 box in /etc/security there is a
file called access.conf
that purports to restrict access based on username & tty pairs. i.e. it
specifies which ttys users
are permitted to use to log in. Now, a dial-in shell will be on a known tty
(one of the serial ports right?),
sooooooooooooo - it should be possible to use access.conf to specify that
ONLY the restricted users can
use these terminals, and then to also specify that 'normal' users must use
any of the 'normal' ttys generated by
ssh etc.

| n | n-gate ltd.