
Re: Locking down a guest account - need help.



On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:

>  1. How to disallow network connections to this guest account? I don't
> want anyone ssh'ing in, but I still want to be able to remotely administer
> the machines.

man sshd --

     DenyUsers
             This keyword can be followed by a number of user names, separated
             by spaces.  Login is disallowed for user names that match one of
             the patterns.  `*' and `?' can be used as wildcards in
             the patterns.  Only user names are valid, a numerical user id
             isn't recognized.  By default login is allowed regardless
             of the username.

There are similar DenyGroups, AllowUsers, and AllowGroups directives,
too. This is *the* simplest solution. If you're PAM-savvy, there are
options there, too (easiest is to use pam_listfile to allow/deny
access to people listed in a particular file). However, it's really
easy to shoot yourself in the foot with PAM. Plus, you'd certainly
want to disable any other network access methods you can (ftp and
friends).

If all the people need to do is browse the web and ssh out, you can
also make a firewall rule that allows traffic to and from any remote
host's port 22, 80, or 443.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
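
An added example, not part of the original post: a simplified Python model of how sshd evaluates the DenyUsers, AllowUsers, DenyGroups and AllowGroups directives mentioned above, applied in that order as current OpenSSH's sshd_config(5) documents. The config fragment and the account and group names (`kiosk?`, `admin`, `wheel`, `sshadmin`) are constructed, and only plain name patterns with `*` and `?` are handled.

```python
import re

# Constructed sshd_config fragment (not from the original post): block the
# local "guest" account while keeping hypothetical admin groups usable.
SAMPLE_CONFIG = """\
# remote administration stays possible for members of the admin groups
DenyUsers guest kiosk?
AllowGroups wheel sshadmin
"""

ORDER = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse(config_text):
    """Collect the patterns of the four access keywords (case-insensitive)."""
    rules = {k: [] for k in ORDER}
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0].lower() in rules:
            rules[words[0].lower()].extend(words[1:])
    return rules

def matches(name, patterns):
    """True if name matches any pattern; only `*` and `?` are wildcards."""
    for pat in patterns:
        regex = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, name):
            return True
    return False

def login_allowed(user, groups, rules):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order."""
    if matches(user, rules["denyusers"]):
        return False
    if rules["allowusers"] and not matches(user, rules["allowusers"]):
        return False
    if any(matches(g, rules["denygroups"]) for g in groups):
        return False
    if rules["allowgroups"] and not any(matches(g, rules["allowgroups"]) for g in groups):
        return False
    return True

if __name__ == "__main__":
    rules = parse(SAMPLE_CONFIG)
    for user, groups in [("guest", ["users"]), ("kiosk1", ["users"]),
                         ("admin", ["wheel"]), ("alice", ["users"])]:
        print(user, "allowed" if login_allowed(user, groups, rules) else "denied")
```

Note that once an Allow list is present, any account not matched by it is refused as well, which is why `alice` is denied here even though she is not named in DenyUsers.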


