Re: Locking down a guest account - Got Help. THANKS!
Thank all!
You help and suggestions have helped me over the current stumbling
blocks and its (hopefully) all down hill from here. I finally ditched
enlightenment and went with sawmill. A couple menus deep was keybinding
and by just disabeling the entry for root_menu, I was able to seal up the
desktop interface without crippling the rest of the users. Now all thats
left is disabaling all the tty sessions and going over permissions with a
fine tooth comb.
Thanks again!
david.
On Mon, 6 Aug 2001, Mike Renfro wrote:
> On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:
>
> > 1. How to dissallow network connections to this guest account? I don't
> > want anyone ssh'ing in, but I still want to be able to remotely administer
> > the machines.
>
> man sshd --
>
> DenyUsers
> This keyword can be followed by a number of user names, separated
> by spaces. Login is disallowed for user names that match one of
> the patterns. `*' and `?' can be used as wildcards in
> the patterns. Only user names are valid, a numerical user id
> isn't recognized. By default login is allowed regardless
> of the username.
>
> there are similar DenyGroups, AllowUsers, and AllowGroups directives,
> too. This is *the* simplest solution. If you're PAM-savvy, there are
> options there, too (easiest is to use pam_listfile to allow/deny
> access to people listed in a particular file). However, it's really
> easy to shoot yourself in the foot with PAM. Plus, you'd certainly
> want to disable any other network access methods you can (ftp and
> friends).
>
> If all the people need to do is browse the web and ssh out, you can
> also make a firewall rule that allows traffic to and from any remote
> hosts port 22, 80, or 443.
>
>
Reply to: