NIS+NFS: how to prevent users from logging directly into the server?
Hi,
I have set up a network with centralized authentication, as described in this HOWTO: http://docs.slackware.com/howtos:roaming_profiles Everything works fine, but I need to add one more restriction. Users are all able to log into their account from any desktop client, but how can I prevent them from logging directly into the server? In short...
Why would I want to do this? Well, this is a multi-purpose server that not only holds all account information on the NIS server and all users' /home directories (shared by NFS). It's also a Samba server with mixed clearance levels (public, confidential), and some of the data is - in theory - readable for users. The measure described above would simply prevent users from snooping around in /srv/samba/ on the server.
Hello,
Have a look at:
Code:
man sshd_config
Kind regards, Eric
Quote:
man 5 nologin
Quote:
There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy from getting access to your machine one way or another.
Kind regards, Eric
---------- Post added 17-09-12 at 20:59 ----------
Quote:
Easy enough to bypass since users have physical access to the server.
Kind regards, Eric
Quote:
Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact log in to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".
Quote:
Quote:
Let's hope they all will be bored very soon when they log in and that you don't have a wannabe script kiddie in your class as already indicated by caduqued.
Kind regards, Eric
To prevent login by xdm, kdm, you can test on $DISPLAY and $USER in the Xsession file, and then just exit if you do not like the combination of the two variables. Be sure you have the exact value of the DISPLAY variable, and then if $DISPLAY is ":0.0" put something like this quite early in the Xsession file:
# Exit if user not allowed
if [ "x$DISPLAY" = "x:0.0" -a "$USER" != "kiki" ]; then
    exit
fi
And also you have to prevent login on the virtual console.
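The DISPLAY/USER test from the post above, as an added example that is not part of the original thread: it goes slightly beyond the posted snippet by taking an allow-list instead of one name and by treating every spelling of a local display (":0", ":0.0", "unix:0") alike, so the check does not depend on the exact DISPLAY value. The names ALLOWED_USERS, is_local_display and session_allowed are hypothetical, and "kiki" is the account name used in the post.

```shell
#!/bin/sh
# Added example: decide whether an X session may start on the server's own
# display. All names below are hypothetical, not from any Slackware file.

# Assumption: space-separated accounts permitted on the server's display.
ALLOWED_USERS="kiki"

# Return 0 when the display string names a display local to this machine,
# whatever the screen suffix: ":0", ":0.0", ":1", "unix:0.0".
# An empty value is treated as local so that the check fails closed.
# "host:0" style values are remote (XDMCP) displays and return 1.
is_local_display() {
    case "$1" in
        ""|:[0-9]*|unix:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when user $1 may open a session on display $2.
session_allowed() {
    user=$1
    display=$2
    # Sessions on remote displays are not restricted by this check.
    is_local_display "$display" || return 0
    # Word splitting of the allow-list is intended here.
    for u in $ALLOWED_USERS; do
        [ "$u" = "$user" ] && return 0
    done
    return 1
}

# Early in the Xsession file one would then call (left commented out so
# that this file can be sourced and tested without ending the shell):
# session_allowed "$USER" "$DISPLAY" || exit 1
```

This covers display-manager logins only; virtual consoles and ssh still need their own restriction, as the posts above note.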