NIS+NFS: how to prevent users from logging directly into the server?
 

Hi,

I have setup a network with centralized authentication, as described in this HOWTO:

http://docs.slackware.com/howtos:roaming_profiles

Everything works fine, but I need to add one more restriction. Users are all able to log into their account from any desktop client, but how can I prevent them from logging directly into the server? In short...

1. Any user can log into his or her account on any desktop client
2. No users should be allowed to log in directly into the server.
3. Similarly, users shouldn't be able to ssh into the server with their own account

Why would I want to do this? Well, this is a multi-purpose server that not only holds all account information on the NIS server and all users' /home directories (shared by NFS). It's also a Samba server with mixed clearance levels (public, confidential), and some of the data is - in theory - readable for users. The measure described above would simply prevent users from snooping around in /srv/samba/ on the server.

Hello,

Have a look at:
more in particular, AllowUsers and DenyUsers. By using those keywords you can restrict access to your server to (a) specific user(s) through SSH while maintaining your user setup. The only thing you'll need to do besides that is lock the door to the server room so that they don't have physical access to the console.

Kind regards,

Eric

Unfortunately the server is physically accessible to users, and there is no way to prevent that. That's why I wonder if there's a way to configure it so that only me (kikinovak) and root can log into the server directly.

man 5 nologin

Hi,

There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy to get access to your machine one way or another.

Kind regards,

Eric

---------- Post added 17-09-12 at 20:59 ----------

Hi,

Easy enough to bypass since users have physical access to the server.

Kind regards,

Eric

It's not only this single install. More often that not, I get called in small companies or local administrations to replace the Windows-only network by either a Linux network or a mixed network. Most of the time, I don't get to choose the physical location of server and clients. They're already there. So I have to deal with it.

Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".

Well, although this kind of "psychological" firewall could be valid for the majority of 15~20-years-old students so used to MS Windows or OSX, that is not going to prevent one or two "wannabe-hacker" juveniles trying to challenge the system, IMHO.

Hello,

Let's hope they all will be bored very soon when they login and that you don't have a wannabee script kiddie in your class as already indicated by caduqued.

Kind regards,

Eric

To prevent login by xdm. kdm, you can test on $DISPLAY and $USER in the Xsession file,
and then just exit if you do not like the combination of the two variables.

Be sure you have the exact value of the DISPLAY variable,
and then if $DISPLAY is ":0.0" put something like this quite early in the Xsession file:

# Exit if user not allowed
if [ "x$DISPLAY" = "x:0.0" -a "$USER" != "kiki" ]; then
exit
fi

And also you have to prevent login on the virtual console.