Old 09-17-2012, 01:33 AM   #1
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: ElementaryOS, Ubuntu LTS, Slackware
Posts: 1,540

NIS+NFS: how to prevent users from logging directly into the server?


Hi,

I have set up a network with centralized authentication, as described in this HOWTO:

http://docs.slackware.com/howtos:roaming_profiles

Everything works fine, but I need to add one more restriction. Users are all able to log into their account from any desktop client, but how can I prevent them from logging directly into the server? In short...
  1. Any user can log into his or her account on any desktop client
  2. No users should be allowed to log in directly into the server.
  3. Similarly, users shouldn't be able to ssh into the server with their own account

Why would I want to do this? Well, this is a multi-purpose server that not only holds all account information on the NIS server and all users' /home directories (shared by NFS). It's also a Samba server with mixed clearance levels (public, confidential), and some of the data is - in theory - readable for users. The measure described above would simply prevent users from snooping around in /srv/samba/ on the server.
 
Old 09-17-2012, 01:41 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Hello,

Have a look at:
Code:
man sshd_config
more in particular, AllowUsers and DenyUsers. By using those keywords you can restrict access to your server to (a) specific user(s) through SSH while maintaining your user setup. The only thing you'll need to do besides that is lock the door to the server room so that they don't have physical access to the console.

Kind regards,

Eric
 
Old 09-17-2012, 02:46 AM   #3
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: ElementaryOS, Ubuntu LTS, Slackware
Posts: 1,540

Original Poster
Quote:
Originally Posted by EricTRA
Hello,

Have a look at:
Code:
man sshd_config
more in particular, AllowUsers and DenyUsers. By using those keywords you can restrict access to your server to (a) specific user(s) through SSH while maintaining your user setup. The only thing you'll need to do besides that is lock the door to the server room so that they don't have physical access to the console.

Kind regards,

Eric
Unfortunately the server is physically accessible to users, and there is no way to prevent that. That's why I wonder if there's a way to configure it so that only me (kikinovak) and root can log into the server directly.
 
Old 09-17-2012, 03:25 AM   #4
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 755

man 5 nologin
 
Old 09-17-2012, 01:58 PM   #5
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Quote:
Originally Posted by kikinovak
Unfortunately the server is physically accessible to users, and there is no way to prevent that. That's why I wonder if there's a way to configure it so that only me (kikinovak) and root can log into the server directly.
Hi,

There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy from getting access to your machine one way or another.

Kind regards,

Eric

---------- Post added 17-09-12 at 20:59 ----------

Quote:
Originally Posted by wildwizard
man 5 nologin
Hi,

Easy enough to bypass since users have physical access to the server.

Kind regards,

Eric
 
Old 09-17-2012, 11:40 PM   #6
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: ElementaryOS, Ubuntu LTS, Slackware
Posts: 1,540

Original Poster
Quote:
Originally Posted by EricTRA
Hi,

There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy from getting access to your machine one way or another.

Kind regards,

Eric

---------- Post added 17-09-12 at 20:59 ----------


Hi,

Easy enough to bypass since users have physical access to the server.

Kind regards,

Eric
It's not only this single install. More often than not, I get called in small companies or local administrations to replace the Windows-only network by either a Linux network or a mixed network. Most of the time, I don't get to choose the physical location of server and clients. They're already there. So I have to deal with it.

Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".
 
Old 09-18-2012, 03:12 AM   #7
caduqued
Member
 
Registered: Apr 2008
Location: Coventry, United Kingdom
Distribution: Slackware64, Slackware64 13.37, linuxslackware
Posts: 81

Quote:
Originally Posted by kikinovak
...
Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".
Well, although this kind of "psychological" firewall could be valid for the majority of 15~20-year-old students so used to MS Windows or OSX, that is not going to prevent one or two "wannabe-hacker" juveniles trying to challenge the system, IMHO.
 
Old 09-18-2012, 06:33 AM   #8
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Quote:
Originally Posted by kikinovak
It's not only this single install. More often than not, I get called in small companies or local administrations to replace the Windows-only network by either a Linux network or a mixed network. Most of the time, I don't get to choose the physical location of server and clients. They're already there. So I have to deal with it.

Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".
Hello,

Let's hope they all will be bored very soon when they login and that you don't have a wannabe script kiddie in your class as already indicated by caduqued.

Kind regards,

Eric
 
Old 09-18-2012, 07:40 AM   #9
ml4711
Member
 
Registered: Aug 2012
Location: Ryomgård, Danmark
Distribution: Slackware64
Posts: 78

To prevent login by xdm, kdm, you can test on $DISPLAY and $USER in the Xsession file,
and then just exit if you do not like the combination of the two variables.

Be sure you have the exact value of the DISPLAY variable,
and then if $DISPLAY is ":0.0" put something like this quite early in the Xsession file:

# Exit if user not allowed
if [ "x$DISPLAY" = "x:0.0" -a "$USER" != "kiki" ]; then
    exit
fi

And also you have to prevent login on the virtual console.

Last edited by ml4711; 09-18-2012 at 07:42 AM.
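
The Xsession check from post #9, generalized into an allow-list that also matches the other spellings of the local display (":0", "unix:0"), as an added example that is not code from the thread. The variable ALLOWED_LOCAL_USERS, the function names, and the list `root kikinovak` (taken from post #3) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): allow-list gate for X logins on the
# server's own display. ALLOWED_LOCAL_USERS and all function names are
# hypothetical; the list below is an assumption taken from post #3.
ALLOWED_LOCAL_USERS="root kikinovak"

# is_local_display DISPLAY: succeeds for the server's own screen.
# Local displays have no host part (":0", ":0.0") or the host "unix".
# An empty value is treated as local so the check fails closed.
is_local_display() {
    case "$1" in
        ''|:[0-9]*|unix:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# user_in_list USER LIST: succeeds on an exact match against one of the
# space-separated names in LIST (no prefix or pattern matching).
user_in_list() {
    for name in $2; do
        if [ "$name" = "$1" ]; then return 0; fi
    done
    return 1
}

# session_allowed USER DISPLAY: 0 = let the session continue, 1 = refuse.
session_allowed() {
    [ -n "$1" ] || return 1            # unknown user: refuse
    is_local_display "$2" || return 0  # remote display: not gated here
    if user_in_list "$1" "$ALLOWED_LOCAL_USERS"; then return 0; fi
    return 1
}

# enforce_session_gate: call this early in the Xsession file. It asks the
# system for the login name instead of trusting $USER, logs a refusal to
# syslog, and ends the session with a non-zero status.
enforce_session_gate() {
    user=$(id -un 2>/dev/null) || user=""
    if ! session_allowed "$user" "${DISPLAY:-}"; then
        logger -p auth.notice -t Xsession \
            "refused X login for '$user' on '${DISPLAY:-}'" 2>/dev/null || true
        exit 1
    fi
}
```

This gate covers only sessions started through the display manager; logins on the virtual console do not pass through Xsession and need their own restriction, as the post notes.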
 
  

