[techtalk] login restriction

Susannah D. Rosenberg indrani at mindspring.com
Fri Jul 7 17:36:54 EST 2000


Brian Sweeney wrote:
> 
> Hey all-
> 
> Thanks everyone for the responses; the setting login to /bin/false is a neat
> trick.  Also, FYI to those who feared for the security of my server, I DO
> have a firewall implemented, and this machine is behind it.  I don't have to
> worry as much about what ports are open where b/c the firewall only lets
> SMTP traffic connect to the server from the outside world, and it has some
> decent anti-spoofing in case someone tries to pretend they're on my team. ;-).
> I was really just concerned with some dumb-luck user reading about a "nifty
> telnet thingy" on the web and doing damage purely by accident.  Hence my
> wanting to lock them out.  I do try and be of the minimalist school whenever
> possible "If they don't NEED it, don't give it...".  Oh, and I typoed
> before; I'm running RHL6.1...but thanks for the tips on 6.0, I didn't
> realize it was so bad.  *SIGH* too many servers to administer...;-)
> 
> Does anybody know, on a side note, why the /etc/security/access.conf file is
> there by default, to be used by PAM, even though it apparently doesn't do
> anything?

well, i've never actually played around with the file before (yet), but
one of the lines in my default seems to involve denying console
logins to all but certain accounts, only letting certain people log in
remotely, etc, etc. it /looks/ very similar to a by-user-account/group
version of /etc/hosts.deny
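
The kind of access.conf rules the reply describes (console logins limited to certain accounts, remote logins limited to certain people), modelled in Python as an added example that is not part of the original message. It is a simplified model of pam_access's first-match evaluation that handles only plain names, ALL, LOCAL and EXCEPT; the rules, account names and hostnames are constructed.

```python
# Simplified model of how pam_access reads access.conf (added example).
# Each rule is "permission:users:origins"; the first rule whose users and
# origins both match decides, and a login that matches no rule is allowed.

# Constructed sample rules, not taken from any real system.
SAMPLE_RULES = """
# only root and admin may log in on the console
-:ALL EXCEPT root admin:console
# only alice may log in from anywhere that is not local
-:ALL EXCEPT alice:ALL EXCEPT LOCAL
"""

def token_match(token, value, is_origin):
    if token == "ALL":
        return True
    if is_origin and token == "LOCAL":
        return "." not in value          # LOCAL: any origin without a dot
    return token == value

def list_match(field, value, is_origin=False):
    """Match 'a b EXCEPT c d': value must hit a/b and must not hit c/d."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        wanted, excluded = tokens[:i], " ".join(tokens[i + 1:])
    else:
        wanted, excluded = tokens, ""
    if not any(token_match(t, value, is_origin) for t in wanted):
        return False
    return not (excluded and list_match(excluded, value, is_origin))

def login_allowed(rules, user, origin):
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blanks are ignored
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if list_match(users, user) and list_match(origins, origin, True):
            return perm == "+"            # first matching rule decides
    return True                           # no rule matched: login allowed

if __name__ == "__main__":
    for user, origin in [("root", "console"), ("bob", "console"),
                         ("bob", "host.example.com"),
                         ("alice", "host.example.com")]:
        print(user, origin, login_allowed(SAMPLE_RULES, user, origin))
```

In this model a file whose rules are all commented out restricts nothing, because every login falls through to the final `return True`.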




