user login by physical console only?

Mike mike at
Thu Feb 22 21:09:15 PST 2001

I'm looking at RedHat 7 which has this file as /etc/security/access.conf.
I imagine you could put some rules in there to only allow certain users to
login from the console....but it didn't work for me when I just tried.

I created a group called "locals" and added to that group those
accounts (mike) I only wanted to login locally. Then put the following in

+ : ALL EXCEPT locals : ALL
- : locals : ALL EXCEPT localhost

When that failed to produce proper results I tried:

- : mike : ALL
+ : ALL EXCEPT locals : ALL
- : locals : ALL EXCEPT localhost

and then I rebooted, just for good measure. It would still let the
"mike" account log in from the network. Uggh. So in short I don't know
how this pam stuff works nor how it could help you. How's that for not

-=<(| mike at |)>=-

On Thu, 22 Feb 2001 at 18:59, michael scott frank wrote:

|I believe this will work if you're not using X (since processes forked

|from X are allocated ptys). Edit /etc/login.access and to look more or

|less like this (you might have to adjust depending on the number of ttys

|you allocate at boot time):


|+:ALL:tty0 tty1 tty2 tty3 tty4 tty5



|This will allow anyone to log in on ttys 0 - 5, and deny otherwise.

|I don't have time to test it (would require me to physically log into my

|server to revert back) but this looks right, looking at the man page.





|------------------------- .~.

|Michael Frank /v\

|msfrank at // \\

|------------------------ /( )\

| ^`~'^


|On Thu, 22 Feb 2001, Benjamin Honsinger wrote:


|> I believe I remember having once read about a way to specify that a certain

|> user can only login from the console, and not through _any_ services over a

|> network. Does someone know how to do this? And if so, does it mitigate security

|> concerns regarding the internet and that user? I'm asking because I have

|> several computers setup with _simple_ dictionary user names and passwords.

|> Obviously this could be a security concern, but having secure passwords isn't

|> very feasible (ie technology hating users who wouldn't stand for typing in

|> hard, long passwords). These users will only ever access the machine

|> physically.

|> As a side note, even if the password was secure, with everyone at school

|> knowing it, it could get on the internet easy, and a hacker could get it.

|> I do have all services like telnet, ftp, etc turned off, I'm just looking was

|> to continually improve security.

|> Thanks!


|> - Ben Honsinger



More information about the Linux mailing list