-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Buck wrote:
>
>
> I don't know if I am misunderstanding you or you are misunderstanding
> me. You come across as if you believe that I don't want the users to
> log in from their own computers. That isn't the case. Their usernames
> and passwords are synchronized on the server and the workstations. When
> they log in on the workstations, that logs them into the server
> transparently. My problem has been that the server sat on a table in an
> open public area. The employees on the workstations gave their
> passwords out as freely as a restaurant gives party mints. Employees
> that have no computers or access give the passwords to their kids and
> let the kids free on the computers, or they use the workstations to surf
> the web, porn sites, etc. The server is a Windows 2000 Pro computer and
> I have it set up so that only the administrator can log into the server
> computer from the server location. Users can't.

Yes, that is what I'm saying. Just change one or two test users in the server's password file to false or nologin, then have a try on the server. This *will not* prevent your users from logging in via Samba on the workstations (as that is actually different from logging in on Linux).

> I set up an open workstation with guest privileges so that family and
> non-workstation employees had a computer to work on, and it quickly
> became known as the "porno shop", a name that sticks with it today even
> though it is someone's workstation now. Every employee has a key to the
> door and comes and goes at all hours of the night and day. One even left a
> total stranger alone in the building thinking she had her own key.
> When it comes to security, this place makes a security nightmare look
> like a Sunday afternoon walk.

I do suggest you set up a proxy server and control web access through the server.

If you really want to make the client "Guest" login only, check the LDAP Auth Guide, with which you can actually control which hosts a user can log in from and which hosts they cannot. Or, an even stronger way: split this workstation into another subnet (mask) and then do routing on the server. Configure Samba so that this workstation is restricted. For more information, look at host allow and host deny in smb.conf.

BTW, I'm not sure what this open workstation is for. Just give me some clear idea of what this "guy" is working on and I might have a better idea.

> If I understand you correctly, in the linux box, if I do as you say, not
> even root will be able to log into the server except through a remote
> computer.

Just change the users' rights, not root's. Using PAM will actually do the same thing, if:
1) all users are under one group (which is restricted (nologin) on the server), and
2) PAM is set up correctly (have a look at the ftp setup in the pam.d dir; it has a good example).

> My terminology leaves much to be desired, I know. I am thinking now it
> would be better understood if I said I want to block all users except
> for administration from logging in locally. I would like to log in
> locally or remotely from another linux box. I will be the only one with
> a linux box to log in through SSH.

I know PAM seems hard for a new user, but trust me, once you get to know it, you will love it. Have a look at /etc/pam.d/ftp to see how ftp users are restricted.

> I am not familiar with the "Virtual terminal" but I understand enough
> about pam to know it's related to some kind of password security. I
> haven't gotten that far in my learning yet.
>
> I say that security is a nightmare; it really can't be worse than what
> some of you have to put up with when MS-supported worms get loose. I
> know there has been a lot of that in the last year. My real problem is
> that it is my responsibility to keep the system running and yet too many
> employees don't take it seriously. I could make a lot more money letting
> the employees do what they want and constantly cleaning up behind them like
> I had to several years ago, but I like to sleep when I go to bed. Two
> weeks ago, the employee on the most critical workstation in the company
> told me she appreciated having a reliable computer.

This is what I do to prevent things from getting worse: get a proxy server working and allow no direct internet access from clients. If the network is somehow labelled for "Public" or "Private" use, split them up with subnet masks, so that public PCs cannot use private users' usernames and passwords, and the same for private use. LDAP user auth might be very good for this host restriction, so that users can only log in through the allowed hosts.

Anyway, there are still a few things to know: PAM support in Samba uses plain text passwords, and LDAP support in samba 2.2.x is not that strong. But don't worry, the only problem you get when using LDAP auth is that users won't be able to change their own password in the Control Panel (I haven't got a clue about an easy way to do that yet). Just set up LDAP auth and get nsswitch.conf ready, then get the host restriction ready; you will not need to change the samba configuration much for that. And it will RUN :).

Thank you,
Chan Min Wai

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/eHtlV0p9slMZLW4RAuEVAJ9r+nKBMVBaVyi38wrelO2Yig9cxwCgjEft
q8vEU6BpJyCCIMeUmkDtr/I=
=wNq6
-----END PGP SIGNATURE-----

-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
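The reply above makes two points that are easy to get wrong in practice: a nologin or /bin/false shell stops a console login but does nothing to Samba, and smb.conf `hosts allow` / `hosts deny` is what actually keeps a workstation (or a whole subnet) away from the shares. The following is an added example written for this page, not code from the list post and not Samba's own source. It models both policies in Python: `samba_allows()` implements the precedence between the two host lists as smb.conf(5) documents it (allow list wins, a client on neither list is admitted when both lists exist), and `console_login_permitted()` is a deliberately simplified stand-in for login(1) through PAM (a pam_listfile-style deny list, as /etc/pam.d/ftp applies with /etc/ftpusers, plus the nologin shell). The passwd entries, the smbpasswd user set and the addresses are constructed for the example; the hypothetical `kiosk` account stands for the open workstation.

```python
"""Model of Samba host restriction and console-login restriction.

Added example, not from the mailing-list post or from Samba. The host-list
precedence follows smb.conf(5); the login model is a simplification of
what PAM and login(1) do, enough to show why nologin blocks the console
but not SMB access. All sample data below is constructed.
"""
import ipaddress

# Shells that end a console session immediately (hypothetical set for the model).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def _parse_host_entry(entry):
    """One smb.conf host entry -> ip_network. Handles ALL, a bare address,
    a trailing-dot prefix such as 192.168.1., and network/mask written as
    10.0.0.0/24 or 10.0.0.0/255.255.255.0."""
    entry = entry.strip()
    if not entry:
        return None
    if entry.upper() == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        prefix_len = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network("%s/%d" % (".".join(octets), prefix_len))
    return ipaddress.ip_network(entry, strict=False)


def parse_host_list(value):
    """smb.conf lists are separated by spaces, commas or tabs."""
    entries = value.replace(",", " ").split()
    return [n for n in map(_parse_host_entry, entries) if n is not None]


def _listed(addr, networks):
    return any(addr in net for net in networks)


def samba_allows(client_ip, hosts_allow="", hosts_deny=""):
    """hosts allow / hosts deny evaluation as documented in smb.conf(5)."""
    addr = ipaddress.ip_address(client_ip)
    allow = parse_host_list(hosts_allow)
    deny = parse_host_list(hosts_deny)
    if not allow and not deny:
        return True                      # nothing configured: open
    if not deny:
        return _listed(addr, allow)      # allow list only: whitelist
    if not allow:
        return not _listed(addr, deny)   # deny list only: blacklist
    if _listed(addr, allow):
        return True                      # allow wins over deny
    if _listed(addr, deny):
        return False
    return True                          # on neither list: admitted


def parse_passwd(text):
    """Map user name -> login shell from passwd(5)-format text."""
    shells = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            shells[fields[0]] = fields[6]
    return shells


def console_login_permitted(user, passwd_text, pam_denied_users=()):
    """Simplified login(1)-through-PAM model: a listed user is refused
    outright; otherwise a nologin shell ends the session."""
    shells = parse_passwd(passwd_text)
    if user not in shells or user in pam_denied_users:
        return False
    return shells[user] not in NOLOGIN_SHELLS


def samba_login_permitted(user, passwd_text, smbpasswd_users,
                          client_ip, hosts_allow="", hosts_deny=""):
    """Samba 2.2 with the smbpasswd backend needs a Unix account (for the
    uid) and an smbpasswd entry, then applies the host lists. The login
    shell is never consulted."""
    if user not in parse_passwd(passwd_text) or user not in smbpasswd_users:
        return False
    return samba_allows(client_ip, hosts_allow, hosts_deny)


# Constructed sample data: 'kiosk' is the hypothetical open-workstation account.
PASSWD = """root:x:0:0:root:/root:/bin/bash
buck:x:500:500:Buck:/home/buck:/bin/bash
kiosk:x:501:501:open workstation:/home/kiosk:/sbin/nologin
"""
SMBPASSWD_USERS = {"buck", "kiosk"}

if __name__ == "__main__":
    # nologin shell: no console session, but SMB from the office LAN still works
    print(console_login_permitted("kiosk", PASSWD))                     # False
    print(samba_login_permitted("kiosk", PASSWD, SMBPASSWD_USERS,
                                "192.168.1.20", "192.168.1.", "ALL"))   # True
    # the open workstation on its own subnet, kept off the allow list
    print(samba_login_permitted("buck", PASSWD, SMBPASSWD_USERS,
                                "192.168.2.5", "192.168.1.", "ALL"))    # False
```

The last call is the subnet-split arrangement from the reply: the office LAN (192.168.1.) is on `hosts allow`, everything else is on `hosts deny = ALL`, so a valid username and password presented from 192.168.2.5 is still refused before authentication is even attempted. Note that with both lists present a client on neither list is admitted, so a `hosts allow` without a matching `hosts deny = ALL` restricts nothing outside the listed networks.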