Refuse Login (mini) HOWTO

Refuse Login (mini) HOWTO


        If there are any questions or comments, please direct them to The newest copy of this HowTo can always be retrieved
from All rights for the reproduction of this
document are reserved.


	This mini HowTo will discuss several methods for refusing remote
login to user accounts.

        1.      Introduction
        2.      Two General Uses

	        2.1.    Denying Both Remote and Local Logins
	        2.2.    Denying Only Remote Logins

		        2.2.1.  Method One: login.access
		        2.2.2.  Method Two: Login Classes

	3.	Appendix

	1.	Introduction

	Refusing remote logins can have a number of uses. If, for
instance, a user's account has expired and one wants to deny login access
until the account has been renewed, deny remote logins will be necessary.
If one wants to have protected accounts which no one should be able to
remotely access, this too will be a necessary issue; or, if one wants to
create a new daemon entry, denying remote logins will be imperative.

	2.	Two General Uses

	There are two general approaches for denying remote logins. One is
to only deny remote logins, but to allow local logins via login(1) or
su(1), such as in the instance of special protected users. The other is to
deny both remote and local logins, such as in the instance of daemon
entries in /etc/passwd.

	2.1.	Denying Both Remote and Local Logins

	This is relatively simple to accomplish. If one, for instance,
adds a new daemon entry in /etc/passwd and wishes one not be able to log
into it via any means, two things must be done. The account entry can be
added via vipw(8) or passwd(1).

	If adding with passwd(1), specify that the account will have no
password, and use /sbin/nologin as the login shell for the account.
nologin(8) is a convenient utility for politely refusing logins.

	If adding with vipw(8), specify '*' in the password field for the
account, and /sbin/nologin in the last field, which is for the login shell
the account will use. '*' in the password field will notify the system
that the account has no password and is not a regular login account.

	All login failures to accounts with nologin(8) are logged in

	2.2.	Denying Only Remote Logins

	2.2.1.	Method One: login.access

	Denying only remote logins can be accomplished in more than one
fashion. The most convenient is to use the login.access(5) facility in
FreeBSD. It is a simple, but robust, method for controlling login access
to user accounts. To refuse remote login access to any account, use the
following syntax for adding lines into /etc/login.access:

	-:<user>:ALL EXCEPT console

	Replace <user> with the user which should be denied remote login
access. With this login, when any login attempt to that account is made
from anywhere but the console, it will be denied with a "Permission
denied." message and a message with the following syntax will be logged to

	<host> login: LOGIN <user> REFUSED (ACCESS) FROM <remote host> ON
TTY <ttyp>  

	For information on more complex login.access(5) usage, please
check out Login.Access-HOWTO at

	2.2.2.	Method Two: Login Classes

	A very powerful user access method is to use login classes. The
advantage of login classes is that it offers far more control over user
resources and authentication methods. A Special login class can be created
that will be used especially for accounts that can not have any remote
logins. Then, among other entries, the following can be added:\

	In the above example, only logins from would be
allowed for users in that login class. Make sure that the host specifed is
the local host of the machine the users are on, and login attempts from
anywhere except there will be denied.

	To learn more about creating and managing login classes, read the
Login-Class-HOWTO at
	3.	Appendix
	Login.Access-HOWTO @
	Login-Class-HOWTO @

Leave a Reply

Your email address will not be published. Required fields are marked *