preventing an ssh login for certain users


jfruh
10-06-2003, 01:13 PM
Hello-

This isn't quite a UNIX question, but this seemed like the best place for it, so....

I'm trying to create a user on my machine that guests to my home can use to check their e-mail and surf the Web. I would like to set this user up with a fairly obvious password (like "guest") so that people don't need my help every time they want to log in.

I'm confident in the physical security of my machine (i.e., no one's going to get into my office without my knowledge -- and if they do, I have bigger problems than the fact that they'll be able to access a user account on my computer). However, I don't want to leave myself open to outside attacks. I have ssh access set up under my user account. I know that when you set up a new user, you can turn off "remote access" and the like under the Sharing panel. Will this ensure that the ONLY way to log in as this user will be at the computer's physical keyboard?

Thanks in advance,
jf

yellow
10-06-2003, 01:21 PM
Turning on/off Personal Sharing & Remote Access can only be done by an admin user. It's an all or nothing thing, so in order to keep outsiders from getting into that machine via ssh you'd have to 1) turn off ssh or 2) have a very good password.

jfruh
10-06-2003, 01:30 PM
yes, i just tried this out and noticed this fact! i've discovered another way to work around this: identify the password in the "long name" of the user that appears on the login screen. thus it can be a "strong" password but still obvious to anyone actually sitting at the computer, though not a remote attacker. how does that sound?

jf

yellow
10-06-2003, 01:31 PM
I wouldn't do that.. You'd be surprised the strange places that your long name shows up.. it could be given away by your web browser or a chat client, etc. You could just put the password in the password hint field, or (the 'safest' solution) just put a sticky note on your monitor with the password and change it often.

hayne
10-06-2003, 01:34 PM
I don't know what the facilities in the Accounts Preferences pane do, but a reading of 'man sshd_config' shows that you can specify who gets ssh access via the AllowUsers and AllowGroups directives in /etc/sshd_config.

mervTormel
10-06-2003, 01:45 PM
another way to block ssh in this guest user situation is to assign /sbin/nologin as the account's login shell in netinfo manager.

no?

[edit: added "login shell"]

jfruh
10-06-2003, 02:48 PM
thanks everyone for your help! the solution that i used is as follows:

1. open /etc/sshd_config in your favorite text editor.

2. add the following line:

AllowUsers username1 username2

replacing username1 and 2 with the short usernames of those users who *will* be able to log in via ssh. you can add as many as you want, separated by spaces.

3. restart the ssh daemon (or, as i did, the computer)

voila! if anyone attempts to log in via ssh with a username that is not in the list after "AllowUsers", it will be as if they are trying to log in to an account that does not exist.
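The two controls discussed in this thread, the AllowUsers directive jfruh settled on and the /sbin/nologin login shell mervTormel suggested, can be checked offline against a copy of the configuration before restarting sshd. The script below is an added example, not code from any poster; it runs against constructed sample text embedded in the script (the sshd_config and passwd-style lines, the usernames jfruh, alice and guest, and the helper names are all assumptions made for illustration). It models only plain usernames with the AllowUsers and DenyUsers directives, in the order sshd evaluates them (DenyUsers first, then AllowUsers, where any user missing from an existing AllowUsers line is rejected); real sshd also applies AllowGroups/DenyGroups and wildcard and user@host patterns, which are not modelled here.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate, offline, whether a user would
# be permitted over ssh under a given sshd_config, and whether the account's
# login shell blocks interactive login at all.
# Assumptions: plain usernames only (no wildcards, no user@host patterns) and
# only AllowUsers/DenyUsers are modelled; real sshd also consults
# AllowGroups/DenyGroups and does pattern matching.

# Constructed sample sshd_config, modelled on the thread's solution.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real file
Port 22
#AllowUsers commented-out line must be ignored
AllowUsers jfruh alice
DenyUsers alice
'

# Constructed passwd-style entries; the guest account gets /sbin/nologin,
# as mervTormel suggested.
SAMPLE_PASSWD='jfruh:*:501:501:JF:/Users/jfruh:/bin/bash
guest:*:502:502:Guest Account:/Users/guest:/sbin/nologin
'

# list_directive CONFIG_TEXT DIRECTIVE -> prints the values of every
# uncommented occurrence of DIRECTIVE (keywords are case-insensitive in sshd).
list_directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }               # skip comment lines
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }
    '
}

# word_in_list WORD LIST -> returns 0 if WORD is one of the words in LIST
word_in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# ssh_user_allowed CONFIG_TEXT USER -> prints "allowed" or "denied".
# DenyUsers is checked first, then AllowUsers; when an AllowUsers line exists,
# a user not listed on it is denied (the behaviour jfruh describes).
ssh_user_allowed() {
    deny=$(list_directive "$1" DenyUsers)
    allow=$(list_directive "$1" AllowUsers)
    if word_in_list "$2" "$deny"; then
        echo denied; return
    fi
    if [ -n "$allow" ] && ! word_in_list "$2" "$allow"; then
        echo denied; return
    fi
    echo allowed
}

# login_shell PASSWD_TEXT USER -> prints the account's login shell (7th field)
login_shell() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $7 }'
}

# shell_blocks_login PASSWD_TEXT USER -> "blocked" for a nologin/false shell,
# otherwise "interactive"
shell_blocks_login() {
    case "$(login_shell "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) echo blocked ;;
        *) echo interactive ;;
    esac
}

# Stand-alone run: report both checks for each sample user.
for u in jfruh alice guest; do
    printf '%-6s sshd: %-8s shell: %s\n' "$u" \
        "$(ssh_user_allowed "$SAMPLE_SSHD_CONFIG" "$u")" \
        "$(shell_blocks_login "$SAMPLE_PASSWD" "$u")"
done
```

The two checks are independent by design: AllowUsers stops sshd from accepting the guest account at all, while a nologin shell stops any interactive session (local or remote) for that account, so the guest user in this sample is rejected by both.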

yellow
10-06-2003, 02:56 PM
Very cool.. good to know.