disable console access

[milo974]

Hello,

I ve put a firewall using OpenBSD 4.6
I use SSH Connection with public key to administrate it.
I want now to disable console access(login on machine). How can i achieve this goal ?
(i want only ssh access)

Thank's

[BSDfan666]

Preventing users from logging on the console won't help with physical security, a user with access to the system can always boot single user or via a RAMDISK kernel.. perhaps steal the entire system (..or drives).

There is no supported way of doing what you ask, beyond simply unplugging the keyboard or monitor.. or setting up a serial console.

[J65nko]

How about being generous with Superglue on the PS/2 and USB connectors on the firewall? That way nobody can use a keyboard

To be serious, if you cannot prevent physical access by unauthorized persons, there is no true security. Even if you would disable console access, they still can press the RESET button, pull out the power cord, or change the disk or CF card.

If they take your disk out, put it in another machine, reboot it single user mode, they can change the root password, remove or change your SSH keys. If after that, they put back the disk, you have a slight problem

[There0]

Quote:

(i want only ssh access)

This wish is only going to cause you problems, speculate for a moment a misconfigured or other big OOPS that kills your SSH connectivity.

Do you believe that somebody with some knowledge is not going to be able to "break" into your machine via single user mode? or booting up from other media? If you have the option of physically locking up the room, this is perhaps what you may be really wanting and should focus on achieving.

I have "broken" into many a Linux box (VERY EASILY) because the "expert" that set it up had no clue about security or otherwise. I marvel at how many HTTP "servers" are running Bluetooth daemons and GUI's (and worse), just because it's enabled by default and they really have no clue.

Quote:

How about being generous with Superglue on the PS/2 and USB connectors on the firewall?

I got a BAD visual on that one i love my equipment but do agree with punishing unauthorized persons to the maximum, especially when the glue gets them and you can physically get an opportunity to deal with them

[J65nko]

@There0, Superglue dries within minutes. It was meant to to make it impossible to connect a keyboard.

About 30 years ago a Marxist/Maoist group called "Rode Jeugd" (Red Youth) put Superglue in the slots of all parking meters of a big car park in front of the train station in Eindhoven, here in the Netherlands. For years everybody could park for free there

[jggimi]

You can -logically- disable login from the console. See ttys(5) and the /etc/ttys file.

As stated, this will not prevent access to the boot> prompt, or to obtaining single user mode, only login and shell access to a running system.

In the event of an sshd(8) problem, single user mode would be required.

[There0]

Quote:

@There0, Superglue dries within minutes. It was meant to to make it impossible to connect a keyboard.

I am aware of how Superglue works (and have glued many items in my youth), FTR there is a product produced by GPAtom from Germany that makes SuperGlue look like water, and bonds in seconds. Just the thought of me doing that to things that i like (i spend mucho denaro on my equipment) i would rather break some fingers and set and example

Perhaps a (long) video with sound (triggered by walking into the room) of a persons getting mangled whilst trying to access your keyboard/mouse/console would deter would be evil-doers? And perhaps one of those Gimp fellows from Pulp Fiction as a second layer of defense? The Gimp can work the SuperGlue.

I would stay away

[TerryP]

Quote:

Originally Posted by J65nko

How about being generous with Superglue on the PS/2 and USB connectors on the firewall? That way nobody can use a keyboard

To be serious, if you cannot prevent physical access by unauthorized persons, there is no true security. Even if you would disable console access, they still can press the RESET button, pull out the power cord, or change the disk or CF card.

If they take your disk out, put it in another machine, reboot it single user mode, they can change the root password, remove or change your SSH keys. If after that, they put back the disk, you have a slight problem

Quoted because it is the best post in the thread!!!

[J65nko]

Quote:

Originally Posted by jggimi

You can -logically- disable login from the console. See ttys(5) and the /etc/ttys file

If you leave then 'on' and remove the 'secure' option, even root will be asked for a password.

Code:

# name  getty                           type    status          comments
#
console "/usr/libexec/getty Pc"         vt220   off secure
ttyC0   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC1   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC2   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC3   "/usr/libexec/getty Pc"         vt220   on  secure

[Carpetsmoker]

Actually, one of customers (Philips) once used j65nko's suggestion, using PUR someone glued all the cabled to the machine, both internal and external.
It was, by the way, not even a security critical machine, I think they did it to prevent vandalism since the machine was in a (semi)public place ...

In any case, I could have cut the cables and solder new connections to them, so if I would really want to I could have taken out the drive and accessed the data anyway.
I guess you can also glue or weld the case shut so it wouldn't be so easy to open, but then I would still have a circle saw

It does take more time to access the machine, and also more resources and skills, but at this point you have to wonder just how secure is "secure enough".

Personally, I think putting the machine in a room and locking the door would be more secure and a hell of a lot easier than the above "suggestions"