- •Table of Contents
- •Dedication
- •Foreword
- •Introduction
- •What Is FreeBSD?
- •How Did FreeBSD Get Here?
- •The BSD License: BSD Goes Public
- •The Birth of Modern FreeBSD
- •FreeBSD Development
- •Committers
- •Contributors
- •Users
- •Other BSDs
- •NetBSD
- •OpenBSD
- •Other UNIXes
- •Solaris
- •Linux
- •IRIX, HPUX, etc.
- •FreeBSD's Strengths
- •Portability
- •Power
- •Simplified Software Management
- •Optimized Upgrade Process
- •Filesystem
- •Who Should Use FreeBSD
- •FreeBSD as Your Desktop
- •Who Should Run Another BSD
- •Who Should Run a Proprietary Operating System
- •How to Read This Book
- •What Must You Know?
- •How to Think About UNIX
- •Channels of Communication
- •Working with Channels
- •The Command Line
- •Chapter 1: Installation
- •FreeBSD Hardware
- •Processor
- •Memory (RAM)
- •Hard Drives
- •Downloading FreeBSD
- •Installing by FTP
- •Other FTP Install Information
- •Hardware Setup
- •Actually Installing FreeBSD
- •Configuring the Kernel for ISA Cards
- •Sysinstall: The Ugly FreeBSD Installer
- •Disk Usage
- •Partitioning
- •Root
- •Swap Space
- •Swap Splitting
- •/var, /usr, and /home
- •A Second Hard Drive
- •Soft Updates
- •Block Size
- •What to Install
- •Installation Media
- •Committing
- •Root Password
- •Adding Users
- •Time Zone
- •Mouse
- •Configuring Network Cards
- •Xfree86
- •Software
- •Restart
- •A Note on Editors
- •Chapter 2: Getting More Help
- •Why Not Mail First?
- •The FreeBSD Attitude
- •Man Pages
- •The FreeBSD Manual
- •Man Page Headings
- •The FreeBSD Documentation
- •The Mailing List Archives
- •Other Web Sites
- •Checking the Handbook/FAQ
- •Checking the Man Pages
- •Checking the Mailing List Archives
- •Using Your Answer
- •Mailing for Help
- •Chapter 3: Read This Before You Break Something Else! (Backup and Recovery)
- •Overview
- •System Backups
- •Tape Devices
- •How to Read Dmesg.boot
- •Controlling Your Tape Drive
- •Device Nodes
- •Using the TAPE Variable
- •The mt Command
- •Backup Programs
- •Dump/Restore
- •Restoring from an Archive
- •Checking the Contents of an Archive
- •Extracting Data from an Archive
- •Restoring Interactively
- •Recording What Happened
- •Revision Control
- •Getting Older Versions
- •Breaking Locks
- •Viewing Log Messages
- •Reviewing a File's Revision History
- •Ident and ident Strings
- •Going Further
- •The Fixit Disk
- •Chapter 4: Kernel Games
- •Overview
- •What Is the Kernel?
- •Configuring Your Kernel
- •Sysctl
- •Changing Sysctls
- •Setting Sysctls at Boot
- •Kernel Configuration with Loader.conf
- •Manually Configuring the Loader
- •Viewing Loaded Modules
- •Loading and Unloading Modules
- •Customizing the Kernel
- •Preparation
- •Your Backup Kernel
- •Editing Kernel Files
- •Basic Options
- •Multiple Processors
- •Device Entries
- •Building Your Kernel
- •Troubleshooting Kernel Builds
- •Booting an Alternate Kernel
- •Adding to the Kernel
- •LINT
- •Fixing Errors with Options
- •Tweaking Kernel Performance
- •Sharing Kernels
- •Chapter 5: Networking
- •Overview
- •Network Layers
- •The Physical Layer
- •The Physical Protocol Layer
- •The Logical Protocol Layer
- •The Application Layer
- •The Network in Practice
- •Mbufs
- •What Is a Bit?
- •Ethernet
- •Broadcasting
- •Address Resolution
- •Hubs and Switches
- •Netmasks
- •Netmask Tricks
- •Hexadecimal Netmasks
- •Unusable IP Addresses
- •Routing
- •Network Ports
- •Connecting to an Ethernet Network
- •Multiple IP Addresses on One Interface
- •Using Netstat
- •Chapter 6: Upgrading FreeBSD
- •Overview
- •FreeBSD Versions
- •Release
- •Snapshots
- •Security Updates
- •Which Release Should You Use?
- •Upgrade Methods
- •Upgrading via Sysinstall
- •Upgrading via CVSup
- •Simplifying the CVSup Upgrade Process
- •Building a Local CVSup Server
- •Controlling Access
- •Authentication
- •Combining Authentication and Access
- •Chapter 7: Securing Your System
- •Overview
- •Who Is the Enemy?
- •Script Kiddies
- •Disaffected Users
- •Skilled Attackers
- •FreeBSD Security Announcements
- •Subscribing
- •What You'll Get
- •Installation Security Profiles
- •Moderate
- •Extreme
- •Root, Groups, and Permissions
- •The root Password
- •Groups of Users
- •Primary Group
- •Some Interesting Default Groups
- •Group Permissions
- •Changing Permissions
- •Changing File Ownership
- •Assigning Permissions
- •File Flags
- •Viewing a File's Flags
- •Setting Flags
- •Securelevels
- •Setting Securelevels
- •Which Securelevel Do You Need?
- •What Won't Securelevel and File Flags Do?
- •Living with Securelevels
- •Programs That Can Be Hacked
- •Putting It All Together
- •Chapter 8: Advanced Security Features
- •Traffic Control
- •Default Accept vs. Default Deny
- •TCP Wrappers
- •Configuring Wrappers
- •Daemon Name
- •The Client List
- •Putting It All Together
- •Packet Filtering
- •IPFilter
- •IPFW
- •Default Accept and Default Deny in Packet Filtering
- •Basic Concepts of Packet Filtering
- •Implementing IPFilter
- •Configuring Your Server to Use Jail
- •Configuring Your Kernel to Use Jail
- •Client Setup
- •Final Jail Setup
- •Starting the Jail
- •Managing Jails
- •Shutting Down a Jail
- •Monitoring System Security
- •If You're Hacked
- •Chapter 9: Too Much Information About /etc
- •Overview
- •Varieties of /etc Files
- •Default Files
- •/etc/defaults/rc.conf
- •/etc/adduser.conf
- •/etc/crontab
- •/etc/dhclient.conf
- •/etc/fstab
- •/etc/hosts.allow
- •/etc/hosts.equiv
- •/etc/hosts.lpd
- •/etc/inetd.conf
- •/etc/locate.rc
- •/etc/login.access
- •/etc/login.conf
- •Specifying Default Environment Settings
- •/etc/mail/mailer.conf
- •/etc/make.conf and /etc/defaults/make.conf
- •/etc/master.passwd
- •/etc/motd
- •/etc/mtree/*
- •/etc/namedb/*
- •/etc/newsyslog.conf
- •/etc/passwd
- •/etc/periodic.conf and /etc/defaults/periodic.conf
- •/etc/printcap
- •Working with Printcap Entries
- •/etc/profile
- •/etc/protocols
- •/etc/rc.conf and /etc/defaults/rc.conf
- •/etc/resolv.conf
- •/etc/security
- •/etc/services
- •/etc/shells
- •/etc/spwd.db
- •/etc/sysctl.conf
- •/etc/syslog.conf
- •Chapter 10: Making Your System Useful
- •Overview
- •Making Software
- •The Pain and Pleasure of Source Code
- •Debugging
- •The Ports and Packages System
- •Ports
- •Finding Software
- •Legal Restrictions
- •Using Packages
- •Installing via FTP
- •What Does a Package Install?
- •Uninstalling Packages
- •Package Information
- •Controlling Pkg_add
- •Package Problems
- •Forcing an Install
- •Using Ports
- •Installing a Port
- •Using Make Install
- •Uninstalling and Reinstalling
- •Cleaning Up with Make Clean
- •Building Packages
- •Changing the Install Path
- •Setting Make Options Permanently
- •Upgrading Ports and Packages
- •Upgrading the Ports Collection
- •Ports Collection Upgrade Issues
- •Checking Software Versions
- •Hints for Upgrading
- •Chapter 11: Advanced Software Management
- •Overview
- •Startup and Shutdown Scripts
- •Typical Startup Script
- •Using Scripts to Manage Running Programs
- •Managing Shared Libraries
- •Ldconfig
- •Running Software from the Wrong OS
- •Recompilation
- •Emulation
- •ABI Implementation
- •Foreign Software Libraries
- •Installing and Enabling Linux Mode
- •Identifying Programs
- •What Is Linux_base?
- •Adding to Linux_base
- •Configuring Linux Shared Libraries
- •Installing Extra Linux Packages as RPMs
- •What Is SMP?
- •Kernel Assumptions
- •FreeBSD 3.0 SMP
- •FreeBSD 5 SMP
- •Using SMP
- •SMP and Upgrades
- •Chapter 12: Finding Hosts With DNS
- •How DNS Works
- •Basic DNS Tools
- •The Host Command
- •Getting Detailed Information with Dig
- •Looking Up Hostnames with Dig
- •More Dig Options
- •Configuring a DNS Client: The Resolver
- •Domain or Search Keywords
- •The Nameserver List
- •DNS Information Sources
- •The Hosts File
- •The Named Daemon
- •Zone Files
- •A Real Sample Zone
- •named.conf
- •/var/named/master/absolutebsd.com
- •Making Changes Work
- •Starting Named at Boottime
- •Checking DNS
- •Named Configuration Errors
- •Named Security
- •Controlling Information Order
- •More About BIND
- •Chapter 13: Managing Small Network Services
- •Bandwidth Control
- •Configuring IPFW
- •Reviewing IPFW Rules
- •Dummynet Queues
- •Directional Traffic Shaping
- •Certificates
- •Create a Request
- •Being Your Own CA
- •Testing SSH
- •Enabling SSH
- •Basics of SSH
- •Creating Keys
- •Confirming SSH Identity
- •SSH Clients
- •Connecting via SSH
- •Configuring SSH
- •System Time
- •Setting the Time Zone
- •Network Time Protocol
- •Ntpdate
- •Ntpd
- •Inetd
- •/etc/inetd.conf
- •Configuring Programs in Inetd
- •Inetd Security
- •Starting Inetd
- •Changing Inetd's Behavior
- •Chapter 14: Email Services
- •Email Overview
- •Where FreeBSD Fits In
- •The Email Protocol
- •Email Programs
- •Who Needs Sendmail?
- •Replacing Sendmail
- •Installing Postfix
- •Pieces of Postfix
- •Configuring Postfix
- •Email Aliases
- •Email Logging
- •Virtual Domains
- •Postfix Commands
- •Finding the Correct Mail Host
- •Undeliverable Mail
- •Installing POP3
- •Testing POP3
- •POP3 Logging
- •POP3 Modes
- •Qpopper Preconfiguration Questions
- •Default Qpopper Configuration
- •APOP Setup
- •Configuring Pop3ssl
- •Qpopper Security
- •Chapter 15: Web and FTP Services
- •Overview
- •How a Web Server Works
- •The Apache Web Server
- •Apache Configuration Files
- •Configuring Apache
- •Controlling Apache
- •Virtual Hosting
- •Tweaking Virtual Hosts
- •.NET on FreeBSD
- •Installing the SSCLI
- •FTP Security
- •The FTP Client
- •The FTP Server
- •Chapter 16: Filsystems and Disks
- •Device Nodes
- •Hard Disks and Partitions
- •The /etc/fstab File
- •Disk Basics
- •The Fast File System
- •Vnodes
- •FFS Mount Types
- •FFS Mount Options
- •What's Mounted Now?
- •Dirty Disks
- •Fsck
- •Mounting and Unmounting Disks
- •Mounting Standard Filesystems
- •Mounting with Options
- •Mounting All Standard Filesystems
- •Mounting at Nonstandard Locations
- •Unmounting
- •Soft Updates
- •Enabling Soft Updates
- •IDE Write Caching and Soft Updates
- •Virtual Memory Directory Caching
- •Mounting Foreign Filesystems
- •Using Foreign Mounts
- •Foreign Filesystem Types
- •Mount Options and Foreign Filesystems
- •Filesystem Permissions
- •Removable Media and /etc/fstab
- •Creating a Floppy
- •Creating an FFS Filesystem
- •The Basics of SCSI
- •SCSI Types
- •SCSI Adapters
- •SCSI Buses
- •Termination and Cabling
- •SCSI IDs and LUNs
- •FreeBSD and SCSI
- •Wiring Down Devices
- •Adding New Hard Disks
- •Creating Slices
- •Creating Partitions
- •Configuring /etc/fstab
- •Installing Existing Files onto New Disks
- •Temporary Mounts
- •Moving Files
- •Stackable Mounts
- •Chapter 17: RAID
- •Hardware vs. Software RAID
- •RAID Levels
- •Software RAID
- •Vinum Disk Components
- •Vinum Plex Types
- •Preparing Vinum Drives
- •Dedicating Partitions to Vinum
- •Configuring Vinum
- •Concatenated Plex
- •Removing Vinum Configuration
- •Striped Volumes
- •Mirrored Volumes
- •Starting Vinum at Boot
- •Other Vinum Commands
- •Replacing a Failed Mirrored Plex
- •Chapter 18: System Performance
- •Overview
- •Computer Resources
- •Disk Input/Output
- •Network Bandwidth
- •CPU and Memory
- •Using Top
- •Memory Usage
- •Swap Space Usage
- •CPU Usage
- •When Swap Goes Bad
- •Paging
- •Swapping
- •Are You Swapping or Paging?
- •Fairness in Benchmarking
- •The Initial Test
- •Using Both CPUs
- •Directory Caching
- •Moving /usr/obj
- •Lessons Learned
- •Chapter 19: Now What's It Doing?
- •Status Mails
- •Forwarding Reports
- •Logging with Syslogd
- •Facilities
- •Levels
- •Syslog.conf
- •Wildcards
- •Rotating Logs with Newsyslog.conf
- •Reporting with SNMP
- •Basics of SNMP
- •MIBs
- •Snmpwalk
- •Specific Snmpwalk Queries
- •Translating Between Numbers and Names
- •Setting Up Snmpd
- •Index Numbers
- •Configuring MRTG
- •Sample mrtg.cfg Entry
- •Testing MRTG
- •Tracking Other System Values
- •Monitoring a Single MIB
- •Customizing MRTG
- •MRTG Index Page
- •Sample MRTG Configurations
- •Chapter 20: System Crashes and Panics
- •What Causes Panics?
- •What Does a Panic Look Like?
- •Responding to a Panic
- •Prerequisites
- •Crash Dump Process
- •The Debugging Kernel
- •kernel.debug
- •Dumpon
- •Savecore
- •Upon a Crash
- •Dumps and Bad Kernels
- •Using the Dump
- •Advanced Kernel Debugging
- •Examining Lines
- •Examining Variables
- •Apparent Gdb Weirdness
- •Results
- •Vmcore and Security
- •Symbols vs. No Symbols
- •Serial Consoles
- •Hardware Serial Console
- •Software Serial Console
- •Changing the Configuration
- •Using a Serial Console
- •Serial Login
- •Emergency Logon Setup
- •Disconnecting the Serial Console
- •Submitting a Problem Report
- •Problem Report System
- •What's in a PR?
- •Filling Out the Form
- •PR Results
- •Chapter 21: Desktop FreeBSD
- •Overview
- •Accessing File Shares
- •Prerequisites
- •Character Sets
- •Kernel Support for CIFS
- •SMB Tools
- •Configuring CIFS
- •Minimum Configuration: Name Resolution
- •Other smbutil Functions
- •Mounting a Share
- •Other mount_smbfs Options
- •Sample nsmb.conf Entries
- •CIFS File Ownership
- •Serving Windows File Shares
- •Accessing Print Servers
- •Running a Local Lpd
- •Printer Testing
- •Local Printers
- •X: A Graphic Interface
- •X Prerequisites
- •X Versions
- •Configuring X
- •Making X Look Decent
- •Desktop Applications
- •Web Browsers
- •Email Readers
- •Office Suites
- •Music
- •Graphics
- •Desk Utilities
- •Games
- •Afterword
- •Overview
- •The Community
- •What Can You Do?
- •Getting Things Done
- •Second Opinions
- •Appendix: Some Useful SYSCTL MIBs
- •List of Figures
- •Chapter 1: Installation
- •Chapter 5: Networking
- •Chapter 6: Upgrading FreeBSD
- •Chapter 19: Now What's It Doing?
- •List of Tables
- •Chapter 4: Kernel Games
- •Chapter 5: Networking
- •Chapter 8: Advanced Security Features
- •Chapter 9: Too Much Information About /etc
- •List of Sidebars
- •Chapter 15: Web and FTP Services
LD_LIBRARY_PATH environment variable, you can set it like so:
...............................................................................................
55 * * * * * dbadmin LD_LIBRARY_PATH=/usr/local/dblib ;/usr/local/bin/db−backup.sh
...............................................................................................
/etc/csh.*
The /etc/csh.* files contain systemwide defaults for csh and tcsh. When a user logs in with either of these shells, the shell executes any commands it finds in /etc/csh.login. Similarly, when the user logs out, /etc/csh.logout is executed. You can place general shell configuration information in /etc/csh.cshrc.
/etc/dhclient.conf
Many operating systems give you very basic DHCP client configuration with no opportunity to fine−tune or customize it; you either use it or you don't. Any operating system that uses the Internet Software Consortium's DHCP client, including all of the BSDs, lets you fine−tune your DHCP client setup.
In most cases, an empty DHCP client file (/etc/dhclient.conf) will give you full DHCP functionality, but won't work correctly in all situations. Perhaps you're connecting to a DHCP server across the country, your local LAN is having problems, or you have multiple DHCP servers. You may be able to solve these problems by tweaking your DHCP configuration. A DHCP lease contains your network configuration information, such as the IP address you get, the default route, and the nameservers available for your use. Without a valid, correct lease, you won't have Internet connectivity.
Entries in dhclient.conf resemble C code and generally include a variable declaration, followed by a value. Each line ends in a semicolon.
Prolonging Lease Requests
When dhclient starts, it requests the last IP address it used (leased) and, by default, spends ten seconds trying to get that address. The reboot time is the length of time the client will spend trying to get the old address re−issued. To change this waiting time, use the reboot statement. For example, I've been on large corporate networks where the DHCP server was in another state; by adjusting the reboot time upwards, I could easily get my previous network address. Just specify the reboot time in dhclient.conf, with a trailing semicolon in standard C code style.
...............................................................................................
reboot 20;
...............................................................................................
If the client cannot get its previous IP address in the reboot time, it will request a new one instead.
191
Rejecting Bad DHCP Servers
One of dhclient's more interesting features is its ability to reject bad DHCP servers. For example, some networks allow just about anyone to hook just about anything to them, like the ones found on exhibition floors or at some development companies. In such situations it's quite possible for there to be a rogue DHCP server on the floor, and if your system receives a DHCP lease that just doesn't work, it might be from a rogue server.
To identify a bad DHCP server, examine the leases you have received in /var/db/dhclient.leases. This file lists all the leases you have ever received, including the bad one. Identifying a bad DHCP server is a matter of trial and error. Get the IP address of each DHCP server, and reject them one at a time until you get a working configuration. For example, if the bad server's address was 192.168.1.84, enter
...............................................................................................
reject 192.168.1.84
...............................................................................................
Note If you find a rogue DHCP server on one of your networks, it's much better to find and disable the rogue server than to patch around it with a reject statement. On a foreign network, however, you don't generally have the privilege to do that.
Announcing Host Information
If you are on someone else's network and feel like being kind to the local network administrator, add a send statement to your dhclient.conf. The DHCP server will record the information you put in your send statement in its lease database. The local network administrator can use this information to find you if your system starts misbehaving and damaging the network. (You might not think this is a good thing, but making yourself easy to find is much better than making the administrator hunt you down.)
...............................................................................................
send host−name "mwlucas−laptop.bigcompany.com";
...............................................................................................
Of the many other options in dhclient.conf, like the ability to refuse leases that don't include information you want, most are relatively useless under normal (and most abnormal) circumstances. For truly detailed information on dhclient's more exotic options read dhclient.conf(5).
/etc/fstab
The /etc/fstab file describes the filesystems on the system. For details on the File System Table, see Chapter 16.
/etc/ftp.*
The /etc/ftp.* files control how the system's FTP server behaves. For details on /etc/ftpusers, /etc/ftpchroot, /etc/ftpwelcome, /etc/ftpmotd, and general FTP operations, see Chapter 15's nice little write−up on FTP.
192
/etc/hosts.allow
The /etc/hosts.allow file controls who can access daemons compiled with TCP Wrappers support. It's covered in painful detail in Chapter 8.
/etc/hosts.equiv
The /etc/hosts.equiv file allows trusted remote systems to log in or run commands on the local system without providing a password or even logging in. Hosts listed in this file are assumed to have performed user authentication on a trusted system, and hence the local system doesn't have to bother re−authenticating the user.
This file is handy and useful on friendly networks, but, unfortunately, there is no such thing as a friendly network nowadays. In fact, any one disgruntled employee can destroy a corporate network with this service. A machine running /etc/hosts.equiv on the naked Internet is pretty much dog meat for the first script kiddie who wanders by. In fact, /etc/hosts.equiv and its related services have even bitten top−notch security experts.
Still, should you decide to use this risky feature, you must have rsh or rlogin, or both, enabled in /etc/inetd.conf (see Chapter 13). The format is simple: a hostname, followed by an optional username.
For example, assume you have two UNIX boxes, "daffy" and "bugs". If bugs's /etc/hosts.equiv includes "daffy", a user on daffy can get a shell on bugs without typing a password.
...............................................................................................
daffy; rlogin bugs
Last login: Tue Apr 3 19:12:08 from 192.168.1.200
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.0−CURRENT (PETULANCE) #0: Mon Aug 21 12:27:59 EDT 2000 You have mail.
bugs;logout
rlogin: connection closed. daffy;
...............................................................................................
See? No password. This works well, unless some intruder has broken into daffy. Remember, if you use this tool, a compromise on one machine means that every machine on your network is compromised. Rlogin and related tools are really unsuitable for any modern networked environment.
With comparatively recent modifications to rlogin and rsh, you can require a password to access another system. If you're going to do that, however, you might as well implement things properly and start using ssh (see Chapter 13).
/etc/hosts.lpd
The /etc/hosts.lpd file is one of the simplest files in /etc. Hosts listed here, each on their own line, may print to the printer(s) controlled by this machine. While you can use hostnames, DNS problems can choke printing, so use IP addresses instead.
193
Unlike many other UNIX configuration files, this one does not accept network numbers or netmasks; you must list individual hostnames or IP addresses.
/etc/inetd.conf
The inetd daemon handles incoming network connections for smaller daemons that don''t run frequently. For details, see the section on inetd in Chapter 13.
/etc/locate.rc
The locate(1) program finds all files of a given name. For example, to find locate.rc, enter the following:
...............................................................................................
# locate locate.rc
/etc/locate.rc
/usr/share/examples/etc/locate.rc
/usr/src/usr.bin/locate/locate/locate.rc
#
...............................................................................................
You'll see that locate.rc can be found in three places. One is in the main /etc directory, the second is in the system examples directory, and the third is in the system source code.
Once a week your FreeBSD system scans its disks, builds a list of everything it finds, and stores that list in a database. The list−building program uses the values shown in /etc/locate.rc as defaults (/etc/locate.rc does not affect how locate(1) itself runs). To change some of those parameters, and thereby change how your locate database is built and what it contains, consider setting the following in /etc/locate.rc:
∙The file−finding program stores its temporary files in TMPDIR. If you're low on space in your system temporary directory, you can change this path.
∙The location of the weekly database can be changed via the FCODES variable. This can have repercussions on other parts of the locate system, however, so be prepared for odd results.
∙The SEARCHPATHS value lists every directory you want searched. This defaults to /, the whole disk; to index only a portion of your disk, set a specific value here.
∙The PRUNEPATHS value lists directories you don't want to index. This defaults to excluding temporary directories that traditionally contain only short−lived files.
∙The FILESYSTEMS variable controls the sort of filesystem you want to index. The default is UFS, the standard FreeBSD filesystem, but you can list other filesystem types, such as MD (memory disks) or NFS (network filesystem). If you have foreign filesystems mounted, such as an EXT2FS partition, you might want to include them as well. (By the way, indexing network filesystems is a bad idea; if all of your servers start indexing the fileserver, you will bog down the network badly.)
/etc/login.access
Some servers have hundreds of users, each with different needs. So how do you assign different privileges to each?
194
FreeBSD includes a few different ways to control user access. The /etc/login.access file controls a user's ability to log in. Every time you try to open a connection to a FreeBSD system, the permissions in login.access are checked first. If login.access contains rules that forbid logins from that user, the login attempt fails immediately. This file defaults to empty, meaning there are no restrictions on anyone with a username and password.
The /etc/login.access file has three colon−delimited fields. The first either grants (+) or denies ( ) the right to log in; the second is a list of users or groups; and the third is a list of connection sources.
The /etc/login.access file permits an "all" and "all except" syntax, much like /etc/hosts.allow uses for TCP Wrappers (see Chapter 8), allowing the administrator to make basic but expressive rules. The login program checks rules on a first−fit basis, rather than a best fit. When the system finds a rule where both the group and the connection source match, it immediately accepts or rejects the connection. As such, rule order is very important.
For example, to only allow members of the wheel group and the user root to log in to the system console, you might try to use:
...............................................................................................
+:wheel root:console
...............................................................................................
The problem with this rule, though, is that it doesn't actually deny users login privileges. Since the default is to accept logins, and all this entry does is explicitly grant login rights to two sets of users, this won't stop people from logging in.[1] Other rules will continue to be processed. If my username is javerage, and I try to log in to the console, this rule doesn't deny me access.
So rather than use a statement like the preceding one, try one like this, the inverse:
...............................................................................................
−:ALL EXCEPT wheel root:console
...............................................................................................
This will reject connections more quickly, and run less risk of administrator error. As a rule, it's best to build your lists by rejecting logins, rather than permitting them.
When applying this rule, we see that Joe Average matches this rule and is immediately rejected. Since rules are applied based on first fit, there's no chance that a later rule will match, so we avoid unintended access.
Connection Source
The last field in the /etc/login.access file, the connection source, has the greatest variety of values. You can use several different types of information here: hostnames, host addresses, network numbers, domain names, LOCAL, and ALL.
195
Hostnames
Hostnames rely upon DNS or the hosts file. If you suspect your nameserver might suffer a hack at some time, you probably don't want to use this system; intruders can give a hostname any IP address that they like, and fool your system into accepting the connection. Still, you could do this:
...............................................................................................
−:ALL EXCEPT wheel:fileserver.mycompany.com
...............................................................................................
Users in your wheel group could log in from the fileserver, but nobody else could.
...............................................................................................
ALL
...............................................................................................
ALL means always match. This is particularly useful in combination with EXCEPT, as we'll see next.
Host Addresses and Networks
Host addresses look like hostnames, but they're immune to spoofed DNS.
...............................................................................................
−:ALL EXCEPT wheel:169.254.8.3
...............................................................................................
A network number is anything that ends in a period, like this:
...............................................................................................
−:ALL EXCEPT wheel:169.254.8.
...............................................................................................
This would allow anyone in the wheel group to log in from a machine whose IP address began with 169.254.8, and deny everyone else.
For example, if you didn't want anyone to access your firewall unless they logged in from a management workstation, you could do something like this:
...............................................................................................
−:ALL EXCEPT wheel:ALL EXCEPT 192.168.89.128 192.168.170.33
...............................................................................................
LOCAL
The most complicated location is LOCAL, which matches any hostname without a dot in it (generally only hosts in the local domain). For example, http://www.absolutebsd.com/ thinks that any host in "AbsoluteBSD.com" matches LOCAL.
This works via reverse DNS (see Chapter 12), which is the process where you look up a host's
196