From owner-freebsd-questions@FreeBSD.ORG Thu Nov 27 16:43:55 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C447E16A4CE for ; Thu, 27 Nov 2003 16:43:55 -0800 (PST)
Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AA4E43FCB for ; Thu, 27 Nov 2003 16:43:54 -0800 (PST) (envelope-from cpghost@cordula.ws)
Received: from fw.farid-hajji.net (localhost [127.0.0.1]) by fw.farid-hajji.net (8.12.10/8.12.10) with ESMTP id hAS0hDMA069865; Fri, 28 Nov 2003 01:43:14 +0100 (CET) (envelope-from cpghost@cordula.ws)
Date: Fri, 28 Nov 2003 01:43:13 +0100 (CET)
Message-Id: <200311280043.hAS0hDMA069865@fw.farid-hajji.net>
From: "Cordula's Web"
To: Jonas.Trollvik@telia.com
In-reply-to: <004a01c3b53f$365d5800$0600a8c0@slix> (Jonas.Trollvik@telia.com)
X-Mailer: Emacs-21.3.1/FreeBSD-4.9-STABLE
References: <004a01c3b53f$365d5800$0600a8c0@slix>
cc: freebsd-questions@freebsd.org
Subject: Re: sshd not respecting login.access
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: cpghost@cordula.ws
List-Id: User questions
X-List-Received-Date: Fri, 28 Nov 2003 00:43:55 -0000

> I've been using login.access for a long while, it hasn't occurred to
> me until now that sshd isn't taking that file into account. No users
> (except me) can log in to my system with telnet and they shouldn't
> with sshd.

login.access is only used by login(1), not by sshd. This is also the
reason why time-limited logins and other nice configurable features
are not possible to enforce with ssh. They are login(1)-specific.

> Is there a workaround for this? Wouldn't it be considered a serious
> bug that sshd doesn't parse this file?

You could enable UseLogin in /etc/ssh/sshd_config but this is NOT
recommended! See sshd_config(5).

If sshd were fully PAMified, you could try to plug in some pam modules
to enforce access policy. You'll have to test your setup thoroughly.
I've tried this with a custom time class PAM module only to discover
that sshd doesn't really interact all that well with such modules.
Beware, and test.

> Best Regards
> Jonas Trollvik

-- 
Cordula's Web. http://www.cordula.ws/
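Added example, not part of this mail or of FreeBSD's own code: a small evaluator of login.access(5) rules, i.e. the policy that login(1) enforces and that sshd skips in the setup described above, so an administrator can see exactly which logins the file would have refused. The rule text and the group table are constructed sample data; the matching follows the documented format (permission:users:origins, first matching line wins, no match permits).

```python
# Added example, not from the mail: evaluator of login.access(5) rules,
# the policy login(1) applies and sshd skips. Rules and group table are
# constructed sample data; format is permission:users:origins, first match wins.

# Constructed sample policy: anyone may log in from a local tty or the
# 192.168.1 network; elsewhere only jonas and wheel members may log in.
SAMPLE_LOGIN_ACCESS = """\
# permission : users : origins
+:ALL:LOCAL 192.168.1.
+:jonas wheel:ALL
-:ALL EXCEPT jonas:ALL
"""
# Constructed group membership table standing in for getgrnam(3).
SAMPLE_GROUPS = {"wheel": {"root", "cordula"}}

def parse_rules(text):
    """Yield (permission, users, origins) for each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        yield perm, users.split(), origins.split()

def list_match(items, value, matcher):
    """Match a users or origins field, honouring 'list_1 EXCEPT list_2'."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return list_match(items[:i], value, matcher) and not list_match(items[i + 1:], value, matcher)
    return any(matcher(item, value) for item in items)

def origin_match(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":               # ttys and unqualified hostnames (no dot)
        return "." not in origin
    if item.startswith("."):          # domain suffix, e.g. .example.org
        return origin.endswith(item)
    if item.endswith("."):            # network prefix, e.g. 192.168.1.
        return origin.startswith(item)
    return item == origin             # exact tty, host or address

def access_allowed(user, origin, text=SAMPLE_LOGIN_ACCESS, groups=SAMPLE_GROUPS):
    """True if the first rule matching (user, origin) is a '+' rule, or if none matches."""
    def user_match(item, u):
        return item == "ALL" or item == u or u in groups.get(item, set())
    for perm, users, origins in parse_rules(text):
        if list_match(users, user, user_match) and list_match(origins, origin, origin_match):
            return perm == "+"
    return True  # no matching rule: login.access(5) grants access
```

With the sample policy, `access_allowed("alice", "203.0.113.5")` is refused while the same user from `ttyv0` is permitted; an sshd that ignores the file would accept both.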