Date: Fri, 28 Nov 2003 01:43:13 +0100 (CET)
From: "Cordula's Web" <cpghost@cordula.ws>
To: Jonas.Trollvik@telia.com
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd not respecting login.access
Message-ID: <200311280043.hAS0hDMA069865@fw.farid-hajji.net>
In-Reply-To: <004a01c3b53f$365d5800$0600a8c0@slix> (Jonas.Trollvik@telia.com)
References: <004a01c3b53f$365d5800$0600a8c0@slix>

> I've been using login.access for a long while, it hasn't occurred to
> me until now that sshd isn't taking that file into account. No users
> (except me) can log in to my system with telnet and they shouldn't
> with sshd.

login.access is only used by login(1), not by sshd. This is also
the reason why time-limited logins and other nice configurable
features are not possible to enforce with ssh. They are
login(1)-specific.

> Is there a workaround for this? Wouldn't it be considered a serious
> bug that sshd doesn't parse this file?

You could enable UseLogin in /etc/ssh/sshd_config but this
is NOT recommended! See sshd_config(5).

If sshd were fully PAMified, you could try to plug in some
PAM modules to enforce access policy. You'll have to test your
setup thoroughly. I've tried this with a custom time class
PAM module only to discover that sshd doesn't really interact
all that well with such modules. Beware, and test.

> Best Regards
> Jonas Trollvik

-- 
Cordula's Web. http://www.cordula.ws/
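
What login(1) would decide for a given user and origin under login.access rules, as an added example that is not part of the original message: a simplified evaluator (no group, netgroup or tty resolution; function names and the rule set are constructed for illustration). sshd never runs this check, so every user it lists as refused is restricted for login(1) only.

```python
# Simplified evaluator for login.access(5) entries: permission:users:origins
# Assumption: group and netgroup membership are not resolved, only literal names.

# Constructed sample rules: only "admin" may log in, everyone else is refused.
SAMPLE_LOGIN_ACCESS = """\
# constructed sample, not taken from the original message
+:admin:ALL
-:ALL:ALL
"""

def _match_one(token, value, is_origin):
    if token == "ALL":
        return True
    if is_origin:
        if token == "LOCAL":                 # origin without a dot
            return "." not in value
        if token.startswith("."):            # domain suffix, e.g. .example.org
            return value.lower().endswith(token.lower())
        if token.endswith("."):              # network prefix, e.g. 192.0.2.
            return value.startswith(token)
    return token.lower() == value.lower()

def _match_list(tokens, value, is_origin):
    # "a b EXCEPT c" matches when value is in (a b) and not in (c)
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], value, is_origin)
                and not _match_list(tokens[i + 1:], value, is_origin))
    return any(_match_one(t, value, is_origin) for t in tokens)

def login_allows(rules_text, user, origin):
    """Decision login(1) would reach: the first matching entry wins."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            continue                         # malformed entry, skipped here
        perm, users, origins = fields
        if (_match_list(users.split(), user, False)
                and _match_list(origins.split(), origin, True)):
            return perm == "+"
    return True                              # no matching entry: access granted

def not_enforced_for_ssh(rules_text, users, origin):
    """Users login(1) would refuse from origin; sshd does not read these rules."""
    return [u for u in users if not login_allows(rules_text, u, origin)]

if __name__ == "__main__":
    print(not_enforced_for_ssh(SAMPLE_LOGIN_ACCESS, ["admin", "alice", "bob"], "192.0.2.10"))
```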