From owner-freebsd-questions@FreeBSD.ORG Sat Nov 29 11:40:42 2003
From: "Jonas Trollvik" <Jonas.Trollvik@telia.com>
To: freebsd-questions@freebsd.org
Date: Sat, 29 Nov 2003 20:40:39 +0100
Subject: Re: sshd not respecting login.access
Message-ID: <012501c3b6b0$ab79ee60$0600a8c0@slix>
References: <004a01c3b53f$365d5800$0600a8c0@slix> <200311280043.hAS0hDMA069865@fw.farid-hajji.net>

Thanks, I'll go for the UseLogin option since I'm only going to use it for text terminals.
Would there be any security risks using this option?

Best Regards
Jonas Trollvik

----- Original Message -----
From: "Cordula's Web"
To:
Cc:
Sent: Friday, November 28, 2003 1:43 AM
Subject: Re: sshd not respecting login.access

> > I've been using login.access for a long while, it hasn't occurred to
> > me until now that sshd isn't taking that file into account. No users
> > (except me) can log in to my system with telnet and they shouldn't
> > with sshd.
>
> login.access is only used by login(1), not by sshd.
>
> This is also the reason why time-limited logins and other nice
> configurable features are not possible to enforce with ssh. They
> are login(1)-specific.
>
> > Is there a workaround for this? Wouldn't it be considered a serious
> > bug that sshd doesn't parse this file?
>
> You could enable UseLogin in /etc/ssh/sshd_config
> but this is NOT recommended! See sshd_config(5).
>
> If sshd were fully PAMified, you could try to plug in some pam
> modules to enforce access policy. You'll have to test your setup
> thoroughly. I've tried this with a custom time class PAM module
> only to discover that sshd doesn't really interact all that well
> with such modules. Beware, and test.
>
> > Best Regards
> > Jonas Trollvik
>
> --
> Cordula's Web. http://www.cordula.ws/
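The point of the thread is that the policy in /etc/login.access is evaluated by login(1), never by sshd, so an ssh session bypasses it unless UseLogin is turned on (which sshd_config(5) advises against). To make concrete what login(1) actually enforces, here is an added example, not code from the thread or from FreeBSD: a small evaluator for the login.access(5) format (permission:users:origins, first matching rule wins, no match means access is granted, with ALL, ALL EXCEPT, LOCAL, .domain suffixes and network prefixes ending in a dot). The sample policy and the group map are constructed for the demonstration; the matcher simplifies the real one (no netgroup support, exact tty and host comparison). Whatever it admits for a given user and origin is what telnet/console logins get and ssh logins do not, so the same policy has to be restated on the sshd side, for example with AllowUsers/AllowGroups in sshd_config or, on FreeBSD releases that ship pam_login_access(8), in /etc/pam.d/sshd.

```python
"""Evaluate a login.access(5) policy the way login(1) does.

Added example for the freebsd-questions thread above, not code from the
thread or from FreeBSD. The sample policy and group map are constructed.
"""


def parse_login_access(text):
    """Return [(allow, users_spec, origins_spec)] in file order.

    Comments ('#') and blank lines are skipped; a rule is '+' or '-', the
    user list and the origin list, separated by colons.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users, origins))
    return rules


def _match_list(spec, item, matches):
    """Match ITEM against a space/comma separated list, honouring 'ALL EXCEPT'."""
    tokens = spec.replace(",", " ").split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
        return any(matches(t, item) for t in included) and not any(
            matches(t, item) for t in excluded)
    return any(matches(t, item) for t in tokens)


def make_user_matcher(groups):
    """Users field: login name, group name (GROUPS maps group -> members) or ALL."""
    def matches(token, user):
        return token == "ALL" or token == user or user in groups.get(token, ())
    return matches


def _origin_matches(token, origin):
    """Origins field: tty or host name, .domain suffix, 'net.' prefix, ALL, LOCAL."""
    if token == "ALL":
        return True
    if token == "LOCAL":          # LOCAL matches any origin without a dot
        return "." not in origin
    if token.startswith("."):     # domain suffix
        return origin.endswith(token)
    if token.endswith("."):       # network prefix such as 192.168.1.
        return origin.startswith(token)
    return token == origin        # exact tty or host name


def login_access_allows(rules, user, origin, groups):
    """First matching rule decides; if nothing matches, access is granted."""
    user_matches = make_user_matcher(groups)
    for allow, users, origins in rules:
        if _match_list(users, user, user_matches) and _match_list(
                origins, origin, _origin_matches):
            return allow
    return True


# Constructed sample policy: root only on the console, non-wheel users kept
# off the 192.168.1.0/24 segment, wheel members from local ttys, the example.com
# domain or that segment, one named user from anywhere, everyone else denied.
SAMPLE_LOGIN_ACCESS = """\
# constructed sample /etc/login.access
+:root:console
-:ALL EXCEPT wheel:192.168.1.
+:wheel:LOCAL .example.com 192.168.1.
+:jonas:ALL
-:ALL:ALL
"""
SAMPLE_GROUPS = {"wheel": {"jonas", "admin"}}  # constructed group membership

RULES = parse_login_access(SAMPLE_LOGIN_ACCESS)


def decide(user, origin):
    """Would login(1) admit USER arriving from ORIGIN under the sample policy?"""
    return login_access_allows(RULES, user, origin, SAMPLE_GROUPS)


if __name__ == "__main__":
    for user, origin in [("root", "console"), ("root", "ttyv1"),
                         ("guest", "192.168.1.7"), ("admin", "192.168.1.7"),
                         ("admin", "evil.example.net"), ("jonas", "evil.example.net"),
                         ("guest", "ttyv0"), ("admin", "ttyv0")]:
        verdict = "allow" if decide(user, origin) else "deny"
        print(f"{user:6} from {origin:18} -> {verdict}")
```

Run it and compare the verdicts with what your sshd actually does for the same users: because sshd never consults this file, every "deny" row above is a login that ssh would still accept unless sshd_config (AllowUsers/AllowGroups) or the PAM stack for sshd says otherwise. Note also the default at the end of `login_access_allows`: a policy without a trailing `-:ALL:ALL` admits everyone it does not mention.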