Date: Mon, 21 Jun 2004 09:54:31 +0300
From: Peter Pentchev
To: Charles Sprickman
Cc: freebsd-security@freebsd.org
Subject: Re: 4.x, PAM, password facility
Message-ID: <20040621065431.GA970@straylight.m.ringlet.net>
In-Reply-To: <20040618161910.C70190@shell.inch.com>

On Fri, Jun 18, 2004 at 04:26:19PM -0400, Charles Sprickman wrote:
[snip]
> And since I know there's someone lurking here that knows this, is there
> any way to have OpenSSH deny a login when a user has key-based auth setup
> on their account? I never found a good way to take care of that; changing
> the shell, etc. is a bit awkward.

The sshd_config(5) manual page for OpenSSH in both -STABLE and -CURRENT
mentions Allow/DenyUsers/Groups. I'm not sure how long this has been
around, though - I seem to remember a time when only ssh.com's sshd
supported this.

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I had finished this sentence,
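
As an added example, not part of the original message: a simplified Python model of how sshd evaluates the Allow/DenyUsers/Groups directives mentioned in the reply, in the order sshd_config(5) documents (DenyUsers, AllowUsers, DenyGroups, AllowGroups). The sample configuration and account names are constructed; only plain names with `*` and `?` wildcards are modelled, not USER@HOST forms or negated patterns.

```python
import re

# Constructed sample sshd_config fragment (not from the original message).
SAMPLE_CONFIG = """\
# lock out one account and one group, then restrict everyone else by group
DenyUsers alice
DenyGroups suspended
AllowGroups staff wheel
"""

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the patterns of the four access directives (keywords are case-insensitive)."""
    lists = {name: [] for name in DIRECTIVES}
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() in lists:
            lists[words[0].lower()].extend(words[1:])
    return lists

def _matches(pattern, name):
    # '*' matches any run of characters, '?' exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None

def login_permitted(lists, user, groups):
    """Return (allowed, refusing_directive), checking in sshd's documented order."""
    if any(_matches(p, user) for p in lists["denyusers"]):
        return False, "DenyUsers"
    if lists["allowusers"] and not any(_matches(p, user) for p in lists["allowusers"]):
        return False, "AllowUsers"
    if any(_matches(p, g) for p in lists["denygroups"] for g in groups):
        return False, "DenyGroups"
    if lists["allowgroups"] and not any(
            _matches(p, g) for p in lists["allowgroups"] for g in groups):
        return False, "AllowGroups"
    return True, None

if __name__ == "__main__":
    acl = parse_access_lists(SAMPLE_CONFIG)
    for user, groups in [("alice", ["staff"]), ("bob", ["staff"]),
                         ("carol", ["staff", "suspended"]), ("dave", ["users"])]:
        print(user, login_permitted(acl, user, groups))
```

These directives are checked against the account itself, so a refused user stays refused whether they present a password or a key.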