From owner-freebsd-isp@FreeBSD.ORG Sun Feb 13 02:02:15 2005
Date: Sat, 12 Feb 2005 21:01:45 -0500 (EST)
From: Paul Sandys
To: Theodore Knab
cc: freebsd-isp@freebsd.org
Subject: Re: PAM and login.conf + SSH and IMAP
In-Reply-To: <20050211151730.GA6896@annapolislinux.org>
Message-ID: <20050212205743.M41646@bsd3.nyct.net>
References: <20050208000000.D64811@bsd3.nyct.net> <20050211151730.GA6896@annapolislinux.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: Internet Services Providers

On Fri, 11 Feb 2005, Theodore Knab wrote:

> Date: Fri, 11 Feb 2005 10:17:30 -0500
> From: Theodore Knab
> To: Paul Sandys, freebsd-isp@freebsd.org
> Subject: Re: PAM and login.conf + SSH and IMAP
>
> I have never used the /etc/login.access to limit access.
>
> However, I have used other things, which are listed here.
>
> If you are trying to limit regular users from connecting to your system via
> their IMAP password that is in /etc/passwd, you could do the following:
>
> 1. Add an access list to the /etc/pam.d/ssh file
>
>    auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail

There's no pam_listfile.so module in FreeBSD 5.3 - this would be a good
solution though.

> 2. Don't give the users on IMAP a shell account.
>    /bin/false or /dev/null as their login shell

I need a real shell in there. It's funny how PAM should give you all the
flexibility you need and I'm stuck on such a straightforward scenario.

P.

> 3. Firewall the machine so only a few IP's can use ssh.

That wouldn't work either in this situation.

> On 08/02/05 00:05 -0500, Paul Sandys wrote:
> >
> > I need to block ssh access to wheel only and at the same time allow IMAP access
> > to any user.
> >
> > When I put the following in /etc/login.access, the ssh behaves the way I want:
> >
> >     +:wheel:ALL
> >     -:ALL:ALL
> >
> > However, it also denies imap access. I'm trying different options in
> > /etc/pam.d/imap without any success. Is there a PAM module that would
> > authenticate using the system password file and disregard /etc/login.access?
> >
> > Any suggestions?
> >
> > Thanks,
> > Paul
> >
> >
> > Paul Sandys
> > network operations manager
> > http://www.nyct.net/
> > 212.293.2620
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
> --
> ------------------------------------------
> Ted Knab
> Chester, Maryland 21619 USA
> ------------------------------------------
> The perception of knowledge is an egotistical farce in which
> humans extrapolate from simplifications.
>
> Proud Graduate of the 'Wack a Mole' Academy of Psydo Sciences.
>
> Legal Disclaimer:
> -------------------------------------
> This e-mail is privileged, confidential and subject to the
> GNU public licence. Any unauthorized use or disclosure of its contents is
> strictly prohibited and will result in an intensive investigation by the
> unofficial enforcement agencies who are watching you read this email.
> The views expressed in this communication may not necessarily be
> the views held by the Scottish Borders Council, the Japanese Education Ministry,
> the Annapolis Linux Users group, or the author who composed it.
>

Paul Sandys
network operations manager
http://www.nyct.net/
212.293.2620
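An added example, not part of the thread above, that models why the two login.access rules Paul quotes shut out IMAP users as well as non-wheel SSH users. It assumes (this is not stated in the thread) that on FreeBSD 5.x the /etc/pam.d/imap stack does `account include system`, and that /etc/pam.d/system's account section carries `pam_login_access.so`, so the same service-blind login.access check runs for every stack that includes system. The users, group memberships and stack texts below are constructed sample data in /etc/pam.d and login.access syntax; the "after" IMAP stack is the hardened variant in which only pam_unix.so does the account check.

```python
"""
Added example (not from the mailing-list thread): a small model of how
FreeBSD's pam_login_access(8) consults /etc/login.access, and of where in the
PAM account phase that check sits for sshd versus imap.

Assumed, not taken from the thread: /etc/pam.d/imap includes "system", and
/etc/pam.d/system's account section lists pam_login_access.so (FreeBSD 5.x).
"""
import re

# Constructed sample data: the two login.access rules quoted in the thread.
LOGIN_ACCESS = """\
+:wheel:ALL
-:ALL:ALL
"""

# Constructed group membership: only root and alice are in wheel.
GROUPS = {"wheel": {"root", "alice"}}

# Account sections only (auth/session omitted), in /etc/pam.d syntax.
PAM_SYSTEM = """\
account required pam_login_access.so
account required pam_unix.so
"""
PAM_SSHD = """\
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
"""
# "Before": imap inherits pam_login_access.so through the system include.
PAM_IMAP_BEFORE = "account include system\n"
# "After" (hardened): imap checks the account with pam_unix.so only, so
# login.access no longer applies to IMAP while sshd still enforces it.
PAM_IMAP_AFTER = "account required pam_unix.so\n"

STACKS = {"system": PAM_SYSTEM, "sshd": PAM_SSHD}


def parse_login_access(text):
    """Parse login.access lines into (permit, users, origins); skip comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        split = lambda s: [x for x in re.split(r"[\s,]+", s.strip()) if x]
        rules.append((perm == "+", split(users), split(origins)))
    return rules


def _user_matches(item, user):
    """A users-field item is ALL, a literal user name, or a group name."""
    if item == "ALL" or item == user:
        return True
    return user in GROUPS.get(item, set())


def login_access_allows(user, origin, rules):
    """First matching rule wins; with no match login.access allows access."""
    for permit, users, origins in rules:
        if any(_user_matches(u, user) for u in users) and \
           any(o == "ALL" or o == origin for o in origins):
            return permit
    return True


def account_modules(stack_text, stacks):
    """Flatten 'account include X' into the concrete ordered module list."""
    modules = []
    for line in stack_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "account":
            continue
        if fields[1] == "include":
            modules.extend(account_modules(stacks[fields[2]], stacks))
        else:
            modules.append(fields[2])
    return modules


def account_ok(service_stack, user, origin="mail-client"):
    """Run the account phase; only pam_login_access.so can deny in this model.

    pam_unix.so and pam_nologin.so are assumed to succeed for the sample users.
    """
    rules = parse_login_access(LOGIN_ACCESS)
    for mod in account_modules(service_stack, STACKS):
        if mod == "pam_login_access.so" and \
           not login_access_allows(user, origin, rules):
            return False
    return True


if __name__ == "__main__":
    for name, stack in (("sshd", PAM_SSHD), ("imap (before)", PAM_IMAP_BEFORE),
                        ("imap (after)", PAM_IMAP_AFTER)):
        for user in ("alice", "bob"):
            print(f"{name:14} {user:6} -> {'allow' if account_ok(stack, user) else 'deny'}")
```

Running it shows sshd allowing alice and denying bob under both IMAP variants, while bob is denied IMAP only while the imap stack still inherits pam_login_access.so from system. The corresponding change on a real box is to make the imap stack's account line call pam_unix.so directly instead of including system, leaving pam_login_access.so in /etc/pam.d/sshd; sshd_config's AllowGroups wheel is an independent control that sshd enforces on its own, regardless of the PAM stack.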