From owner-freebsd-security  Tue Jan 18  8:48:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eterna.binary.net (eterna.binary.net [12.13.84.6])
	by hub.freebsd.org (Postfix) with ESMTP id 875B414BEF
	for <freebsd-security@FreeBSD.ORG>; Tue, 18 Jan 2000 08:48:27 -0800 (PST)
	(envelope-from nathan@rtfm.net)
Received: from matrix.binary.net (root@matrix.binary.net [12.13.120.2])
	by eterna.binary.net (8.9.1a/8.9.1) with ESMTP id KAA61792;
	Tue, 18 Jan 2000 10:48:27 -0600 (CST)
Received: (from nathan@localhost)
	by matrix.binary.net (8.9.3/8.9.1) id KAA45933;
	Tue, 18 Jan 2000 10:48:27 -0600 (CST)
Date: Tue, 18 Jan 2000 11:48:27 -0500
From: Nathan Dorfman <nathan@rtfm.net>
To: "Matthew D. Fuller" <fullermd@futuresouth.com>
Cc: cjclark@home.com, Nicholas Brawn <ncb@zip.com.au>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000118114827.A45759@rtfm.net>
References: <Pine.LNX.4.10.10001141203280.3124-100000@zipperii.zip.com.au> <200001140145.UAA15101@cc942873-a.ewndsr1.nj.home.com> <20000114133222.A18079@rtfm.net> <20000117195642.B23821@futuresouth.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <20000117195642.B23821@futuresouth.com>; from Matthew D. Fuller on Mon, Jan 17, 2000 at 07:56:42PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 17, 2000 at 07:56:42PM -0600, Matthew D. Fuller wrote:
> [ Sorry, little bit late... ]
> 
> On Fri, Jan 14, 2000 at 01:32:22PM -0500, a little birdie told me
> that Nathan Dorfman remarked
> > On Thu, Jan 13, 2000 at 08:45:20PM -0500, Crist J. Clark wrote:
> > > 
> > > For anything that is going to call login(1), you can use
> > > /etc/login.access(5). That pretty much eliminates stuff like telnet,
> > > rlogin, and console logins. For SSH, look at the 'AllowUsers' and
> > > 'DenyUsers' keywords for the sshd_conf file on the sshd(8)
> > > manpage. And of course, if ftp(1) is an issue, there is /etc/ftpusers
> > > as described in ftpd(8).
> > 
> > You can make sshd use login(1). Set UseLogin to yes in sshd_config. This
> > is (at least sounds like) a good idea just so that login.access(5) and
> > login.conf(5) have their effect.
> 
> Except (at least login.access) they don't.
> 
> Try it.  Never worked for me.

Hmm. You're right, login.access doesn't seem to work, I wonder why...
resource limits and environment settings from login.conf work fine
though.

> -- 
> Matthew Fuller     (MF4839)     |    fullermd@over-yonder.net
> Unix Systems Administrator      |    fullermd@futuresouth.com
> Specializing in FreeBSD         |    http://www.over-yonder.net/
> 
> "The only reason I'm burning my candle at both ends, is because I
>       haven't figured out how to light the middle yet"

-- 
Nathan Dorfman <nathan@rtfm.net>         The statements and opinions in my
Unix Admin @ Frontline Communications    public posts are mine, not FCC's.
"The light at the end of the tunnel is the headlight of an approaching
train." --/usr/games/fortune


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message