Date: Wed, 06 Oct 1999 20:43:51 +0000 From: Joseph Scott <joseph.scott@owp.csus.edu> To: Mike Tancsa <mike@sentex.net> Cc: questions@FreeBSD.ORG Subject: Re: login.access and sshd Message-ID: <37FBB487.6AC8B32F@owp.csus.edu> References: <3.0.5.32.19991006131601.019cca20@staff.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa wrote:
>
> Is there any way to get sshd honour login.access ? Or at least control who
> is and is not allowed to login on a per user or group basis ?
From man sshd, under the CONFIGURATION FILE section :
AllowGroups
This keyword can be followed by any number of group
name patterns, separated by spaces. If specified,
login is allowed only if users primary group name
matches one of the patterns. '*' and '?' can be
used as wildcards in the patterns. By default,
logins as all users are allowed.
Note that the all other login authentication steps
must still be sucessfully completed. AllowGroups
and DenyGroups are additional restrictions.
....
AllowUsers
This keyword can be followed by any number of user
name patterns or user@host patterns, separated by
spaces. Host name may be either the dns name or the
ip address. If specified, login is allowed only as
users whose name matches one of the patterns. '*'
and '?' can be used as wildcards in the patterns.
By default, logins as all users are allowed.
Note that the all other login authentication steps
must still be sucessfully completed. AllowUsers
and DenyUsers are additional restrictions.
This should do what you are asking, however I could see having sshd
respect login.access make sense, that way you only have configure access
control in place.
--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37FBB487.6AC8B32F>