Message-ID: <37FBB487.6AC8B32F@owp.csus.edu>
Date: Wed, 06 Oct 1999 20:43:51 +0000
From: Joseph Scott
Organization: Water Programs - CSU Sacramento
To: Mike Tancsa
Cc: questions@FreeBSD.ORG
Subject: Re: login.access and sshd
References: <3.0.5.32.19991006131601.019cca20@staff.sentex.ca>

Mike Tancsa wrote:
>
> Is there any way to get sshd honour login.access ? Or at least control who
> is and is not allowed to login on a per user or group basis ?

From man sshd, under the CONFIGURATION FILE section :

     AllowGroups
          This keyword can be followed by any number of group name
          patterns, separated by spaces. If specified, login is
          allowed only if users primary group name matches one of
          the patterns. '*' and '?' can be used as wildcards in the
          patterns. By default, logins as all users are allowed.

          Note that the all other login authentication steps must
          still be successfully completed. AllowGroups and DenyGroups
          are additional restrictions.

     ....

     AllowUsers
          This keyword can be followed by any number of user name
          patterns or user@host patterns, separated by spaces. Host
          name may be either the dns name or the ip address. If
          specified, login is allowed only as users whose name
          matches one of the patterns. '*' and '?' can be used as
          wildcards in the patterns. By default, logins as all users
          are allowed.

          Note that the all other login authentication steps must
          still be successfully completed. AllowUsers and DenyUsers
          are additional restrictions.

This should do what you are asking, however I could see having sshd
respect login.access make sense, that way you only have to configure
access control in place.

-- 
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento
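
The following is an added example, not part of the original message and not sshd's own code: a small Python model of the AllowUsers/AllowGroups rules quoted above, for checking who a planned set of patterns would admit before deploying it. The function names and the sample configuration are constructed, and treating any DenyUsers/DenyGroups match as a refusal is an assumption, since the quoted text only names those keywords.

```python
import re

KEYWORDS = ("AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups")

# Constructed sample configuration (names, domain and addresses are made up).
SAMPLE_CONFIG = """\
# who may log in over ssh
AllowGroups wheel staff
AllowUsers mike op? admin@*.example.org backup@192.0.2.*
"""

def parse_rules(text):
    """Collect the patterns given for each access keyword (case-insensitive)."""
    rules = {k: [] for k in KEYWORDS}
    canon = {k.lower(): k for k in KEYWORDS}
    for line in text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#") and words[0].lower() in canon:
            rules[canon[words[0].lower()]] += words[1:]
    return rules

def wild(pattern, value):
    """Whole-string match in which only '*' and '?' act as wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def user_hit(pattern, user, host, ip):
    """Pattern is 'user' or 'user@host'; the host part may match DNS name or IP."""
    upat, sep, hpat = pattern.partition("@")
    if not wild(upat, user):
        return False
    return not sep or wild(hpat, host) or wild(hpat, ip)

def access_allowed(rules, user, group, host, ip):
    """True if the restrictions let this login go on to normal authentication."""
    if any(user_hit(p, user, host, ip) for p in rules["DenyUsers"]):
        return False  # assumption: a Deny match always refuses
    if rules["AllowUsers"] and not any(
            user_hit(p, user, host, ip) for p in rules["AllowUsers"]):
        return False  # list is set and nobody on it matched
    if any(wild(p, group) for p in rules["DenyGroups"]):
        return False  # assumption: a Deny match always refuses
    if rules["AllowGroups"] and not any(
            wild(p, group) for p in rules["AllowGroups"]):
        return False  # primary group is not on the list
    return True

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    print(access_allowed(rules, "admin", "staff", "gw.example.org", "198.51.100.7"))
```

Both lists apply at once: in the sample, `mike` is admitted only while his primary group is `wheel` or `staff`, and `admin` only when connecting from a host matching `*.example.org`.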