From: "Joe Gleason"
To: "Bigby Findrake"
Subject: Re: making sshd2 check user expiration dates
Date: Thu, 12 Aug 1999 14:08:43 -0400

> On Thu, 12 Aug 1999, Joe Gleason wrote:
>
> > I'm not sure if security is the right list, but this has to do with allowing
> > or denying access to a system based on expiration date, which I consider
> > relevant to security.
> >
> > Does anyone know how to make sshd2 check user expiration dates?
> >
> > I did a quick test, and telnet, pop3, ftpd and sshd1 all do NOT allow a user
> > with an expired account to log in.
> > sshd2 however does.
> >
> > By expired I mean field 7 in master.passwd file having a number that is
> > between 0 and the current time in seconds exclusive.
> >
> > I am running FreeBSD 3.2-stable (a few days old)
> >
> > I installed ssh via installing /usr/ports/security/ssh and then
> > /usr/ports/security/ssh2 (that way I have all the ssh1 stuff for
> > compatibility). I haven't touched the configs much, if at all. I looked
> > through the man page and config files real quick and didn't see anything
> > about user expiration dates. It is 3am, so I could have easily missed
> > something. Anyone with any ideas or experience with this, any help would be
> > appreciated. I would really prefer not to have to hack something odd
> > together to support expiration dates.
>
> This is a shot in the dark but I would suggest playing with the "UseLogin"
> parameter in the /etc/sshd_config file.
>

My sshd_config is in /usr/local/etc, but that is unimportant.

I'm pretty sure sshd_config is for sshd1 only. sshd2 has its own config:
/usr/local/etc/ssh2/sshd2_config

In my tests, sshd1 works fine, even with the UseLogin option off.
sshd2_config doesn't mention anything like that.

If I remember correctly from experimentation I did back in the 2.2.x days,
UseLogin for sshd1 was required only to get login class restrictions to
work. I could be mistaken about that.

Joe Gleason
Tasam
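
Added example, not part of the original thread: the expiry test as the quoted message defines it (field 7 of master.passwd strictly between 0 and the current time), applied to account lines so an administrator can list which accounts a login service should be refusing. The function names, the sample entries and the NOW value are constructed for illustration.

```python
import time

# master.passwd(5) fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
FIELD_COUNT = 10
EXPIRE_FIELD = 6  # zero-based index of field 7


def is_expired(expire, now):
    """Expired as defined in the message: 0 < expire < now (0 = no expiry)."""
    return 0 < expire < now


def expired_accounts(lines, now=None):
    """Return (expired account names, lines that could not be evaluated)."""
    now = int(time.time()) if now is None else now
    expired, malformed = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Wrong field count or a non-numeric/missing expire field:
        # report it for manual review instead of silently skipping it.
        if len(fields) != FIELD_COUNT or not fields[EXPIRE_FIELD].isdigit():
            malformed.append(line)
            continue
        if is_expired(int(fields[EXPIRE_FIELD]), now):
            expired.append(fields[0])
    return expired, malformed


# Constructed sample entries (not taken from any real system).
SAMPLE = """\
# constructed sample in master.passwd format
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:934400000:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:934500000:Carol:/home/carol:/bin/sh
"""
NOW = 934481323  # constructed "current time" in seconds since the epoch

if __name__ == "__main__":
    names, bad = expired_accounts(SAMPLE.splitlines(), NOW)
    print("expired:", names)
    print("needs review:", bad)
```

Reading the real /etc/master.passwd requires root; pass its lines to expired_accounts() with no second argument to compare against the current time.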