From owner-freebsd-questions@FreeBSD.ORG Sun Aug 7 23:44:00 2005
Date: Sun, 7 Aug 2005 19:19:50 -0400 (EDT)
From: Jeff Mitchell
To: Benjamin Lutz
Cc: questions@freebsd.org
Subject: Re: telnet/sshd limited by user?
In-Reply-To: <42F68C05.1000404@datacomm.ch>
Message-ID: <20050807191859.W2146@fw.skeleton.org>
References: <20050806221350.C2146@fw.skeleton.org> <42F68C05.1000404@datacomm.ch>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 8 Aug 2005, Benjamin Lutz wrote:

# > Is it possible to set things so that 'telnet' is allowed only to one
# > specific user, while everyone else needs sshd? i.e.: Obviously, nologin
# > can be used as a shell to not permit any logins (but makes 'su' break
# > too), but I'd like to allow telnet for one specific user only and keep
# > everyone else on sshd.
#
# Yes, by playing with PAM. You can change telnetd's PAM configuration
# (/etc/pam.d/telnetd) to include a group check:
#
#     auth requisite pam_group.so no_warn group=telnetusers
#
# Then create a group "telnetusers", and make your telnet user a member of it.
#
# Haven't tested it myself, hope it works.

Ah, indeed; I didn't read much up on PAM and didn't realize it could go
through a series of phases before allowing on, so you can do a group-check
and then additional checks as well. Neat stuff. Thanks for the tip,

jeff

-- 
"Have you played Atari today?"
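An added example, not part of the thread and not FreeBSD's own code, showing why the suggested `auth requisite pam_group.so ... group=telnetusers` line does what Benjamin describes: it is a small simulator of how a PAM "auth" stack is walked module by module under the standard control flags (requisite, required, sufficient, optional). The `pam_unix` line following the group check, the user and group names, and the password table are all constructed for the demo and are assumptions, not quoted from the thread or from a real /etc/pam.d/telnetd.

```python
"""Simulate PAM auth-stack evaluation for a telnetd restricted to one group.

Assumed (constructed) stacks: telnetd gets the pam_group line from the thread
followed by a pam_unix password check; sshd keeps its own separate stack and
is therefore untouched by the telnetd change.
"""

# Constructed /etc/group-style table: group name -> set of member logins.
GROUPS = {
    "wheel": {"alice"},
    "telnetusers": {"legacyuser"},
}

# Constructed password table standing in for pam_unix's lookup.
PASSWORDS = {
    "alice": "correct horse",
    "legacyuser": "hunter2",
}

# Each entry: (control flag, module, options), in file order.
TELNETD_AUTH = [
    ("requisite", "pam_group", {"group": "telnetusers"}),  # line from the thread
    ("required", "pam_unix", {}),                           # assumed follow-on
]

SSHD_AUTH = [
    ("required", "pam_unix", {}),  # assumed: sshd's file has no group check
]


def pam_group(user, password, opts):
    """Succeed only if the user belongs to the configured group."""
    return user in GROUPS.get(opts["group"], set())


def pam_unix(user, password, opts):
    """Succeed only if the supplied password matches the stored one."""
    return PASSWORDS.get(user) == password


MODULES = {"pam_group": pam_group, "pam_unix": pam_unix}


def run_auth_stack(stack, user, password):
    """Walk a PAM stack using the four standard control flags.

    requisite : failure ends the stack immediately with failure
    required  : failure is remembered, but the remaining modules still run
    sufficient: success ends the stack with success unless a required
                module already failed; its own failure is ignored
    optional  : result only counts when it is the sole module in the stack
    """
    required_failed = False
    for control, name, opts in stack:
        ok = MODULES[name](user, password, opts)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "optional" and len(stack) == 1:
            return ok
    return not required_failed


def telnet_allowed(user, password):
    return run_auth_stack(TELNETD_AUTH, user, password)


def ssh_allowed(user, password):
    return run_auth_stack(SSHD_AUTH, user, password)


if __name__ == "__main__":
    for svc, fn in (("telnetd", telnet_allowed), ("sshd", ssh_allowed)):
        for user, pw in (("legacyuser", "hunter2"), ("alice", "correct horse")):
            print(f"{svc:8s} {user:11s} -> {'allow' if fn(user, pw) else 'deny'}")
```

With `requisite`, a user outside `telnetusers` is refused before `pam_unix` ever runs; switching that flag to `required` would still deny the login but would let the rest of the stack run first, so the client cannot tell which check failed. Because sshd reads its own file, the same users keep their normal ssh access either way.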