From owner-freebsd-security  Tue Mar  7 18:57:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 3EDF037BE62; Tue,  7 Mar 2000 18:57:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 38CCC2E815B; Tue,  7 Mar 2000 18:57:25 -0800 (PST)
	(envelope-from kris@hub.freebsd.org)
Date: Tue, 7 Mar 2000 18:57:25 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: Randy Bush <randy@psg.com>
Cc: Alex Michlin <alex@delete.org>, freebsd-security@freebsd.org
Subject: Re: Host Secured Logon
In-Reply-To: <E12SQza-0000iQ-00@roam.psg.com>
Message-ID: <Pine.BSF.4.21.0003071857040.8920-100000@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 7 Mar 2000, Randy Bush wrote:

> > Is there an easy way to secure shell accounts with the hostname of the
> > user (ie, only someone from *.anyisp.com can logon to shell1, and
> > *.myisp.com can logon to any shell)?
> 
> i am not advocating doing this, as dns based security is weak, but use tcpd
> aka log_tcp and restrict the hosts in /usr/local/etc/hosts.allow.

Or you could use tcpd and restrict on source IP addresses, rather than
insecure DNS addresses.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message