From: Theodore Knab
To: Paul Sandys, freebsd-isp@freebsd.org
Date: Fri, 11 Feb 2005 10:17:30 -0500
Subject: Re: PAM and login.conf + SSH and IMAP
Message-ID: <20050211151730.GA6896@annapolislinux.org>
In-Reply-To: <20050208000000.D64811@bsd3.nyct.net>

I have never used the /etc/login.access to limit access.
However, I have used other things, which are listed here.

If you are trying to limit regular users from connecting to your system via
their IMAP password that is in /etc/passwd, you could do the following:

1. Add an access list to the /etc/pam.d/ssh file

   auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail

2. Don't give the users on IMAP a shell account.
   /bin/false or /dev/null as their login shell

3. Firewall the machine so only a few IPs can use ssh.

On 08/02/05 00:05 -0500, Paul Sandys wrote:
>
> I need to block ssh access to wheel only and at the same time allow IMAP access
> to any user.
>
> When I put the following in /etc/login.access, the ssh behaves the way I want:
> +:wheel:ALL
> -:ALL:ALL
>
> However, it also denies imap access. I'm trying different options in
> /etc/pam.d/imap without any success. Is there a PAM module that would
> authenticate using system password file and disregard /etc/login.access?
>
> Any suggestions?
>
> Thanks,
> Paul

-- 
Ted Knab
Chester, Maryland 21619 USA
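
An added example, not part of the original message: a small Python audit that cross-checks steps 1 and 2 of the reply, showing which accounts are kept off SSH by the allow list alone and which are also covered by a non-login shell. The passwd lines, the allow-list contents, the set of non-login shells and the status labels are constructed assumptions, and listfile_allows is a simplified model of the pam_listfile options quoted in the message, not the module's own code.

```python
# Added example: offline audit of the two account-level controls from the message.
# The passwd lines and the allow list below are constructed sample data.
NON_LOGIN_SHELLS = {"/bin/false", "/dev/null", "/sbin/nologin", "/usr/sbin/nologin"}  # assumption

SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
admin1:*:1001:0:Admin:/home/admin1:/bin/sh
mail1:*:2001:2001:IMAP only:/home/mail1:/bin/false
mail2:*:2002:2002:IMAP only:/home/mail2:/bin/sh
mail3:*:2003:2003:IMAP only:/home/mail3:/dev/null
"""
SAMPLE_ALLOWED = "admin1\n"  # stands in for /etc/sshusers-allowed


def listfile_allows(user, allowed_text, sense="allow", onerr="fail"):
    """Simplified model of pam_listfile item=user: one name per line, exact match.
    allowed_text=None models an unreadable list file, which onerr decides."""
    if allowed_text is None:
        return onerr == "succeed"
    listed = user in allowed_text.splitlines()
    return listed if sense == "allow" else not listed


def audit(passwd_text, allowed_text):
    """Return {user: status} for every account in passwd_text."""
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, shell = fields[0], fields[-1]
        ssh_ok = listfile_allows(user, allowed_text)
        has_shell = shell not in NON_LOGIN_SHELLS
        if ssh_ok and has_shell:
            report[user] = "ssh-allowed"
        elif ssh_ok:
            report[user] = "listed-but-no-shell"  # on the list, but cannot get a shell
        elif has_shell:
            report[user] = "pam-only"             # blocked by the list alone; step 2 not applied
        else:
            report[user] = "imap-only"            # blocked by both the list and the shell
    return report


if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD, SAMPLE_ALLOWED).items():
        print(f"{user:8} {status}")
```

Accounts reported as "pam-only" depend entirely on the PAM line staying in place; with onerr=fail an unreadable list file denies everyone, including the administrators.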