From owner-freebsd-security@FreeBSD.ORG Fri Oct 8 16:18:10 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B81D16A4CE for ; Fri, 8 Oct 2004 16:18:10 +0000 (GMT)
Received: from corwin.easynet.fr (smarthost143.mail.easynet.fr [212.180.1.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id C452B43D3F for ; Fri, 8 Oct 2004 16:18:09 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from [212.180.127.72] (helo=tatooine.tataz.chchile.org) by corwin.easynet.fr with esmtp (Exim 4.34) id 1CFxRX-0000jp-9I; Fri, 08 Oct 2004 18:18:07 +0200
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 42952408E; Fri, 8 Oct 2004 18:18:12 +0200 (CEST)
Date: Fri, 8 Oct 2004 18:18:12 +0200
From: Jeremie Le Hen
To: Jim Hatfield
Message-ID: <20041008161812.GC806@obiwan.tataz.chchile.org>
References: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.6i
X-Broken-Reverse-DNS: no host name found for IP address 212.180.127.72
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 08 Oct 2004 16:18:10 -0000

> > have you tried using /etc/login.access?
>
> Hmm, looks like sshd does not consult this file!

login.conf(5) is indeed the configuration file for login(1), which is not used by sshd(8) with the default configuration. You have to use the `UseLogin' option described in sshd_config(5):

    UseLogin
            Specifies whether login(1) is used for interactive login sessions.
            The default is ``no''.  Note that login(1) is never used for
            remote command execution.  Note also, that if this is enabled,
            X11Forwarding will be disabled because login(1) does not know how
            to handle xauth(1) cookies.  If UsePrivilegeSeparation is
            specified, it will be disabled after authentication.

Apart from that, `AllowUsers' and `AllowGroups' have been mentioned multiple times, but it might be easier to use the `DenyUsers' and `DenyGroups' options for the described situation.

Regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org
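The reply above contrasts `AllowUsers'/`AllowGroups' with `DenyUsers'/`DenyGroups'. What decides the outcome when several of these directives are present is the order in which sshd(8) evaluates them, which sshd_config(5) documents as DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups. The following Python script is an added illustration, not code from the thread or from OpenSSH: it parses a small constructed sshd_config fragment and walks a login through that documented order, so one can see why a user in an allowed group is still rejected when one of his other groups is denied, and why an Allow* directive only restricts when it is present. It simplifies real sshd behaviour in one labelled respect: USER@HOST patterns are matched on the user part only.

```python
"""Toy evaluator for the sshd_config(5) user/group access directives.

Added example: it re-implements only the documented evaluation order
(DenyUsers, AllowUsers, DenyGroups, AllowGroups) and is not OpenSSH code.
"""
from fnmatch import fnmatchcase

# Evaluation order as documented in sshd_config(5).
DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

# Constructed sample configuration (not from the thread).
SAMPLE_CONFIG = """
# constructed example fragment
DenyUsers   contractor*
DenyGroups  legacy
AllowGroups wheel sshusers
"""


def parse_sshd_config(text):
    """Collect the four access-control directives from a config fragment.

    Keywords are matched case-insensitively, values are whitespace-separated
    patterns, and repeated lines accumulate.  Everything else is ignored.
    """
    rules = {d: [] for d in DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        for d in DIRECTIVES:
            if parts[0].lower() == d.lower():
                rules[d].extend(parts[1].split())
    return rules


def _user_part(pattern):
    # Assumption/simplification: real sshd also matches the HOST part of a
    # USER@HOST pattern; here only the user part is kept.
    return pattern.split("@", 1)[0]


def _matches(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def login_allowed(rules, user, groups):
    """Return (allowed, reason) for a user with the given group memberships.

    Mirrors the documented order: a Deny* match rejects immediately, an
    Allow* directive rejects only if it is present and nothing in it matches.
    """
    if _matches(user, [_user_part(p) for p in rules["DenyUsers"]]):
        return False, "DenyUsers"
    allow_users = [_user_part(p) for p in rules["AllowUsers"]]
    if allow_users and not _matches(user, allow_users):
        return False, "AllowUsers (not listed)"
    if any(_matches(g, rules["DenyGroups"]) for g in groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not any(
        _matches(g, rules["AllowGroups"]) for g in groups
    ):
        return False, "AllowGroups (no group listed)"
    return True, "no directive rejected the login"


if __name__ == "__main__":
    rules = parse_sshd_config(SAMPLE_CONFIG)
    # Constructed accounts: (user, primary + supplementary groups).
    accounts = [
        ("alice", ["alice", "wheel"]),
        ("contractor3", ["sshusers"]),
        ("bob", ["bob", "legacy", "sshusers"]),
        ("carol", ["carol"]),
    ]
    for user, groups in accounts:
        allowed, why = login_allowed(rules, user, groups)
        print(f"{user:12s} {'ALLOW' if allowed else 'DENY ':5s} {why}")
```

Running the script shows `bob' rejected by DenyGroups even though he is in `sshusers', because DenyGroups is evaluated before AllowGroups; for the situation in the thread, a configuration with only a `DenyGroups' line leaves every other account unaffected, whereas an `AllowGroups' line silently locks out everyone not in a listed group.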