Date: Sat, 9 Oct 2004 15:49:25 +0200
From: Jeremie Le Hen
To: "Peter C. Lai"
Cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only

> Is there a way to enforce sshd login restrictions without using login(1)?
> (i.e. I want to enforce a specific umask for all ssh logins).

AFAIK this should be achievable using the PAM session facility. But I found
no `pam_umask' module.
BTW it should be pretty easy to implement by deriving from an existing
session module such as `pam_chroot'.

-- 
Jeremie Le Hen
jeremie@le-hen.org
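
Added example, not part of the original message and not code from any PAM distribution: the core of what a umask-setting session hook would do, written without PAM headers so it builds anywhere. The names `parse_umask_arg` and `session_file_mode` are hypothetical; in a real module the parse-and-umask(2) step would sit in the `pam_sm_open_session` entry point, and the fork below stands in for the daemon starting the user's session.

```c
#define _XOPEN_SOURCE 700  /* expose mkdtemp() and the POSIX process calls */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: parse a module argument "umask=NNN" (octal, <= 0777).
 * Returns 0 on success, -1 on anything else so the caller can fail closed. */
int parse_umask_arg(const char *arg, mode_t *out) {
    if (strncmp(arg, "umask=", 6) != 0) return -1;
    const char *p = arg + 6;
    size_t n = strlen(p);
    if (n == 0 || n > 4 || strspn(p, "01234567") != n) return -1;
    unsigned long v = strtoul(p, NULL, 8);
    if (v > 0777) return -1;
    *out = (mode_t)v;
    return 0;
}

/* Stand-in for the daemon: set the mask as the session hook would, fork a
 * "session" child that creates a file asking for 0666, and return the
 * permission bits the file actually got (-1 on a bad argument or error). */
int session_file_mode(const char *arg) {
    char dir[] = "/tmp/umask-demo-XXXXXX", path[64];
    struct stat sb;
    mode_t m;
    int st, rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/f", dir);
    mode_t old = umask(0);              /* remember the caller's mask */
    if (parse_umask_arg(arg, &m) == 0) {
        umask(m);                       /* the one call the hook exists for */
        pid_t pid = fork();             /* the mask is inherited across fork */
        if (pid == 0)
            _exit(open(path, O_CREAT | O_EXCL | O_WRONLY, 0666) < 0);
        if (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) &&
            WEXITSTATUS(st) == 0 && stat(path, &sb) == 0)
            rc = (int)(sb.st_mode & 0777);
    }
    umask(old);                         /* restore for the demo process */
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("umask=027 -> file mode %o\n", (unsigned)session_file_mode("umask=027"));
    return 0;
}
```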