From: Farid Hajji
Reply-To: me@farid-hajji.de
To: freebsd-current@freebsd.org
Date: Sun, 20 Jul 2003 20:32:01 +0200
Subject: login(1) doesn't enforce times.allow/times.deny over ssh(1)
Message-Id: <200307202032.02281.me@farid-hajji.de>

I'm trying to set up a login class on 5.1-R which limits users from
logging in at night or on weekends. Unfortunately, the time limits
are not enforced by login(1) when the host is accessed via ssh
(only from the console are the time limits enforced):

In /etc/login.conf, I've set this:

    time_limited:\
        :welcome=/root/motd-timelimited:\
        :times.allow=MoTuWeThFr0800-1900:\
        :times.deny=So0000-2359:\
        :tc=default:

and ran 'cap_mkdb /etc/login.conf' as instructed.

Changed login class of some test users with chsh(1). The change in
the 'welcome' capability works all right, but not the time limitations
(when using ssh).

I'm using the default /etc/pam.d/login, as of 5.1-R, where pam_ssh.so
is always commented out. When using ssh, I'm not trying public/private
keys, just plain unix passwords. Doesn't ssh access login(1) in this case?

Do you have an idea what's wrong here, or, better yet, a solution?

Many thanks.

-- 
Farid Hajji. http://www.farid-hajji.net/address.html
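
An added example, not part of the original message and not FreeBSD's libutil code: a Python model of how a times.allow/times.deny pair like the one in the message evaluates for a given timestamp, following the rules stated in login.conf(5) (an allow list restricts logins to its periods, and a matching deny period always wins). The function names, the exclusive end minute, and the choice to reject anything other than the two-letter codes Su through Sa are assumptions of this example; it lets a class definition be checked independently of whichever program is expected to enforce it.

```python
import re
from datetime import datetime

# Two-letter day codes from login.conf(5); list index matches datetime.weekday().
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
PERIOD = re.compile(r"^((?:[A-Za-z]{2})+)(\d{4})-(\d{4})$")


def parse_period(spec):
    """Parse one period such as 'MoTuWeThFr0800-1900' into (days, start, end)."""
    m = PERIOD.match(spec.strip())
    if not m:
        raise ValueError(f"malformed period: {spec!r}")
    codes = re.findall("..", m.group(1))
    unknown = [c for c in codes if c not in DAYS]
    if unknown:
        # Assumption of this example: fail loudly instead of guessing a day.
        raise ValueError(f"unrecognised day code(s) {unknown} in {spec!r}")
    days = {DAYS.index(c) for c in codes}
    # Convert hhmm strings to minutes since midnight.
    start, end = (int(g[:2]) * 60 + int(g[2:]) for g in m.group(2, 3))
    return days, start, end


def matches(periods, when):
    """True if 'when' falls inside any parsed period (end minute exclusive)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in d and s <= minute < e for d, s, e in periods)


def login_permitted(allow, deny, when):
    """allow/deny are comma-separated capability values, '' when unset."""
    allow_p = [parse_period(p) for p in allow.split(",") if p.strip()]
    deny_p = [parse_period(p) for p in deny.split(",") if p.strip()]
    if allow_p and not matches(allow_p, when):
        return False          # outside every allowed period
    return not matches(deny_p, when)  # deny overrides allow


if __name__ == "__main__":
    allow = "MoTuWeThFr0800-1900"   # times.allow value from the message
    deny = "Su0000-2359"            # constructed value using a documented code
    for ts in ("2003-07-21 10:00", "2003-07-21 22:00", "2003-07-20 12:00"):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        print(ts, when.strftime("%a"), login_permitted(allow, deny, when))
```
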