Date: Sat, 12 Feb 2005 21:01:45 -0500 (EST) From: Paul Sandys <myj@nyct.net> To: Theodore Knab <tjk@annapolislinux.org> Cc: freebsd-isp@freebsd.org Subject: Re: PAM and login.conf + SSH and IMAP Message-ID: <20050212205743.M41646@bsd3.nyct.net> In-Reply-To: <20050211151730.GA6896@annapolislinux.org> References: <20050208000000.D64811@bsd3.nyct.net> <20050211151730.GA6896@annapolislinux.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 11 Feb 2005, Theodore Knab wrote: > Date: Fri, 11 Feb 2005 10:17:30 -0500 > From: Theodore Knab <tjk@annapolislinux.org> > To: Paul Sandys <myj@nyct.net>, freebsd-isp@freebsd.org > Subject: Re: PAM and login.conf + SSH and IMAP > > I have never used the the /etc/login.access to limit access. > > However, I have used other things, which are listed here. > > If you are trying to limit regular users from connecting to your system via > their IMAP password that is in /etc/passwd, you could do the following: > > 1. Add an access list to the /etc/pam.d/ssh file > auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail There's no pam_listfile.so module in FreeBSD 5.3 - this would be a good solution though. > > 2. Don't give the users on IMAP a shell account. > /bin/false or /dev/null as their login shell I need real shell in there. It's funny how PAM should give you all the flexibility you need and I'm stuck on such a staightforward scenario. P. > > 3. Firewall the machine so only a few IP's can use ssh. That woudn't work either in this situation. > > > On 08/02/05 00:05 -0500, Paul Sandys wrote: > > > > I need to block ssh access to wheel only and at the same time allow IMAP access > > to any user. > > > > When I put following in /etc/login.access, the ssh behaves the way I want: > > +:wheel:ALL > > -:ALL:ALL > > > > However, it also denies imap access. I'm trying different options in > > /etc/pam.d/imap without any success. Is there a PAM module that would > > authenticate using system password file and disregarded /etc/login.access ? > > > > Any suggestions ? > > > > Thanks, > > Paul > > > > > > Paul Sandys > > network operations manager > > http://www.nyct.net/ > > 212.293.2620 > > _______________________________________________ > > freebsd-isp@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" > > -- > ------------------------------------------ > Ted Knab > Chester, Maryland 21619 USA > ------------------------------------------ > The perception of knowledge is an egotistical farce in which > humans extrapolate from simplifications. > > Proud Graduate of the 'Wack a Mole' Academy of Psydo Sciences. > > Legal Disclaimer: > ------------------------------------- > This e-mail is privileged, confidential and subject to the > GNU public licence. Any unauthorized use or disclosure of its contents is > strictly prohibited and will result in a intensive investigation by the > unofficial enforcement agencies whom are watching you read this email. > The views expressed in this communication may not necessarily be > the views held by the Scottish Borders Council, the Japanese Education Ministry, > the Annapolis Linux Users group, or the author whom composed it. > Paul Sandys network operations manager http://www.nyct.net/ 212.293.2620
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050212205743.M41646>