Date: Thu, 16 Jul 1998 14:57:16 +0200
From: Rico Pajarola <pajarola@cybertime.ch>
To: "FreeBSD stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: Finger and getpwent
Message-ID: <3.0.32.19980716145425.00726d20@www.dlc.cybertime.ch>
I think something like this should go into /etc/login.conf. I already use the nologin file (which can be set per login-class) to make ftp-only accounts, and the ftpusers file to make email-only accounts.

I like this solution because it looks 'clean' to me, but it's by far not complete. And the nicest login.conf doesn't help you if the programs you use don't look at it (and afaik only login itself looks at it yet, guess why it's called login.conf).

Rico

At 16:24 16.07.98 +1000, John Saunders wrote:
>>I've always been under the impression that shell and FTP checking
>>/etc/shells and mail services *not* doing so was a deliberate
>>design decision, not an oversight.
>
>Until something better is implemented there are good reasons
>for both sides. I have modified pppd, ftpd and qpopper to check
>for a valid shell. However if a valid shell is not found I made
>pppd check for "PPP", ftpd check for "FTP", and qpopper check
>for "POP" in the shell field using strstr(). So I can configure
>an account with a shell of "POP,FTP" to enable both those services
>but not shell logins.
>
>While this suits my system it's not entirely flexible, I can't
>provide shell access but not FTP access for example. What is
>needed is an additional system where the user has a list of service
>type attributes associated with them. Then each service would
>check the attributes to see if the user is allowed to access the
>service. e.g. a config file like...
>
>fred:shell ppp telnet
>joe:ppp pop
>mary:telnet pop ftp
>*:shell ppp
>
>Then a library call like checkaccess(char *user, char *service)
>
>I believe the early shadow password suite used on Linux started
>to have something similar but it didn't look completed when I
>last looked at it. I think PAM has superseded shadow now anyway.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
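
The per-user service list and lookup call proposed in the quoted text, as an added sketch that is not part of either poster's message and not FreeBSD code. `checkaccess_buf` is a hypothetical name; it takes the config as a string so it runs without a file. Assumed policy: a user's own line overrides `*`, anything unmatched is denied, and services are compared as whole tokens rather than with strstr().

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, copied from the format sketched in the quoted mail. */
static const char SAMPLE_CONF[] =
    "fred:shell ppp telnet\n"
    "joe:ppp pop\n"
    "mary:telnet pop ftp\n"
    "*:shell ppp\n";

/* 1 if `service` is a whole token in the list that runs up to end of line.
 * Unlike strstr(), "pop" does not match inside a longer word. */
static int has_service(const char *s, const char *service)
{
    size_t slen = strlen(service);
    while (*s && *s != '\n') {
        s += strspn(s, " \t");              /* skip separators */
        size_t n = strcspn(s, " \t\n");     /* length of next token */
        if (n > 0 && n == slen && memcmp(s, service, n) == 0)
            return 1;
        s += n;
    }
    return 0;
}

/* Hypothetical lookup over an in-memory config (assumed policy: the user's
 * own line overrides "*"; no matching line at all means deny). */
int checkaccess_buf(const char *conf, const char *user, const char *service)
{
    size_t ulen = strlen(user);
    int fallback = 0;                       /* nothing matched: deny */
    if (ulen == 0 || strcmp(user, "*") == 0)
        return 0;                           /* "*" is not a login name */
    for (const char *p = conf; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        size_t nlen = strcspn(p, ":\n");
        if (p[nlen] != ':')
            continue;                       /* malformed line: ignore */
        if (nlen == ulen && memcmp(p, user, ulen) == 0)
            return has_service(p + nlen + 1, service);
        if (nlen == 1 && *p == '*')
            fallback = has_service(p + 2, service);
    }
    return fallback;
}

int main(void)
{
    printf("joe/pop=%d joe/shell=%d bob/shell=%d\n", checkaccess_buf(SAMPLE_CONF, "joe", "pop"),
           checkaccess_buf(SAMPLE_CONF, "joe", "shell"), checkaccess_buf(SAMPLE_CONF, "bob", "shell"));
}
```
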