Date:      Sat, 29 Nov 2003 20:40:39 +0100
From:      "Jonas Trollvik" <Jonas.Trollvik@telia.com>
To:        <freebsd-questions@freebsd.org>
Subject:   Re: sshd not respecting login.access
Message-ID:  <012501c3b6b0$ab79ee60$0600a8c0@slix>
References:  <004a01c3b53f$365d5800$0600a8c0@slix> <200311280043.hAS0hDMA069865@fw.farid-hajji.net>

Thanks, I'll go for the uselogin option since I'm only going to use it for
text-terminals.
Would there be any security risks using this option?
Best Regards
Jonas Trollvik
----- Original Message ----- 
From: "Cordula's Web" <cpghost@cordula.ws>
To: <Jonas.Trollvik@telia.com>
Cc: <freebsd-questions@freebsd.org>
Sent: Friday, November 28, 2003 1:43 AM
Subject: Re: sshd not respecting login.access


> > I've been using login.access for a long while, it hasn't occurred to
> > me until now that sshd isn't taking that file into account. No users
> > (except me) can log in to my system with telnet and they shouldn't
> > with sshd.
>
> login.access is only used by login(1), not by sshd.
>
> This is also the reason why time-limited logins and other nice
> configurable features are not possible to enforce with ssh. They
> are login(1)-specific.
>
> > Is there a workaround for this? Wouldn't it be considered a serious
> > bug that sshd doesn't parse this file?
>
> You could enable UseLogin in /etc/ssh/sshd_config
> but this is NOT recommended! See sshd_config(5).
>
> If sshd were fully PAMified, you could try to plug in some pam
> modules to enforce access policy. You'll have to test your setup
> thoroughly. I've tried this with a custom time class PAM module
> only to discover that sshd doesn't really interact all that well
> with such modules. Beware, and test.
>
> > Best Regards
> > Jonas Trollvik
>
> -- 
> Cordula's Web. http://www.cordula.ws/
>
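
The point made in the quoted reply, that login.access is read by login(1) and not by sshd, as an added example that is not part of the original thread: a minimal Python evaluator for login.access(5) rules that lists the accounts login(1) would refuse, which are the accounts that still need their own restriction on the sshd side. The account names and the sample rule are constructed, and group-name lookup is left out.

```python
import re

# Constructed sample rule: refuse everyone except the (made-up) account "jonas".
SAMPLE_LOGIN_ACCESS = """\
# permission : users : origins
-:ALL EXCEPT jonas:ALL
"""

def _match_list(tokens, item, match_one):
    """Match item against a token list, honouring the EXCEPT operator."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (_match_list(tokens[:i], item, match_one)
                and not _match_list(tokens[i + 1:], item, match_one))
    return any(match_one(tok, item) for tok in tokens)

def _user_match(tok, user):
    # Login names only; group-name lookup is left out of this example.
    return tok.upper() == "ALL" or tok.lower() == user.lower()

def _origin_match(tok, origin):
    tok, origin = tok.lower(), origin.lower()
    if tok == "all":
        return True
    if tok == "local":
        return "." not in origin            # tty names, unqualified hosts
    if tok.startswith("."):
        return origin.endswith(tok)         # domain suffix
    if tok.endswith("."):
        return origin.startswith(tok)       # network number prefix
    return tok == origin

def login_allowed(rules_text, user, origin):
    """First matching rule decides; if nothing matches, access is granted."""
    for line in rules_text.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if line.lstrip().startswith("#") or len(fields) != 3:
            continue                        # comment, blank or malformed line
        perm, users, origins = fields
        if (_match_list(re.split(r"[,\s]+", users), user, _user_match)
                and _match_list(re.split(r"[,\s]+", origins), origin, _origin_match)):
            return perm.startswith("+")
    return True

def refused_by_login(rules_text, accounts, origin):
    """Accounts login(1) turns away; per the thread sshd does not read the
    file, so each of these still needs its own restriction on the sshd side."""
    return [u for u in accounts if not login_allowed(rules_text, u, origin)]
```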


