From owner-freebsd-questions@FreeBSD.ORG Thu Dec 11 08:11:29 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AFFC41065676; Thu, 11 Dec 2008 08:11:29 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from mail.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 82C538FC18; Thu, 11 Dec 2008 08:11:29 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from localhost (mail.rachie.is-a-geek.net [192.168.2.101]) by mail.rachie.is-a-geek.net (Postfix) with ESMTP id EC8F5AFC1FF; Wed, 10 Dec 2008 23:11:28 -0900 (AKST)
From: Mel
To: freebsd-questions@freebsd.org
Date: Thu, 11 Dec 2008 09:11:26 +0100
User-Agent: KMail/1.9.7
References: <20081210191617.GD82227@dan.emsphone.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200812110911.27184.fbsd.questions@rachie.is-a-geek.net>
Cc: "Dan Mahoney, System Admin", Dan Nelson
Subject: Re: How to block NIS logins via ssh?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 11 Dec 2008 08:11:29 -0000

On Thursday 11 December 2008 08:10:09 Dan Mahoney, System Admin wrote:

> Given, there's several solutions to this:
>
> 1) The Kluge as above.
>
> 2) A pam module to check /etc/group (this is standard login behavior, and
> historically supported, and available on other platforms, adding a module,
> even to ports, is trivial.
>
> 3) A patch to openssh to do /etc/shells checking (I'll note that openSSH
> has the "UseLogin" option, which may also do this.
>
> 4) An option to pam_unix to check this. Differs from #2 in that it's a
> change to an existing module instead of one in ports.

5) Use AllowGroups/AllowUsers and/or their Deny equivalent in sshd_config.

6) Disable password based logins and use keys only.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
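Mel's points 5 and 6 are configuration changes to sshd rather than new code. As an added example (not part of the thread or of the OpenSSH project), the script below writes a constructed sshd_config fragment that combines both suggestions, AllowGroups for a local group and key-only authentication, and then audits a config file for those two directives the way sshd itself reads them (first occurrence of a keyword wins, comment lines ignored). The group name "sshusers", the temp-file paths and the function names are assumptions made for the example; Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenSSH.
# Writes a constructed sshd_config fragment, then audits it for the two
# restrictions discussed in the thread: AllowGroups and key-only logins.

# Constructed sample config (the group "sshusers" is an assumption).
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# Only members of the local group "sshusers" may log in over ssh.
# sshd checks this against the group database before authentication
# finishes, so NIS accounts outside the group are refused.
AllowGroups sshusers

# Key-only authentication: sshd never consults NIS password hashes.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

# Print the effective value of a directive in a config file.
# sshd uses the first occurrence of a keyword and ignores '#' comments;
# keywords are matched case-insensitively, as sshd does.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        !found && tolower($1) == key {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            found = 1
        }
        END { print val }
    ' "$1"
}

# Audit a config file: returns 0 when both restrictions are present,
# 1 otherwise, printing one line per finding.
audit_sshd_config() {
    cfg="$1"
    rc=0
    groups=$(sshd_directive "$cfg" AllowGroups)
    pw=$(sshd_directive "$cfg" PasswordAuthentication)

    if [ -z "$groups" ]; then
        echo "WARN: no AllowGroups directive; any account with a valid shell may log in"
        rc=1
    else
        echo "OK: AllowGroups = $groups"
    fi

    # sshd defaults PasswordAuthentication to yes when the directive is absent.
    if [ "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "WARN: PasswordAuthentication is '${pw:-yes (default)}'; set it to no"
        rc=1
    else
        echo "OK: PasswordAuthentication = no"
    fi
    return $rc
}

# Usage: audit the constructed sample; on a real host point it at
# /etc/ssh/sshd_config (or at the output of 'sshd -T' for effective values).
audit_sshd_config "$SAMPLE_CFG"
```

Both restrictions are independent: AllowGroups decides who may authenticate at all, and PasswordAuthentication no removes the NIS password as a credential for those who may. The audit function is a static check of the file; on a live host, `sshd -T` reports the values sshd actually applies and is the better input when the config includes Match blocks.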