Date: Thu, 11 Dec 2008 09:11:26 +0100
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, Dan Nelson <dnelson@allantgroup.com>
Subject: Re: How to block NIS logins via ssh?
Message-ID: <200812110911.27184.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <alpine.BSF.2.00.0812110005480.2179@prime.gushi.org>
References: <alpine.BSF.2.00.0812100440400.49382@prime.gushi.org> <20081210191617.GD82227@dan.emsphone.com> <alpine.BSF.2.00.0812110005480.2179@prime.gushi.org>

On Thursday 11 December 2008 08:10:09 Dan Mahoney, System Admin wrote:

> Given, there's several solutions to this:
>
> 1) The Kluge as above.
>
> 2) A pam module to check /etc/group (this is standard login behavior, and
> historically supported, and available on other platforms, adding a module,
> even to ports, is trivial.
>
> 3) A patch to openssh to do /etc/shells checking (I'll note that openSSH
> has the "UseLogin" option, which may also do this.
>
> 4) An option to pam_unix to check this. Differs from #2 in that it's a
> change to an existing module instead of one in ports.

5) Use AllowGroups/AllowUsers and/or their Deny equivalent in sshd_config.

6) Disable password based logins and use keys only.

--
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
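
An added example, not part of the original message: a small check that options 5 and 6 are actually in force, run over text in the format printed by `sshd -T`. It assumes the usual PAM behaviour where keyboard-interactive authentication can still prompt for a password after PasswordAuthentication is set to no; the group name `sshlocal` and the sample input are constructed for illustration.

```python
# Added example: audit effective sshd settings for options 5 and 6 above.
# Input is text shaped like `sshd -T` output: lowercase keyword, then value(s).
ACCESS_LISTS = ("allowusers", "allowgroups", "denyusers", "denygroups")
PASSWORD_PATHS = ("passwordauthentication", "kbdinteractiveauthentication",
                  "challengeresponseauthentication")  # older name, same knob

def parse_effective(text):
    """Return {keyword: [values]}; access-list keywords accumulate."""
    cfg = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, vals = parts[0].lower(), parts[1:]
        if key in ACCESS_LISTS:
            cfg.setdefault(key, []).extend(vals)  # sshd -T prints one per line
        else:
            cfg.setdefault(key, vals)             # first occurrence wins
    return cfg

def first(cfg, key, default=""):
    """First value of a keyword, lowercased, or the default if unset/empty."""
    return (cfg.get(key) or [default])[0].lower()

def audit(text):
    """Return a list of findings; an empty list means both options hold."""
    cfg = parse_effective(text)
    findings = []
    if not any(cfg.get(k) for k in ACCESS_LISTS):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups: "
                        "any account the name service resolves may log in")
    for key in PASSWORD_PATHS:
        if first(cfg, key) == "yes":
            findings.append(f"{key} yes: passwords are still accepted")
    if first(cfg, "pubkeyauthentication", "yes") != "yes":
        findings.append("pubkeyauthentication is off: keys-only cannot work")
    return findings

# Constructed sample: option 5 applied, option 6 only half applied.
PARTIAL = """\
allowgroups sshlocal
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes
"""

if __name__ == "__main__":
    for finding in audit(PARTIAL):
        print(finding)
```
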