Date: Thu, 11 Dec 2008 09:11:26 +0100 From: Mel <fbsd.questions@rachie.is-a-geek.net> To: freebsd-questions@freebsd.org Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, Dan Nelson <dnelson@allantgroup.com> Subject: Re: How to block NIS logins via ssh? Message-ID: <200812110911.27184.fbsd.questions@rachie.is-a-geek.net> In-Reply-To: <alpine.BSF.2.00.0812110005480.2179@prime.gushi.org> References: <alpine.BSF.2.00.0812100440400.49382@prime.gushi.org> <20081210191617.GD82227@dan.emsphone.com> <alpine.BSF.2.00.0812110005480.2179@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 11 December 2008 08:10:09 Dan Mahoney, System Admin wrote:
> Given, there's several solutions to this:
>
> 1) The Kluge as above.
>
> 2) A pam module to check /etc/group (this is standard login behavior, and
> historically supported, and available on other platforms, adding a module,
> even to ports, is trivial.
>
> 3) A patch to openssh to do /etc/shells checking (I'll note that openSSH
> has the "UseLogin" option, which may also do this.
>
> 4) An option to pam_unix to check this. Differs from #2 in that it's a
> change to an existing module instead of one in ports.
5) Use AllowGroups/AllowUsers and/or their Deny equivalent in sshd_config.
6) Disable password based logins and use keys only.
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200812110911.27184.fbsd.questions>