sshd not respecting login.access
Cordula's Web
cpghost at cordula.ws
Thu Nov 27 16:43:55 PST 2003
> I've been using login.access for a long while, it hasn't occurred to
> me until now that sshd isn't taking that file into account. No users
> (except me) can log in to my system with telnet and they shouldn't
> with sshd.
login.access is only used by login(1), not by sshd.
This is also the reason why time-limited logins and other nice
configurable features are not possible to enforce with ssh. They
are login(1)-specific.
> Is there a workaround for this? Wouldn't it be considered a serious
> bug that sshd doesn't parse this file?
You could enable UseLogin in /etc/ssh/sshd_config
but this is NOT recommended! See sshd_config(5).
If sshd were fully PAMified, you could try to plug in some PAM
modules to enforce access policy. You'll have to test your setup
thoroughly. I've tried this with a custom time class PAM module
only to discover that sshd doesn't really interact all that well
with such modules. Beware, and test.
> Best Regards
> Jonas Trollvik
--
Cordula's Web. http://www.cordula.ws/
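
An added example, not part of the original message: a small Python audit that lists accounts a login.access file denies while sshd_config leaves UseLogin off, so the denial applies to login(1) but not to ssh logins. The file contents, the users alice and bob, the origin address, and the simplified matching (plain user names, ALL and EXCEPT in the users field; literal origins or ALL) are assumptions for illustration.

```python
# Constructed sample files (not taken from the original post).
LOGIN_ACCESS = """\
# permission:users:origins
+:jonas:ALL
-:ALL:ALL
"""
SSHD_CONFIG = """\
#UseLogin no
PasswordAuthentication yes
"""

def parse_login_access(text):
    """Return (permit, users, excepted_users, origins) per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") < 2:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        listed, _, excepted = users.partition(" EXCEPT ")
        rules.append((perm == "+", listed.split(), excepted.split(), origins.split()))
    return rules

def login_allows(rules, user, origin):
    """First matching rule decides; no matching rule means access is granted.
    Simplified: groups, LOCAL and host/domain patterns are not handled."""
    for permit, listed, excepted, origins in rules:
        user_hit = ("ALL" in listed or user in listed) and user not in excepted
        origin_hit = "ALL" in origins or origin in origins
        if user_hit and origin_hit:
            return permit
    return True

def uselogin_enabled(config):
    """Keywords are case-insensitive; the first uncommented value is used."""
    for line in config.splitlines():
        parts = line.strip().replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "uselogin":
            return parts[1].lower() == "yes"
    return False  # sshd_config(5) default is "no"

def unenforced_denials(access_text, config, users, origin):
    """Users login(1) would refuse from `origin` that sshd does not check."""
    if uselogin_enabled(config):
        return []
    rules = parse_login_access(access_text)
    return [u for u in users if not login_allows(rules, u, origin)]

if __name__ == "__main__":
    for user in unenforced_denials(LOGIN_ACCESS, SSHD_CONFIG, ["jonas", "alice", "bob"], "192.0.2.10"):
        print(f"{user}: denied by login.access, not enforced for ssh logins")
```
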