sshd not respecting login.access

Cordula's Web cpghost at cordula.ws
Thu Nov 27 16:43:55 PST 2003


> I've been using login.access for a long while, it hasnt occured to
> me until now that sshd isnt taking that file into account. No users
> (except me) can log in to my system with telnet and they shouldnt
> with sshd.

login.access is only used by login(1), not by sshd.

This is also the reason why time-limited logins and other nice
configurable features are not possible to enforce with ssh. They
are login(1)-specific.

> Is there a workaround for this? Wouldnt it be considered a serious
> bug that sshd doesnt parse this file?

You could enable UseLogin in /etc/ssh/sshd_config
but this is NOT recommended! See sshd_config(5).

If sshd were fully PAMified, you could try to plug in some pam
modules to enforce access policy. You'll have to test your setup
thoroughly. I've tried this with a custom time class PAM module
only to discover that sshd doesn't really interact all that well
with such modules. Beware, and test.

> Best Regards
> Jonas Trollvik

-- 
Cordula's Web. http://www.cordula.ws/



More information about the freebsd-questions mailing list