sshd not respecting login.access
Jonas Trollvik
Jonas.Trollvik at telia.com
Sat Nov 29 11:40:42 PST 2003
Thanks, I'll go for the uselogin option since Im only going to use it for
text-terminals.
Would there be any security risks using this option?
Best Regards
Jonas Trollvik
----- Original Message -----
From: "Cordula's Web" <cpghost at cordula.ws>
To: <Jonas.Trollvik at telia.com>
Cc: <freebsd-questions at freebsd.org>
Sent: Friday, November 28, 2003 1:43 AM
Subject: Re: sshd not respecting login.access
> > I've been using login.access for a long while, it hasnt occured to
> > me until now that sshd isnt taking that file into account. No users
> > (except me) can log in to my system with telnet and they shouldnt
> > with sshd.
>
> login.access is only used by login(1), not by sshd.
>
> This is also the reason why time-limited logins and other nice
> configurable features are not possible to enforce with ssh. They
> are login(1)-specific.
>
> > Is there a workaround for this? Wouldnt it be considered a serious
> > bug that sshd doesnt parse this file?
>
> You could enable UseLogin in /etc/ssh/sshd_config
> but this is NOT recommended! See sshd_config(5).
>
> If sshd were fully PAMified, you could try to plug in some pam
> modules to enforce access policy. You'll have to test your setup
> thoroughly. I've tried this with a custom time class PAM module
> only to discover that sshd doesn't really interact all that well
> with such modules. Beware, and test.
>
> > Best Regards
> > Jonas Trollvik
>
> --
> Cordula's Web. http://www.cordula.ws/
>
More information about the freebsd-questions
mailing list