
login.access and sshd


Mike Tancsa

Oct 6, 1999, 3:00:00 AM

Is there any way to get sshd honour login.access ? Or at least control who
is and is not allowed to login on a per user or group basis ?

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400
Network Administrator, mi...@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada




Joseph Scott

Oct 6, 1999, 3:00:00 AM

Mike Tancsa wrote:
>
> Is there any way to get sshd honour login.access ? Or at least control who
> is and is not allowed to login on a per user or group basis ?

From man sshd, under the CONFIGURATION FILE section :

AllowGroups
This keyword can be followed by any number of group
name patterns, separated by spaces. If specified,
login is allowed only if users primary group name
matches one of the patterns. '*' and '?' can be
used as wildcards in the patterns. By default,
logins as all users are allowed.

Note that the all other login authentication steps
must still be successfully completed. AllowGroups
and DenyGroups are additional restrictions.

....

AllowUsers
This keyword can be followed by any number of user
name patterns or user@host patterns, separated by
spaces. Host name may be either the dns name or the
ip address. If specified, login is allowed only as
users whose name matches one of the patterns. '*'
and '?' can be used as wildcards in the patterns.
By default, logins as all users are allowed.

Note that the all other login authentication steps
must still be successfully completed. AllowUsers
and DenyUsers are additional restrictions.


This should do what you are asking, however I could see having sshd
respect login.access make sense, that way you only have to configure access
control in place.

--

Joseph Scott
joseph...@owp.csus.edu
Office Of Water Programs - CSU Sacramento
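
An added example, not part of the original thread and not sshd's own code: a small Python model of the AllowUsers/AllowGroups rules quoted from the man page above, useful for dry-running a policy before deploying it. The Deny* handling (a match refuses the login), case-insensitive keywords, and the sample policy and addresses are assumptions.

```python
import re

KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}

# Constructed sample policy (not from the thread).
SAMPLE = """\
AllowGroups staff wheel
AllowUsers mike admin@192.0.2.*
DenyUsers guest*
"""

def parse_policy(text):
    """Collect the patterns for each access keyword in an sshd config text."""
    policy = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Assumption: keywords are matched case-insensitively.
        if fields and fields[0].lower() in KEYWORDS:
            policy.setdefault(fields[0].lower(), []).extend(fields[1:])
    return policy

def wild(pattern, value):
    """Match with only the two wildcards the man page names: '*' and '?'."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def user_match(patterns, user, hosts):
    """True if any 'user' or 'user@host' pattern matches; hosts holds the
    client's DNS name and/or IP address."""
    for pat in patterns:
        upat, at, hpat = pat.partition("@")
        if wild(upat, user) and (not at or any(wild(hpat, h) for h in hosts)):
            return True
    return False

def login_permitted(user, primary_group, hosts, policy):
    """Access decision only; authentication must still succeed separately."""
    # Assumption: a Deny* match refuses the login regardless of Allow*.
    if user_match(policy.get("denyusers", []), user, hosts):
        return False
    if any(wild(p, primary_group) for p in policy.get("denygroups", [])):
        return False
    # An Allow* list restricts only when it is specified.
    if "allowusers" in policy and not user_match(policy["allowusers"], user, hosts):
        return False
    if "allowgroups" in policy and not any(
            wild(p, primary_group) for p in policy["allowgroups"]):
        return False
    return True
```
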

Mike Tancsa

Oct 6, 1999, 3:00:00 AM

At 08:43 PM 10/6/99 +0000, Joseph Scott wrote:
>
>Mike Tancsa wrote:
>>
>> Is there any way to get sshd honour login.access ? Or at least control who
>> is and is not allowed to login on a per user or group basis ?
>
>From man sshd, under the CONFIGURATION FILE section :
>
> AllowGroups
>This should do what you are asking, however I could see having sshd
>respect login.access make sense, that way you only have to configure access
>control in place.
>

Thanks. On the box I was working on, it had ssh2 installed as well as the
old one, but I neglected to look at the man pages for sshd1 to see those
options.
When logging in via ssh1, it does honour the AllowUsers and Denyusers setup
I have installed. But if the client is using V2, it does not seem to
honour that setting ? I have them in both config files.

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400
Network Administrator, mi...@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada

Joseph Scott

Oct 6, 1999, 3:00:00 AM

Mike Tancsa wrote:
>
> Thanks. On the box I was working on, it had ssh2 installed as well as the
> old one, but I neglected to look at the man pages for sshd1 to see those
> options.
> When logging in via ssh1, it does honour the AllowUsers and Denyusers setup
> I have installed. But if the client is using V2, it does not seem to
> honour that setting ? I have them in both config files.
>
> ---Mike

This may sound a little backwards, but it may solve your problem, only
use sshd1. I believe what will happen then is ssh1 clients will connect
fine and ssh2 clients will fall back to ssh1 protocols. I'm not for
sure about that, but I seem to remember that being the case.

--

Joseph Scott
joseph...@owp.csus.edu
Office Of Water Programs - CSU Sacramento
