Re: PAM and login.conf + SSH and IMAP
From: Paul Sandys (myj_at_nyct.net)
Date: 02/13/05
Date: Sat, 12 Feb 2005 21:01:45 -0500 (EST)
To: Theodore Knab <tjk@annapolislinux.org>
On Fri, 11 Feb 2005, Theodore Knab wrote:
> Date: Fri, 11 Feb 2005 10:17:30 -0500
> From: Theodore Knab <tjk@annapolislinux.org>
> To: Paul Sandys <myj@nyct.net>, freebsd-isp@freebsd.org
> Subject: Re: PAM and login.conf + SSH and IMAP
>
> I have never used the /etc/login.access to limit access.
>
> However, I have used other things, which are listed here.
>
> If you are trying to limit regular users from connecting to your system via
> their IMAP password that is in /etc/passwd, you could do the following:
>
> 1. Add an access list to the /etc/pam.d/ssh file
> auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail
There's no pam_listfile.so module in FreeBSD 5.3 - this would be a good solution
though.
>
> 2. Don't give the users on IMAP a shell account.
> /bin/false or /dev/null as their login shell
I need real shell in there.
It's funny how PAM should give you all the flexibility you need and I'm stuck
on such a straightforward scenario.
P.
>
> 3. Firewall the machine so only a few IP's can use ssh.
That wouldn't work either in this situation.
>
>
> On 08/02/05 00:05 -0500, Paul Sandys wrote:
> >
> > I need to block ssh access to wheel only and at the same time allow IMAP access
> > to any user.
> >
> > When I put following in /etc/login.access, the ssh behaves the way I want:
> > +:wheel:ALL
> > -:ALL:ALL
> >
> > However, it also denies imap access. I'm trying different options in
> > /etc/pam.d/imap without any success. Is there a PAM module that would
> > authenticate using system password file and disregard /etc/login.access ?
> >
> > Any suggestions ?
> >
> > Thanks,
> > Paul
> >
> >
> > Paul Sandys
> > network operations manager
> > http://www.nyct.net/
> > 212.293.2620
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
> --
> ------------------------------------------
> Ted Knab
> Chester, Maryland 21619 USA
> ------------------------------------------
> The perception of knowledge is an egotistical farce in which
> humans extrapolate from simplifications.
>
> Proud Graduate of the 'Wack a Mole' Academy of Psydo Sciences.
>
> Legal Disclaimer:
> -------------------------------------
> This e-mail is privileged, confidential and subject to the
> GNU public licence. Any unauthorized use or disclosure of its contents is
> strictly prohibited and will result in a intensive investigation by the
> unofficial enforcement agencies whom are watching you read this email.
> The views expressed in this communication may not necessarily be
> the views held by the Scottish Borders Council, the Japanese Education Ministry,
> the Annapolis Linux Users group, or the author whom composed it.
>
Paul Sandys
network operations manager
http://www.nyct.net/
212.293.2620
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
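
Added example, not part of the original thread: a minimal evaluator for the login.access rule format quoted above, showing why the two rules give non-wheel users the same denial for every service that consults the file. The rule format has fields for permission, users and origins only, so the service name cannot influence the verdict. Group membership, user names and the origin address are constructed, and only ALL, user/group names and EXCEPT are handled.

```python
# Constructed sample data: group membership is an assumption for illustration.
GROUPS = {"wheel": {"root", "paul"}}

# The two rules quoted in the thread.
RULES = """\
+:wheel:ALL
-:ALL:ALL
"""

def parse_rules(text):
    """Parse login.access text into (permission, users, origins) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % perm)
        rules.append((perm, users.split(), origins.split()))
    return rules

def list_match(tokens, item, groups=None):
    """True if item matches a token before EXCEPT and none after it."""
    for i, tok in enumerate(tokens):
        if tok == "EXCEPT":
            break  # nothing matched before the EXCEPT keyword
        if tok == "ALL" or tok == item or (groups and item in groups.get(tok, ())):
            rest = tokens[i + 1:]
            if "EXCEPT" in rest:
                exceptions = rest[rest.index("EXCEPT") + 1:]
                return not list_match(exceptions, item, groups)
            return True
    return False

def access_allowed(user, origin, rules, groups=GROUPS):
    """The first matching rule decides; no match means access is granted."""
    for perm, users, origins in rules:
        if list_match(users, user, groups) and list_match(origins, origin):
            return perm == "+"
    return True

def verdicts(user, origin="192.0.2.10", services=("sshd", "imap")):
    """Evaluate the same rules for each service name."""
    rules = parse_rules(RULES)
    # The service name never reaches access_allowed(): no rule field carries it.
    return {svc: access_allowed(user, origin, rules) for svc in services}

if __name__ == "__main__":
    for name in ("paul", "alice"):
        print(name, verdicts(name))
```

Any per-service difference therefore has to come from which PAM service files invoke the login.access check, not from the rules themselves.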