[techtalk] login restriction

Susannah D. Rosenberg indrani at mindspring.com
Fri Jul 7 17:54:44 EST 2000


Aaron Malone wrote:
> 
> On Fri, Jul 07, 2000 at 05:36:41PM -0400, Susannah D. Rosenberg wrote:
> > maybe "dodgy" is a bad word. "non-extensible" and "kludge" might be
> > better. it probably comes down to the fact that, personally, i don't
> > like to fsck around with things like /etc/passwd if i don't have to.
> > call me paranoid; for some reason, it always makes me nervous. then
> > again, i like to do as little as root as humanly possible. okay, i guess
> > i am paranoid. :)
> 
> Well, you never have to directly touch /etc/passwd for this. man
> chsh.  And I must confess I'm not really sure what you mean by
> "non-extensible".  Extensibility is certainly important in protocols
> and filespecs, but I just don't see it as an issue here, where all I
> want to do is restrict people from logging in via telnet/ssh/ftp
> (well, maybe ftp).

it's the ftp that mainly i'm talking about here. think the
slowly-becoming-ubiquitous 'www' group (ie, "yes, you can
log into ftp, but only to these directories, from these IP addresses,
nyeah nyeah"). :) (which is, btw, when i bother to set up ftp servers
correctly, my preferred way of doing business -- then again, i'm also
fond of madly disempowering the 'users' group, then cheerfully adding
/lots/ and /lots/ and /lots/ of interesting 'supplementary' groups with
functionality based on... uh... function. modularity-fetishism at its
finest.)

> <shrug>
> 
> Incidentally, does the /etc/security/access.conf thing work with ssh?
> I just tried disabling my access to our mail server, but it still let
> me in.  I didn't spend much time on the docs, maybe I did it wrong. :)

sorry, no clue. oooh... <peers into /etc/security/group.conf>. damn.
it's like a little howto on being a group-based access nazi. cool!

quote from the default suse group.conf:
'# **** Example: games are alowed between the hours of 6pm and 6am.'


wow. how mind-bogglingly evil and restrictive. :)




