[clug] Starting k/ubuntu - Debian

Michael Cohen michael.cohen at netspeed.com.au
Tue May 15 00:18:29 GMT 2007

On Tue, May 15, 2007 at 09:49:39AM +1000, Andrew Janke wrote:
> >Its probably also worth mentioning at this point /etc/security/access.conf
> >which can specifiy which account is allowed to log in from where (or not at
> >all). This way you can have no users allowed to log in at all except one 
> >or two
> >users. Also important is to disable password logins and only use keys - 
> >which
> >will stop all those password grinding kiddies.
> Learn something everyday.. I have always just used /etc/ssh/sshd.conf for 
> this.
> Do these two interact in someway?  Or are just additive?

The access.conf is used by all login programs through pam, so it covers gdm,
mingetty etc. I usually do something like:


This says that mic (my username) is allowed to log in from everywhere, but
everyone else can only log in from the 10. network. This is because I just know
the rest of the family have crappy passwords but there is nothing i can do
about it.

I think this is in addition to all the rules imposed by hosts.allow/hosts.deny,
iptables etc. I actually was not aware you can specify which users can login
from where using sshd.conf (if so can you provide an example?). I.e. each of
those subsystems have a chance to stop the login in turn.


More information about the linux mailing list