[clug] Starting k/ubuntu - Debian

Michael Cohen michael.cohen at netspeed.com.au
Tue May 15 00:18:29 GMT 2007


On Tue, May 15, 2007 at 09:49:39AM +1000, Andrew Janke wrote:
> >It's probably also worth mentioning at this point /etc/security/access.conf
> >which can specify which account is allowed to log in from where (or not at
> >all). This way you can have no users allowed to log in at all except one or two
> >users. Also important is to disable password logins and only use keys - which
> >will stop all those password grinding kiddies.
> 
> Learn something every day.. I have always just used /etc/ssh/sshd.conf for this.
> Do these two interact in some way?  Or are they just additive?

The access.conf is used by all login programs through PAM, so it covers gdm,
mingetty etc. I usually do something like:

+:mic:ALL
+:ALL:10.

This says that mic (my username) is allowed to log in from everywhere, but
everyone else can only log in from the 10. network. This is because I just know
the rest of the family have crappy passwords but there is nothing I can do
about it.

I think this is in addition to all the rules imposed by hosts.allow/hosts.deny,
iptables etc. I actually was not aware you can specify which users can log in
from where using sshd.conf (if so can you provide an example?). I.e. each of
those subsystems has a chance to stop the login in turn.

Michael.
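
Added example (not part of the original message): a small Python model of how pam_access walks access.conf, first match wins and a login that matches no rule is granted, run over the two rules quoted above and over the same rules with a closing `-:ALL:ALL` line. The closing line, the user name `kid` and all addresses are assumptions constructed for the illustration, and only the rule forms used in the message are modelled.

```python
# Added illustration: simplified model of pam_access rule evaluation.
# Handles only the forms used in the message: ALL, a literal user name,
# an exact origin, and a network prefix ending in "." (e.g. "10.").

def parse_rules(text):
    """Parse access.conf text into (permission, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def _user_match(tokens, user):
    return any(t == "ALL" or t == user for t in tokens)

def _origin_match(tokens, origin):
    return any(t == "ALL" or t == origin or
               (t.endswith(".") and origin.startswith(t)) for t in tokens)

def decide(rules, user, origin):
    """First matching rule wins; with no match, access is granted."""
    for perm, users, origins in rules:
        if _user_match(users, user) and _origin_match(origins, origin):
            return perm == "+"
    return True  # pam_access default when nothing matches

AS_POSTED = "+:mic:ALL\n+:ALL:10.\n"
# Closing deny line: an assumption added for comparison, not in the message.
WITH_DENY = AS_POSTED + "-:ALL:ALL\n"

# Constructed sample logins (user "kid" and all addresses are made up).
SAMPLES = [("mic", "203.0.113.7"), ("kid", "10.0.0.5"), ("kid", "203.0.113.7")]

def evaluate(conf):
    """Return the allow/deny decision for each sample login, in order."""
    rules = parse_rules(conf)
    return [decide(rules, u, o) for u, o in SAMPLES]

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("with -:ALL:ALL", WITH_DENY)):
        print(name, dict(zip(SAMPLES, evaluate(conf))))
```

With only the two `+` lines, the third sample (a non-mic user from outside 10.) falls through to the default and is allowed; the closing deny line is what turns it into a refusal.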

