
Re: openssh-server's default config is dangerous



>> Reminds me of a need I couldn't conveniently satisfy: allow known weak
>> passwords on some specific user accounts but make sure you can not use
>> them remotely (in my case I only wanted to allow GDM logins for them).
>> E.g. make it so that sshd only lets you login if your user is in the
>> "ssh-able" group or some such, just like we do for sudo.
> I think that is what AllowGroups and DenyGroups (and their twins
> -Users) in the sshd_config are for.

Indeed, I just saw those replies.  Didn't know about AllowGroups.

This said, it doesn't quite address my need: rather than say "only allow
SSH access to userfoo and userbar", I'd like to do "disallow non-GDM
access for userfoo and userbar".

The main issue is the difference between SSH and non-GDM: how do I make
sure non-GDM/non-SSH accesses are also disallowed?

It's really something that should be addressed in PAM rather than in
SSH's config.


        Stefan
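
The AllowGroups/DenyGroups (and -Users) behaviour discussed in this message, as an added example that is not part of the original post: a small evaluator that applies the four directives in the order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups) to compare the allowlist and denylist styles. The group name "weakpw", the accounts "alice" and "bob" and both sample configs are constructed; Match blocks, USER@HOST patterns and "!" negation are not modelled, and the result covers sshd only, not other login paths.

```python
import re

# Evaluation order documented in sshd_config(5).
ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

def parse_directives(config_text):
    """Collect patterns for the four access directives (repeats accumulate)."""
    canonical = {name.lower(): name for name in ORDER}
    rules = {name: [] for name in ORDER}
    for line in config_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = canonical.get(parts[0].lower())  # keywords are case-insensitive
        if key:
            rules[key].extend(parts[1:])
    return rules

def _matches(patterns, names):
    """True if any name matches any pattern; only '*' and '?' are wildcards."""
    for pat in patterns:
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if any(re.fullmatch(rx, n) for n in names):
            return True
    return False

def ssh_login_allowed(rules, user, groups):
    """Return (allowed, deciding_directive) for one account."""
    if _matches(rules["DenyUsers"], [user]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not _matches(rules["AllowUsers"], [user]):
        return False, "AllowUsers"
    if _matches(rules["DenyGroups"], groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not _matches(rules["AllowGroups"], groups):
        return False, "AllowGroups"
    return True, None

# Constructed sample configs and accounts (not taken from any real system).
ALLOWLIST = "AllowGroups ssh-able\n"
DENYLIST = "# weak-password accounts\nDenyGroups weakpw\n"
ACCOUNTS = {"userfoo": ["userfoo", "weakpw"],
            "alice": ["alice", "ssh-able"],
            "bob": ["bob"]}

if __name__ == "__main__":
    for label, text in (("allowlist", ALLOWLIST), ("denylist", DENYLIST)):
        rules = parse_directives(text)
        for user, groups in ACCOUNTS.items():
            print(label, user, ssh_login_allowed(rules, user, groups))
```

With the allowlist config every account outside "ssh-able" is refused, while the denylist config refuses only members of "weakpw" and leaves everyone else untouched.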

