openssh question

Darren Tucker dtucker at zip.com.au
Tue Nov 9 11:49:20 EST 2010


On 9/11/10 1:45 AM, ynon repoport wrote:
> The denyUsers / AllowUsers option in openSSH does not satisfy our
> needs.
>
> We want to supply our own software to allow/deny sessions based on
> time of day.
>
> I do not know if PAM can do this, but in any case we can not use
> PAM.

A PAM module could do this (eg LinuxPAM's pam_time).

> ? Did someone do such a change in openSSH code

You could potentially add code to Match to invoke an external program, 
but it would have to be done very carefully to avoid introducing a 
security problem.

Can you describe the system some more?  There might be a simple solution 
(eg you could swap sshd_config files and SIGHUP sshd from a cron job).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list