>> Reminds me of a need I couldn't conveniently satisfy: allow known weak
>> passwords on some specific user accounts but make sure you can not use
>> them remotely (in my case I only wanted to allow GDM logins for them).
>> E.g. make it so that sshd only lets you login if your user is in the
>> "ssh-able" group or some such, just like we do for sudo.
> I think that is what AllowGroups and DenyGroups (and their twins
> -Users) in the sshd_config are for.

Indeed, I just saw those replies. Didn't know about AllowGroups.

This said, it doesn't quite address my need: rather than say "only allow SSH access to userfoo and userbar", I'd like to do "disallow non-GDM access for userfoo and userbar". The main issue is the difference between SSH and non-GDM: how do I make sure non-GDM/non-SSH accesses are also disallowed?

It's really something that should be addressed in PAM rather than in SSH's config.

Stefan
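
The two approaches discussed in this message, side by side, as an added example that is not part of the original thread: the sshd_config directive from the quoted reply, and a PAM rule pair using pam_succeed_if that refuses the restricted accounts on every service except GDM. The group name `gdm-only`, the GDM service names and the `common-auth` path are assumptions; they vary by distribution.

```conf
# --- /etc/ssh/sshd_config -------------------------------------------
# The approach from the quoted reply. It only covers sshd: console
# login, su, ftp and any other PAM client are unaffected.
# "gdm-only" is a hypothetical group holding the weak-password accounts.
DenyGroups gdm-only

# --- top of the shared auth stack -----------------------------------
# Assumed location: /etc/pam.d/common-auth (Debian-style layout); other
# distributions use a different shared file such as system-auth.
#
# Rule 1: if the calling PAM service is one of GDM's, skip the next
# rule. The service names below are assumptions; check the file names
# in /etc/pam.d/ on the target system (older releases use plain "gdm").
auth  [success=1 default=ignore]  pam_succeed_if.so quiet service in gdm-password:gdm-autologin

# Rule 2: for every other service, fail immediately when the user is a
# member of gdm-only, before any password module runs. quiet_success
# keeps normal logins out of the log while still logging refusals.
auth  requisite                   pam_succeed_if.so quiet_success user notingroup gdm-only

# ... the distribution's existing auth lines (pam_unix.so etc.) follow.
```

The rule pair only applies to services whose `/etc/pam.d` file includes the shared stack, so each service file should be checked for that include. sshd public-key logins do not pass through the PAM auth stack, which is why the `DenyGroups` line is kept alongside the PAM rules.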