On Mon, Jul 27, 2015 at 08:07:32PM -0600, Chris Murphy wrote:
> >> Not the user, the GUI asks a service to do the editing COW style -
> >> write out a .new and once that succeeds, then rename current to old
> >> and new to current.
> > Yes, I assumed that. What if there is an existing configuration?
> It would always use /etc/ssh/sshd_config whether it's the default
> installed, or a user modified one. The GUI Remote Login toggle would
> toggle both sshd.service stop/start/enable/disable states, and
> AllowUsers list.

So something has to be able to parse this file. I guess the main
complication is making sure that AllowUsers occurs before any Match blocks.
And avoiding any AllowGroups/DenyGroups complication.

Oh! An alternative which avoids any file parsing or writing: add an
"ssh-access" or similar group, configure default sshd_config with
"AllowGroups ssh-access". (Could be a Workstation-only sshd_config.)

On another note, I see that _all_ of the other sharing options are actually
_per network_. Maybe the "remote login" option should be the same?

> Maybe PAM can be leveraged for this, since sshd_config defers to PAM
> already for authentication. So sshd could just ask PAM rather than
> modifying sshd_config directly.

Hmmm, maybe.

-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
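
The ordering concern raised in the message above (AllowUsers has to occur before any Match block, and AllowGroups/DenyGroups complicate the result), as an added example that is not part of the original message or of any Fedora tool: a Python check that a helper service could run over sshd_config before editing it. The function name, finding codes and both sample configurations are constructed for illustration.

```python
import re

GROUP_KEYWORDS = {"allowgroups", "denygroups"}

def audit_sshd_config(text):
    """Return (line_number, code) findings about AllowUsers placement."""
    findings = []
    match_line = None     # line of the first Match block, if any
    global_allow = False  # AllowUsers seen before any Match block
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; split keyword from its arguments.
        keyword = re.split(r"[\s=]+", line, maxsplit=1)[0].lower()
        if keyword == "match":
            if match_line is None:
                match_line = num
        elif keyword == "allowusers":
            if match_line is None:
                global_allow = True
            else:
                # Inside a Match block the list only applies conditionally.
                findings.append((num, "allowusers-in-match"))
        elif keyword in GROUP_KEYWORDS:
            # Group rules are evaluated in addition to AllowUsers.
            findings.append((num, "group-rule"))
    if not global_allow:
        findings.append((0, "no-global-allowusers"))
    return findings

# Constructed sample: AllowUsers ends up scoped to a Match block.
SAMPLE_BAD = """\
# constructed sample, not a real Fedora default
PermitRootLogin no
AllowGroups wheel
Match Address 192.0.2.0/24
    AllowUsers alice
"""

# Constructed sample: AllowUsers is global and precedes the Match block.
SAMPLE_OK = "AllowUsers alice bob\nMatch User bob\n    X11Forwarding no\n"

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, audit_sshd_config(cfg))
```

A finding with line number 0 refers to the file as a whole rather than to one directive.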