I'm looking for a way to restrict specified users to a specific interface or network. Our ftp server is in a DMZ and I'd like some accounts to be able to ftp in only from the internal network. Either interface name or a list of subnets would be acceptable.

From the research I've done, pam_listfile gets close. It restricts globally using the ftpusers file. If I could combine this with an interface, then I could have ftpusers-internal and ftpusers-external restrictions.

2 questions:

At this point in the authentication process, does pam_listfile know what interface or subnet the user came in on? Obviously I'm not much of a PAM expert.

Secondly, if this information is known, how much effort would it be to add the option to pam_listfile? Interface name would be preferred since eth0 is much easier to deal with than 10 subnets...

Am I barking up the wrong tree? Is there another mechanism that I'm not aware of yet that is better suited to this level of checking?

This server is currently running 6.2 (pam 0.72)

Thanks,
.../Ed

--
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@ewilts.org
Member #1, Red Hat Community Ambassador Program

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list