About this topic, there is a trick that can be done, which of course is
not to disable user access, as it sounds.
PAM_file can be used for ssh connections. This feature reads a list of
allowed users from a file (i.e. in the root directory).
If a user is in the list he can get in; otherwise, he can't. It's a clean
solution because you only have to define who is allowed, which of
course would be fewer people than those not allowed ;)
Another thing is to use a non-standard port for ssh connections, and to
use pfSense synproxy features.
Again, it is necessary to say that the ssh daemons should not be accepting
RSA keys and must be forced to be interactive (to avoid login scripts done
in expect or so).
Hope this helps!!
Travis H. wrote:
ssh needs to be open on the WAN interface and all users that have a real
shell could be disabled for security concerns.
Be careful when trying to disable users via their login shell:
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B