I think that this is a good idea.
  While the listed items apply clearly to telnetd/login/rlogind, the most
pressing need that I have is to be able to create classes of logins that can:
	 1) ftp, pop, login (on a dialup) but not telnet/ssh-with-plain-password
	 2) ssh with a password, but not ftp, pop, login, or telnet
	 3) login (on a dialup), but no network logins

  I don't care if we don't edit all the daemons, just so long as the
expressive power is there.
  Also, force chroot for certain classes of users.

  Plus, other variations that try to one to provide clear-text-fixed-passwords
for certain low-risk services (e.g. pop), while preventing that user from 
logging in with that same password to a high risk service (telnet).

  Also, the concept of a "secure" channel should be abstracted. SSH can
provide one, as can SSLtelnet, or telnet-over-IPsec.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: mcr@sandelman.ottawa.on.ca. PGP key available.