Subject: Re: BSD/PAM Authentication requirements
To: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
From: Ted Lemon <mellon@hoffman.vix.com>
List: current-users
Date: 11/23/1998 16:27:34
> 	1. you can ftp/telnet to from some IP addresses (or some ttys), but
> 	SSH only with RSA Auth to from others. 

Firewall.

> 	2. accounts can ftp, pop, but not SSH in.

Will logincap actually do this?

> 	3. accounts can POP in, and SSH in, but not with a password, at the
> 	same time, the same IP may have to be permitted to telnet in to use
> 	a different account (i.e. one that doesn't let them out of the
> 	program) 

What about this?

> 	4. all of the above, but now with CryptoCard, SecureID and s/key.
> 	i.e. you can telnet in with your password from host1, you must use
> 	your SSH RSA Auth key from host2, but I'll let you do FTP with
> 	SecureID from host3.

And this?

Would you be offended if I pointed out that you've described a
surprisingly complicated authentication scheme?   Is this really what
you want, or are you being forced into it because of failings of the
technology that's currently available?

Anytime I see complexity and security in the same place, I get *real*
nervous.

			       _MelloN_