[COLUG] SSH AllowGroups / AllowUsers
Robert Foreman
robert.foreman at gmail.com
Tue May 13 14:13:15 EDT 2008
I use sshd_config to block root, but PAM for setting the AD group access.

I use winbind so I simply set

    require_membership_of = adgroupname

in /etc/security/pam_winbind.conf

You may be able to do something similar in /etc/security/access.conf with:

    + : @nis_group adgroupname : ALL
    - : ALL : ALL

I believe there is also a way to modify /etc/pam.d/system-auth to
require a group membership, but I'm always hesitant to modify the pam
files. Usually the only thing I add is the pam_mkhomedir.so line so it
dynamically creates the home directories (not using NFS home
directories).

I benefited a lot from Scott Lowe's blog. However, in the end I went
with winbind using "security = ads" and the new idmap domains option.
The krb5 portion is more or less the same.

I'm curious, why did you disable GSSAPI Authentication?

On Tue, May 13, 2008 at 9:15 AM, Scott Merrill <skippy at skippy.net> wrote:
> I'm preparing a new NFS server running RHEL 5.1 which is connected to
> our Active Directory (LDAP / Kerberos) infrastructure. This NFS
> server will share the /home partition that our various
> (to-be-installed) GNU/Linux lab machines will mount.
>
> I followed these instructions to get the NFS server joined to our AD:
> http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
>
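
An added example, not part of the original message: a simplified Python model of how pam_access evaluates the two access.conf lines quoted above (first matching rule decides, no match means allow). The account names, group sets and netgroup table are constructed for illustration; EXCEPT and host/network origins are not modelled.

```python
# Simplified model of how pam_access walks /etc/security/access.conf.
# Assumptions: no EXCEPT operator, origins are "ALL" or a literal string.

RULES = """\
+ : @nis_group adgroupname : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(perm, [user tokens], [origin tokens])], skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def token_matches(tok, user, groups, netgroups):
    if tok == "ALL":
        return True
    if tok.startswith("@"):                        # @name is a NIS netgroup
        return user in netgroups.get(tok[1:], set())
    if tok.startswith("(") and tok.endswith(")"):  # (name) is always a group
        return tok[1:-1] in groups
    return tok == user or tok in groups            # bare name: user, then group

def access_allowed(rules, user, groups=(), netgroups=None, origin="ALL"):
    """First matching rule decides; no match at all means access is granted."""
    netgroups = netgroups or {}
    for perm, users, origins in rules:
        user_ok = any(token_matches(t, user, groups, netgroups) for t in users)
        origin_ok = "ALL" in origins or origin in origins
        if user_ok and origin_ok:
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed accounts: (user, groups the user belongs to)
    for user, groups in [("alice", {"adgroupname"}), ("bob", {"users"}),
                         ("root", {"root"})]:
        print(user, "allowed" if access_allowed(rules, user, groups) else "denied")
```

In this model the catch-all `- : ALL : ALL` line also denies root and every local account outside the listed group or netgroup, and swapping the two lines denies everyone.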