[COLUG] SSH AllowGroups / AllowUsers
Greg Sidelinger
gate at ilive4code.net
Tue May 13 17:17:35 EDT 2008
Yes, pam_access can help you.
/etc/security/access.conf contains a list of users/groups who can
login to the server and from where.
You may need to add
account required pam_access.so
to your /etc/pam.d/system-auth or other pam config files.
An example access.conf file that I use, from memory, since I only use
this at work and have left for the day:
# Let sshd restrict if root can login
+:root:ALL
+:adminGroup:ALL
+:userGroup:ALL
+:applicationID:ALL
# If on the console or an existing login, let them login
+:ALL:LOCAL
-:ALL:ALL
I have run into issues with this setup. Sometimes it's just bugs
which were fixed upstream. SLES 10 had an issue where all cron
scripts failed to run when I enabled pam_access. It was fixed in SP1.
I have had other small issues with RHEL 3 and some non-user accounts
not being permitted to run from scripts. Adding them to the
access.conf file from ALL usually solved the issue. pam_access is
very good at logging in /var/log/messages (on RHEL) when it causes the
failure, so issues related to it are pretty easy to track down.
Greg
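As an added illustration (not code from the thread), the following Python models how pam_access evaluates access.conf rules, so a rule set like the one above can be checked for the users and origins it admits before it goes live. It assumes a constructed group-membership dict, does not model @netgroups or EXCEPT, and follows the classic documented rule that LOCAL matches an origin containing no '.' character.

```python
# Constructed sample: the rules from the post, with comments moved to
# their own lines (access.conf comments are lines starting with '#').
ACCESS_CONF = """
# Let sshd decide whether root may log in
+:root:ALL
+:adminGroup:ALL
+:userGroup:ALL
+:applicationID:ALL
# Console or existing login: let them in
+:ALL:LOCAL
-:ALL:ALL
"""

# Constructed group membership for the example users (assumption)
GROUPS = {"alice": {"adminGroup"}, "bob": set()}

def parse_access_conf(text):
    """Return [(permit, user_tokens, origin_tokens)] for '+|-:users:origins'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        # items within a field are separated by commas and/or whitespace
        rules.append((perm == "+", users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def _user_match(tok, user, groups):
    # a token is tried as a login name and then as a group name
    return tok == "ALL" or tok == user or tok in groups.get(user, set())

def _origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin  # classic LOCAL rule (assumption)
    return tok == origin

def check_access(rules, user, origin, groups=GROUPS):
    """First match decides; with no match pam_access permits, hence -:ALL:ALL."""
    for permit, users, origins in rules:
        if any(_user_match(t, user, groups) for t in users) and \
                any(_origin_match(t, origin) for t in origins):
            return permit
    return True
```

Dropping the final `-:ALL:ALL` line makes every unmatched user/origin pair succeed, which is the default-permit behaviour the deny-all line exists to close.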
On May 13, 2008, at 2:13 PM, Robert Foreman wrote:
> I use sshd_config to block root, but PAM for setting the AD group
> access.
>
> I use winbind so I simply set
>
> require_membership_of = adgroupname
>
> in /etc/security/pam_winbind.conf
>
> You may be able to do something similar in /etc/security/access.conf
> with:
>
> + : @nis_group adgroupname : ALL
> - : ALL : ALL
>
> I believe there is also a way to modify /etc/pam.d/system-auth to
> require a group membership, but I'm always hesitant to modify the pam
> files. Usually the only thing I add is the pam_mkhomedir.so line so it
> dynamically creates the home directories (not using NFS home
> directories).
>
> I benefited a lot from Scott Lowe's blog. However, in the end I went
> with winbind using "security = ads" and the new idmap domains option.
> The krb5 portion is more or less the same.
>
> I'm curious, why did you disable GSSAPI Authentication?
>
> On Tue, May 13, 2008 at 9:15 AM, Scott Merrill <skippy at skippy.net>
> wrote:
>> I'm preparing a new NFS server running RHEL 5.1 which is connected to
>> our Active Directory (LDAP / Kerberos) infrastructure. This NFS
>> server will share the /home partition that our various
>> (to-be-installed) GNU/Linux lab machines will mount.
>>
>> I followed these instructions to get the NFS server joined to our AD:
>> http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
>>