On Thu, Dec 17, 2009 at 09:54:05AM +0100, Ralf Gesellensetter wrote:
> On Wednesday, 16 December 2009, Jonas Smedegaard wrote:
> > Perhaps if you elaborate on the use case: I do not understand how you find PAM relevant for a case of (as I understand it) guest users on a separate subnet.
>
> Hi Jonas, thank you for asking questions. Apparently my use case was not described thoroughly enough: Apart from 5 guest users assigned to those 5 machines, our students use them as well (using their personal login). This implies that these machines are part of the 10.0.2.0/23 net and all accounts are in tjener's LDAP (no subnet).
Ahh, makes sense (even to me) now.

As discussed already you can limit login via PAM settings. That can be circumvented by clever users, however.

For diskless clients you should be able to use shorewall - see the USER/GROUP column of the interfaces config file documented here: http://www.shorewall.net/manpages/shorewall-rules.html . For this to be really secure, the firewall should also block diskless clients from talking to anything but their server(s), so they cannot circumvent the limits by somehow starting applications locally.
For more self-contained clients I believe Shorewall cannot support this requirement (if I understand it correctly). You should be able to do such things with the nufw tool, I believe.
- Jonas

--
* Jonas Smedegaard - idealist & Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

[x] quote me freely  [ ] ask before reusing  [ ] keep private
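The two mechanisms contrasted in the mail, as an added configuration example that is not from the thread, the Debian Edu project or shorewall's own documentation: a pam_access rule that limits where the guest accounts may log in, and shorewall rules on the diskless client itself that use the USER/GROUP column of the rules file (the file the linked man page documents) to confine those accounts' traffic to the server. The account and group names (guest1..guest5, group "guests"), the server address 10.0.2.2 and the zone names $FW/net are assumptions; substitute your own.

```conf
# Added example, not from the thread. Names (guest1..guest5, group "guests"),
# the server address 10.0.2.2 and the zone names $FW/net are assumptions.

# --- 1. Login restriction via PAM --------------------------------------
# /etc/security/access.conf   (needs "account required pam_access.so",
# e.g. in /etc/pam.d/common-account)
# Syntax: permission : users : origins
# Deny the guest accounts everywhere except local ttys. "LOCAL" is
# pam_access's keyword for origins without a dot, i.e. the console,
# so remote logins (ssh, etc.) with these accounts are refused.
-:guest1 guest2 guest3 guest4 guest5:ALL EXCEPT LOCAL

# --- 2. Traffic restriction on the diskless client itself -------------
# /etc/shorewall/rules   (shorewall-rules(5); the USER/GROUP column only
# matches traffic the client generates locally, so SOURCE must be $FW)
#ACTION  SOURCE  DEST          PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/GROUP
#                                     PORT(S)  PORT(S)  DEST      LIMIT
# Members of group "guests" may talk to the server (assumed 10.0.2.2) ...
ACCEPT   $FW     net:10.0.2.2  all    -        -        -         -      :guests
# ... and to nothing else. Rules are matched in order, so this must come
# after the ACCEPT above and before the general rule below.
REJECT   $FW     net           all    -        -        -         -      :guests
# Other local accounts (the students' LDAP logins) are not restricted here.
ACCEPT   $FW     net           all
```

The PAM rule only decides whether a session may start; once a guest has a console session, nothing in PAM stops a locally started program from talking to the network. The shorewall rules close that gap, which is the point the mail makes about the firewall having to block everything but the server(s). Because the USER/GROUP match is evaluated against the uid/gid of the local process that opened the socket, it works for diskless clients running their own kernel and firewall, and not for traffic merely forwarded through a router.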