On Fri, Dec 18, 2009 at 11:28:31AM +0100, RalfGesellensetter wrote:
> User lib01 (in ldap) should only be allowed to log in from static50 (10.0.2.100) - a semi-publicly accessible machine in our library. Especially, the anonymous account lib01 should not be used from within a class lab.
>
> The more I think about it, I feel there is a separate solution for different protocols/profiles:
>
> For LTSP, it's not a big deal to block user lib01 in Xsession, I think. For workstations, it might get a bit harder, but possibly lib01 could get a .profile script closing the session if run from the wrong host.
>
> For Samba clients, there might be a way either in login.bat or in smb.conf to restrict login to specific hosts.
>
> But as all kinds of protocols/profiles log to auth.log, pam could still be a central point of blocking...
PAM is ok when we talk about static rules. My earlier talk about firewall setup was only due to your (earlier) request for time-based rules.
Dot-files are bad to use for this: they are editable by the user herself, so they can be circumvented! For Xsession (if you want to use that) add scripts below /etc/X11/Xsession.d (or something like that) instead.
Regards,

 - Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
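The two approaches discussed above (a central PAM rule, and a root-owned hook under /etc/X11/Xsession.d instead of an editable ~/.profile), as an added example that is not part of the original thread or of any project mentioned in it. The account name lib01 and the address 10.0.2.100 come from Ralf's message; everything else is an assumption: the file paths, the hook name 05restrict-lib01, and that the origin of a session is visible either in SSH_CONNECTION (set by sshd) or in the host part of DISPLAY. A session whose origin cannot be determined is denied, so the check fails closed.

```shell
#!/bin/sh
# Added example, not from the thread. Enforces "lib01 only from static50
# (10.0.2.100)" in two layers.
#
#  (1) Centrally via PAM, so every PAM-using service applies it (sshd, the
#      display manager, Samba when 'obey pam restrictions = yes' is set):
#
#      /etc/security/access.conf          (permission : users : origins)
#        -:lib01:ALL EXCEPT 10.0.2.100
#      /etc/pam.d/common-account           (or each individual service file)
#        account required pam_access.so
#
#  (2) As a root-owned session hook that, unlike ~/.profile, the user cannot
#      edit. This file is installed as e.g. /usr/local/lib/restrict-lib01.sh
#      (root:root, 0644) and the hook /etc/X11/Xsession.d/05restrict-lib01
#      (assumed name) is just:
#        . /usr/local/lib/restrict-lib01.sh
#        enforce_restriction
#      Because Xsession sources its hooks, the 'exit 1' below ends the session.
#
# Assumptions (not stated on the page): session origin is taken from
# SSH_CONNECTION ("client_ip client_port server_ip server_port") or from the
# host part of DISPLAY ("host:N"); anything else counts as unknown and is denied.

RESTRICTED_USER=lib01
ALLOWED_HOST=10.0.2.100

# session_origin SSH_CONNECTION_VALUE DISPLAY_VALUE
# Prints the client address, or "unknown" if it cannot be determined.
session_origin() {
    ssh_conn=$1
    display=$2
    if [ -n "$ssh_conn" ]; then
        # first whitespace-separated field of SSH_CONNECTION is the client address
        set -- $ssh_conn
        printf '%s\n' "$1"
    elif [ -n "$display" ] && [ "${display%%:*}" != "" ]; then
        # "10.0.2.100:7" -> "10.0.2.100"; a local display like ":0" has no host part
        printf '%s\n' "${display%%:*}"
    else
        printf 'unknown\n'
    fi
}

# allowed_login USER ORIGIN -> exit status 0 if USER may log in from ORIGIN.
# Only the restricted account is constrained; any other user passes, so the
# hook is a no-op for normal accounts.
allowed_login() {
    user=$1
    origin=$2
    if [ "$user" != "$RESTRICTED_USER" ]; then
        return 0
    fi
    [ "$origin" = "$ALLOWED_HOST" ]
}

# enforce_restriction: called from the Xsession.d hook. Logs the refusal to
# syslog (it shows up next to the PAM messages in auth.log) and ends the session.
enforce_restriction() {
    user=${USER:-$(id -un)}
    origin=$(session_origin "${SSH_CONNECTION-}" "${DISPLAY-}")
    if ! allowed_login "$user" "$origin"; then
        logger -t restrict-lib01 "refusing session for $user from $origin"
        exit 1
    fi
}
```

The PAM rule is the one that matters: the hook only covers sessions that pass through Xsession, while pam_access is consulted by every service whose account stack includes it. Check the rule the same way an attacker would, by logging in as lib01 from a lab machine (for example with ssh) and confirming the refusal appears in auth.log; then repeat from 10.0.2.100 to make sure the library machine still works.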