
Re: Provide mechanism to limit ssh login in Debian Edu?



On Saturday, 22 November 2014, 10:37:19, Petter Reinholdtsen wrote:
> One request that comes up from time to time, is to provide a way in
> Debian Edu to limit who can log into ssh, either for the main server or
> from outside the school.
> 
> One way to do this is to create a new group (say 'sshusers') and list it
> in /etc/ssh/sshd_config like this:
> 
>   AllowGroups sshusers
> 
> This way only members of the sshusers group will be allowed to ssh into
> the machine with such a setup.
> 
> An alternative is to switch the logic around, and create a new group
> (say 'nosshlogin') and update /etc/ssh/sshd_config like this:
> 
>   DenyGroups nosshlogin
> 
> This will block members of the group from logging in via ssh.
> 
> One challenge is that LTSP uses SSH to log in users when using LDM, so
> if ssh login on the LTSP server is blocked like this, the user will not
> be able to log in on LTSP clients either.  One way around that might be
> to allow everyone on the school network to log in, but only members of a
> group (say 'remotesshlogin') access via ssh from outside the school.
> 
> What do the rest of you think about such an idea?  Something for the
> version after Jessie?  Perhaps something to document in the manual for
> Jessie?  If so, which recipe should we recommend?

The most important question for me is, how can it be done with gosa, as it 
is the so-called central solution for user administration in our distro?


Greetings
Jürgen Leibner
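
The third option in the quoted message (everyone may log in from the school network, only members of 'remotesshlogin' from outside) can be written as a Match block in /etc/ssh/sshd_config. This is an added example, not part of the original thread or of Debian Edu's shipped configuration; the 10.0.0.0/8 range stands in for the school network and is an assumption to replace with the real one.

```sshd_config
# /etc/ssh/sshd_config (fragment, added example)
#
# Global section: no AllowGroups/DenyGroups here, so every valid account
# can still log in from inside the school network. This keeps LDM logins
# from LTSP clients working, since LDM authenticates users over SSH.
#
# For comparison, the simpler recipe from the quoted message would be a
# single global line:
#
#   AllowGroups sshusers
#
# but on an LTSP server that also blocks LDM logins for everyone who is
# not in 'sshusers'.

# Match blocks must come after all global settings; they run to the next
# Match line or the end of the file.
#
# "*,!10.0.0.0/8" means: any source address except the school network.
# A negated pattern never matches on its own, so the leading "*" is
# required. 10.0.0.0/8 is an ASSUMED school network range.
Match Address *,!10.0.0.0/8
    # Connections from outside: only members of this group may log in.
    # The group name is the one suggested in the quoted message.
    AllowGroups remotesshlogin

# Check the file before reloading sshd:
#   sshd -t
#
# Show the effective setting for a given connection (constructed values;
# 'alice' and 203.0.113.5 are placeholders):
#   sshd -T -C user=alice,host=example.org,addr=203.0.113.5 | grep -i allowgroups
#   sshd -T -C user=alice,host=tjener,addr=10.0.2.10      | grep -i allowgroups
# The first should print "allowgroups remotesshlogin", the second nothing.
```

The Match is evaluated against the source address sshd sees, so if outside connections arrive through a NAT gateway or port forward that rewrites the source to an internal address, they will be treated as inside the school network.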

