On Sat, Nov 22, 2014 at 09:12:22PM +0100, Holger Levsen wrote:
> On Saturday, 22 November 2014, Wolfgang Schweer wrote:
> >
> > (1) Create a group like 'sshusers' on the root level
> >     (where already other system management related groups like
> >     'gosa-admins' show up).
> > (2) Add users to the new group 'sshusers'.
> > (3) Add 'AllowGroups sshusers' to /etc/ssh/sshd_config
> > (4) 'service ssh restart'
>
> that almost reads as if it could be copied to the manual quite
> directly, if you release this under the GPL2 :) (easiest way to do so
> would be if you just do the edit ;-)

Yes, but some more things have to be considered if LTSP is used:

The more complicated issue concerning LTSP clients could be solved (but
only for the dedicated thin client network) using PAM:

(1) enable pam_access.so in LTSP server's /etc/pam.d/sshd.
(2) configure /etc/security/access.conf to allow connections from
    networks 192.168.0.0/24 and 192.168.1.0/24 (preconfigured in LDAP).

Note: someone plugging in his box into this network will gain ssh access
to the LTSP server as well.

If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi
server or LTSP cluster setup) things would be even more complicated and
maybe only a sophisticated DHCP setup (in LDAP) checking the
vendor-class-identifier together with appropriate PAM configuration would
do the trick, I suppose.

Wolfgang
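
Added example, not part of the original mail or of the Debian Edu manual: a simplified Python model of how pam_access evaluates /etc/security/access.conf (first matching rule decides), run against a constructed rule set for the two thin client networks named above. The rule lines, the '(sshusers)' group rule and the sample users and addresses are assumptions; EXCEPT, host names and LOCAL are not modelled.

```python
import ipaddress

# Constructed access.conf content (assumption, not from the mail). It takes
# effect once 'account required pam_access.so' is enabled in /etc/pam.d/sshd.
ACCESS_CONF = """\
# permission : users : origins
+ : (sshusers) : ALL
+ : ALL : 192.168.0.0/24 192.168.1.0/24
- : ALL : ALL
"""

def parse_rules(text):
    """Return (permit, user_tokens, origin_tokens) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):  # "(name)" is a group
        return token[1:-1] in groups
    return token == user

def origin_matches(token, addr):
    if token == "ALL":
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False  # host names and LOCAL are outside this model

def access_allowed(rules, user, groups, addr):
    """First matching rule decides; with no match pam_access grants access."""
    for permit, users, origins in rules:
        if any(user_matches(t, user, groups) for t in users) and \
           any(origin_matches(t, addr) for t in origins):
            return permit
    return True

if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, groups, addr in [("admin1", {"sshusers"}, "10.0.2.2"),
                               ("pupil", {"students"}, "192.168.0.57"),
                               ("pupil", {"students"}, "10.0.16.20")]:
        print(user, addr, "allow" if access_allowed(rules, user, groups, addr) else "deny")
```

The second sample line is the case from the note above: the rule matches on source address only, so any machine that obtains an address in the thin client network passes this check.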