On Sat, Nov 22, 2014 at 09:12:22PM +0100, Holger Levsen wrote:
> On Samstag, 22. November 2014, Wolfgang Schweer wrote:
> >
> > (1) Create a group like 'sshusers' on the root level
> > (where already other system management related groups like
> > 'gosa-admins' show up).
> > (2) Add users to the new group 'sshusers'.
> > (3) Add 'AllowGroups sshusers' to /etc/ssh/sshd_config
> > (4) 'service ssh restart'
>
> that almost reads as if it could be copied to the manual quite
> directly, if you release this under the GPL2 :) (easiest way to do so
> would be if you just do the edit ;-)
Yes, but some more things have to be considered if LTSP is used:
The more complicated issue concerning LTSP clients could be solved (but
only for the dedicated thin client network) using PAM:
(1) enable pam_access.so in LTSP server's /etc/pam.d/sshd.
(2) configure /etc/security/access.conf to allow connections from
networks 192.168.0.0/24 and 192.168.1.0/24 (preconfigured in LDAP).
Note: someone plugging his box into this network will gain ssh access
to the LTSP server as well.
If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi
server or LTSP cluster setup) things would be even more complicated and
maybe only a sophisticated DHCP setup (in LDAP) checking the
vendor-class-identifier together with appropriate PAM configuration would
do the trick, I suppose.
Wolfgang
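As an added example (not part of Wolfgang's mail or of Debian Edu), the POSIX shell script below writes the access.conf rules the PAM approach above implies (the 'sshusers' group from anywhere, every user from the two thin client networks, everything else denied) and evaluates a rule file the way pam_access does, so a copy can be checked before it becomes /etc/security/access.conf. It assumes the usual 'account required pam_access.so' line is enabled in /etc/pam.d/sshd (Debian ships it commented out) and that sshd_config carries no AllowGroups directive, since sshd applies that before PAM is consulted.

```shell
#!/bin/sh
# Added example, not from the original mail: generate pam_access rules for the
# thin client setup and check them with a small evaluator that mimics
# pam_access first-match semantics (constructed sample data only, no /etc writes).
set -eu

write_access_conf() {                # $1 file, $2 group, $3.. networks (CIDR)
    conf=$1; grp=$2; shift 2
    {
        printf '# %s may log in from anywhere\n+ : %s : ALL\n' "$grp" "$grp"
        for net in "$@"; do printf '+ : ALL : %s\n' "$net"; done   # thin clients
        printf -- '- : ALL : ALL\n'                                 # default deny
    } > "$conf"
}

ip2int() { oifs=$IFS; IFS=.; set -- $1; IFS=$oifs; echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

in_net() {                           # $1 dotted IPv4, $2 a.b.c.d/bits
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# access_decision USER "GROUP ..." ORIGIN_IP FILE -> prints allow or deny
access_decision() {
    user=$1; groups=$2; origin=$3
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' \t')
        who=$(printf '%s\n' "$line" | cut -d: -f2 | tr -d ' \t')
        from=$(printf '%s\n' "$line" | cut -d: -f3)
        umatch=0                     # user field: ALL, the login name or one of its groups
        if [ "$who" = ALL ] || [ "$who" = "$user" ]; then umatch=1
        else for g in $groups; do [ "$g" = "$who" ] && umatch=1; done; fi
        [ "$umatch" -eq 1 ] || continue
        for o in $from; do           # origin field: ALL, an exact address or a CIDR network
            if [ "$o" = ALL ] || [ "$o" = "$origin" ] ||
               { case $o in */*) in_net "$origin" "$o" ;; *) false ;; esac; }; then
                [ "$perm" = + ] && echo allow || echo deny
                return 0             # first matching rule wins
            fi
        done
    done < "$4"
    echo allow                       # no rule matched: pam_access grants access, hence the deny-all line
}
```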