Simon Tennant wrote:
I am curious about how other Debian sys-admins currently authorize who can log onto their servers. We are thinking about LDAPing a large number of servers, but this will currently lead to all users then being able to log onto the servers. What are others doing to limit this to a small subset of users who can ssh in?

S.

man sshd_config says:

AllowGroups
    This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.

--
I think somebody pointed this out to me. I don't think I read the man page on my own.
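
The following is an added example, not part of the thread above and not OpenSSH code: a small audit helper that applies the AllowGroups rule as the quoted man page states it, so the effect of a planned line can be checked against a list of directory users before rollout. The sample config, the user and group names, and all function names are constructed for illustration; only the `*` and `?` wildcards from the quoted text are implemented, and patterns from several AllowGroups lines are assumed to be combined.

```python
import re

# Constructed sshd_config excerpt (not from a real server).
SAMPLE_CONFIG = """\
# sshd_config excerpt
PermitRootLogin no
AllowGroups ssh-admins ops-?? 1001
"""

# Constructed directory users: name -> (primary group, supplementary groups).
# In this constructed directory the group "staff" has GID 1001.
SAMPLE_USERS = {
    "alice": ("staff", ["ssh-admins"]),
    "bob": ("ops-eu", []),
    "carol": ("staff", ["ops-emea"]),
    "dave": ("staff", []),
}

def allow_groups_patterns(config_text):
    """Collect the patterns of every AllowGroups line (keyword is case-insensitive)."""
    patterns = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == "allowgroups":
            patterns.extend(parts[1:])
    return patterns

def group_matches(pattern, group):
    """Match a group NAME against a pattern; '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, group) is not None

def login_allowed(patterns, primary, supplementary):
    """No AllowGroups at all means every group is allowed (the documented default)."""
    if not patterns:
        return True
    return any(group_matches(p, g) for p in patterns for g in [primary, *supplementary])

def audit(config_text, users):
    patterns = allow_groups_patterns(config_text)
    return {name: login_allowed(patterns, prim, supp) for name, (prim, supp) in users.items()}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG, SAMPLE_USERS).items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

In the sample, dave is denied even though his group has GID 1001, because the pattern `1001` is only ever compared with group names, and carol is denied because `ops-??` matches exactly two trailing characters.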