Re: Controlling server access
On Wed, September 13, 2006 12:11 am, Simon Tennant wrote:
> Dan MacNeil wrote:
>>
>> man sshd_config says:
>>
>
> I am aware of that but that would imply having POSIX groups which list
> who can log into which boxes. A user could do a "getent group
> groupname" to see who can access boxes which worries me somewhat.
>
> I am also aware of the pam_ldap filter setting that can limit on
> groupOfNames groups. My question was more orientated towards
> how people are approaching the problem/whether it is even a problem?
>
> S.
>
I seem to remember Debian's implementation of pam_ldap supporting a
directive that let you filter based on hostname using a multi-valued
property named something like "host" -- so a given username is either
completely unrestricted (no property), or can only log into a set list of
hosts.
YMMV.
--
Chris Jones
chris@chris-j.net