Re: Controlling server access



On Wed, September 13, 2006 12:11 am, Simon Tennant wrote:
> Dan MacNeil wrote:
>>
>> man sshd_config says:
>>
>
> I am aware of that but that would imply having POSIX groups which list
> who can log into which boxes.  A user could do a "getent group
> groupname" to see who can access boxes which worries me somewhat.
>
> I am also aware of the pam_ldap filter setting that can limit on
> groupOfNames groups.   My question was more orientated towards
> how people are approaching the problem/whether it is even a problem?
>
> S.
>

I seem to remember Debian's implementation of pam_ldap supporting a
directive that let you filter based on hostname using a multi-valued
property named something like "host" -- so a given username is either
completely unrestricted (no property), or can only log into a set list of
hosts.

YMMV.

-- 
Chris Jones
chris@chris-j.net
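
The directive recalled above corresponds to pam_ldap's `pam_check_host_attr` option, which makes the PAM account check compare the local hostname against the `host` values on the user's entry. A constructed entry for it, added here as an illustration and not taken from the thread; the DN, user name, numeric IDs and hostnames are placeholders, and the `account` object class is assumed as the carrier of `host`:

```ldif
# Constructed sample entry (not from the thread).
#
# Client side, in the ldap.conf read by pam_ldap:
#     pam_check_host_attr yes
# and pam_ldap must sit in the PAM account stack for the check to run:
#     account  required  pam_ldap.so
#
# With that in place, this user passes the account check only on the
# two hosts listed in the multi-valued "host" attribute.
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: alice
cn: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
host: web01.example.org
host: db01.example.org
```

Before relying on this, test on your pam_ldap version how an entry with no `host` value is treated once the option is on, and use directory ACLs to limit who can read the `host` attribute if the per-host access list should not be visible to ordinary users.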
