lists.arthurdejong.org
Re: [nssldap] restricting users to certain hosts?


What we do is create unix groups by "role" - group1 is allowed into all hosts, group2 into some other hosts, group3 into a subset of those.

Then use the /etc/security/access.conf file (/etc/login.access on FreeBSD) to designate who is allowed to access a particular host. For example:

# allow the following unix users/groups only on the console
+: root operator : LOCAL

# allow the following unix users/groups to access this system from anywhere
+: group1 : ALL
+: group2 : ALL


You'll need to add the pam_access.so module to the account section of the appropriate file(s) in /etc/pam.d. On RHEL it's /etc/pam.d/system-auth:

account     requisite     /lib/security/$ISA/pam_access.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so


Try it - it works great! And check out the other files in /etc/security on Linux. limits.conf solved some other problems for us.


Adam Williams wrote:
I've got several servers... arrowhead, archives3, saxon, etc. I want to prevent the users from ssh'ing into certain servers. Some should only be able to ssh to arrowhead, others only to archives3, some can access 2 out of the 3, or all 3, etc. Is it possible to have this configuration? If so, how?
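As an added example (not code from either message in this thread), the following Python script evaluates access.conf rules the way pam_access does, first match wins, so a host's policy can be checked offline against (user, groups, origin) before it is rolled out. It models only a subset of the syntax (login names, bare group names and "(group)", ALL, LOCAL, exact hostnames, ".domain" suffixes and EXCEPT; no netmasks or netgroups), and it appends a "- : ALL : ALL" line to the reply's rules because pam_access grants access when no rule matches; the user names and the host laptop.example.org are constructed.

```python
# Added example, not code from the list post: an offline evaluator for the
# pam_access(8) access.conf first-match policy (modelled subset: see lead-in).
def parse_access_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):                    # pam_access logs and skips these
            raise ValueError("bad permission field: %r" % raw)
        rules.append((perm, users.split(), origins.split()))
    return rules

def _list_match(tokens, hit):
    """A hit before EXCEPT counts unless the part after EXCEPT also hits."""
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    return any(map(hit, tokens[:cut])) and not _list_match(tokens[cut + 1:], hit)

def _user_match(tok, user, groups):
    if tok.startswith("(") and tok.endswith(")"):     # "(group)" matches groups only
        return tok[1:-1] in groups
    return tok == "ALL" or tok == user or tok in groups  # bare name: user, then group

def _origin_match(tok, origin):
    if tok == "LOCAL":                                # tty or hostname without a dot
        return "." not in origin
    if tok.startswith("."):                           # ".example.org" domain suffix
        return origin.lower().endswith(tok.lower())
    return tok == "ALL" or tok.lower() == origin.lower()

def check_access(rules, user, groups, origin):
    """First matching rule decides; when nothing matches pam_access GRANTS."""
    for perm, users, origins in rules:
        if (_list_match(origins, lambda t: _origin_match(t, origin))
                and _list_match(users, lambda t: _user_match(t, user, groups))):
            return perm == "+"
    return True

# The post's rules (constructed copy) plus the deny-all line default-permit requires.
ACCESS_CONF = "+: root operator : LOCAL\n+: group1 : ALL\n+: group2 : ALL\n"
DENY_ALL = "-: ALL : ALL\n"
def evaluate_examples(conf=ACCESS_CONF + DENY_ALL, remote="laptop.example.org"):
    rules = parse_access_conf(conf)
    return {
        "root@tty1": check_access(rules, "root", ["wheel"], "tty1"),
        "root@remote": check_access(rules, "root", ["wheel"], remote),
        "alice(group1)@remote": check_access(rules, "alice", ["group1"], remote),
        "carol(group3)@remote": check_access(rules, "carol", ["group3"], remote),
    }
```

Calling evaluate_examples(conf=ACCESS_CONF) without DENY_ALL shows carol (group3) being admitted, which is the case the trailing deny rule closes.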