On Thu, Jan 24, 2013 at 5:24 PM, John P Arends <jare...@northwestern.edu> wrote:
> I want to make sure if someone also gets local console access somehow they
> still can't get in. That's my concern with just making changes to how sshd
> authenticates.

One way I've dealt with this, and a pretty simple one, is to not use LDAP account management at all. Use local user accounts, and allow those to *authenticate* against the Kerberos server. Look up the "authconfig" options to see how to do this: it allows local account management, including the use of restricted shells and localized UIDs and group membership, without having to manage anything but the passwords on the upstream Samba or AD servers. It even allows the shell to be "/sbin/nologin" or alternative access-limited home directories for shared "scp" or even "rssh" based access.
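
A check for the setup described in the message above, as an added example that is not part of the original post: it confirms that account lookups are local-only while PAM still sends the password check to Kerberos, then lists which accounts could log in and with what shell. The function names, the UID threshold of 500, the RHEL-style `system-auth` layout and the sample files are assumptions constructed for illustration; the realm and KDC in the comment are placeholders.

```shell
#!/bin/sh
# Added example: audit that accounts are local and passwords go to Kerberos.
# A setup of this kind is typically produced with (realm/KDC are placeholders):
#   authconfig --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=kdc.example.com \
#              --disableldap --disableldapauth --update

# Print the sources configured for the passwd database in an nsswitch.conf.
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 only if account lookups are local-only and PAM auth calls pam_krb5.
local_accounts_krb_auth() {   # args: nsswitch.conf, PAM auth file
    [ "$(passwd_sources "$1")" = "files" ] || return 1
    grep -Eq '^auth[[:space:]].*pam_krb5\.so' "$2"
}

# List non-system accounts (UID >= $2, default 500) as "user shell".
login_accounts() {            # args: passwd file, minimum UID
    awk -F: -v min="${2:-500}" '$3 >= min { print $1, $7 }' "$1"
}

# Constructed sample files standing in for /etc/nsswitch.conf,
# /etc/pam.d/system-auth and /etc/passwd.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files\nshadow: files\ngroup: files\n' > "$demo/nsswitch.good"
printf 'passwd: files ldap\ngroup: files ldap\n' > "$demo/nsswitch.ldap"
cat > "$demo/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
svcacct:x:502:502:No login:/srv/svcacct:/sbin/nologin
EOF

if local_accounts_krb_auth "$demo/nsswitch.good" "$demo/system-auth"; then
    echo "OK: local accounts only, Kerberos password check in PAM"
fi
local_accounts_krb_auth "$demo/nsswitch.ldap" "$demo/system-auth" ||
    echo "FAIL: passwd database also consults: $(passwd_sources "$demo/nsswitch.ldap")"
login_accounts "$demo/passwd"
```

Because the check reads the shared PAM auth stack and the name service switch rather than sshd's configuration, it applies to console logins as well as SSH on systems where both services include that stack.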