On Sat, Nov 22, 2014 at 09:12:22PM +0100, Holger Levsen wrote:
> On Saturday, 22. November 2014, Wolfgang Schweer wrote:
> >
> > (1) Create a group like 'sshusers' on the root level
> >     (where already other system management related groups like
> >     'gosa-admins' show up).
> > (2) Add users to the new group 'sshusers'.
> > (3) Add 'AllowGroups sshusers' to /etc/ssh/sshd_config
> > (4) 'service ssh restart'
>
> that almost reads as if it could be copied to the manual quite
> directly, if you release this under the GPL2 :) (easiest way to do so
> would be if you just do the edit ;-)

Yes, but some more things have to be considered if LTSP is used:

The more complicated issue concerning LTSP clients could be solved (but
only for the dedicated thin client network) using PAM:

(1) enable pam_access.so in LTSP server's /etc/pam.d/sshd.
(2) configure /etc/security/access.conf to allow connections from
    networks 192.168.0.0/24 and 192.168.1.0/24 (preconfigured in LDAP).

Note: someone plugging his box into this network will gain ssh access
to the LTSP server as well.

If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi
server or LTSP cluster setup) things would be even more complicated and
maybe only a sophisticated DHCP setup (in LDAP) checking the
vendor-class-identifier together with appropriate PAM configuration would
do the trick, I suppose.

Wolfgang
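The two PAM steps from the message above, written out as an added configuration sketch (not part of the original mail or of the Debian Edu manual). It assumes that on the LTSP server the 'sshusers' restriction is expressed in access.conf rather than with 'AllowGroups' in sshd_config, because sshd applies AllowGroups itself and would refuse thin-client users outside that group whatever PAM decides. It also assumes 'UsePAM yes' in sshd_config.

```conf
# --- /etc/pam.d/sshd on the LTSP server -------------------------------
# Step (1): evaluate /etc/security/access.conf for every ssh login.
# Only the account stack is affected; authentication is unchanged.
account  required  pam_access.so

# --- /etc/security/access.conf ----------------------------------------
# Format:  permission : users/groups : origins
# Rules are read top to bottom and the first match decides.

# Step (2): any account may log in from the two thin-client networks
# named in the mail. As the mail notes, this also admits any machine
# plugged into those networks.
+ : ALL : 192.168.0.0/24 192.168.1.0/24

# Assumption: from every other origin (for example the 10.0.0.0/8
# backbone) only members of 'sshusers' are admitted. Parentheses mark
# the name as a group rather than a user.
+ : (sshusers) : ALL

# Default deny for everything not matched above.
- : ALL : ALL
```

After editing, restart the service as in step (4) of the quoted list and confirm from a backbone host that an account outside 'sshusers' is refused while the same account still logs in from a thin client.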

