You can restrict host access based on a user's groups.
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
We did something similar a few years back (I can't remember the name of
the pam module we used) but basically users were categorized into
certain groups (staff, student, sy, etc.) and those groups were allowed
on to certain hosts.
The other technique we tried was to divide our hosts into 5 categories
and give each user 5 shell attributes (public-shell, backend-shell,
etc). Then the hosts used attribute mapping to pick the correct shell.
People that weren't allowed on to a host got a shell of /sbin/nologin
for the relevant shell.
Christian Caruthers wrote:
Thanks for the reply. That thread goes over everything I've tried to date.
Using the host attribute in the user's ldif entry works fine, but we're
controlling access to over a hundred hosts for over three hundred users.
Keeping track of that could become a real headache. Is there a way to
reference a netgroup in the host field? For example, I have:
dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)
Can I reference this group in the user entry? I've tried:
dn: uid=user1,ou=people,dc=example,dc=com
cn: User1 Name
gidNumber: 10000
givenName: User1
homeDirectory: /home/uid1
loginShell: /bin/bash
sn: Name
uid: user1
uidNumber: ##########
userPassword: {SSHA}
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
host: @staffhosts
In the client's /etc/ldap/conf, I have:
pam_check_host_attr yes
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
This didn't work. Any suggestions?
If I can't reference a netgroup, does the host attribute accept wildcards or
regular expressions?
On 3/5/09 11:37 AM, "Adam Williams" <[email protected]> wrote:
http://www.nabble.com/restricting-users-to-certain-hosts--to15832812.html
Christian Caruthers wrote:
I have been looking around for an answer to this for a few days. I have a
cluster of machines and I want to limit who can log in where without messing
too much with config files on individual machines. I thought I could do
something using netgroups, but I've had little luck. So far, the only thing
that has worked is using "pam_check_host_attr yes" coupled with a list of
hosts in the user's entry. I've tried creating a netgroup of hosts and
referencing that in the host entry, but that didn't work. I'm trying to
avoid having to list out over a hundred hosts in a user's LDAP entry.
Ideally, I would like to create groups of hosts and allow users access to
those host groups. Is there some documentation about the host declaration
that I'm missing?
Sorry if this has been covered before, but I didn't see any area where I can
search the archive.
Thanks
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Christian Caruthers, System Administrator, SSAI
NASA Langley Research Center Atmospheric Sciences Data Center
Mail Stop 157D
2 South Wright St., Bldg. 1268C, Room 2303G
Hampton, VA 23681-2199
[email protected]
Phone: (757)864-7569 Mobile: (757)272-9583
http://eosweb.larc.nasa.gov Fax: (757)864-8807
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
- Douglas Adams
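Added example, not from the thread: a small Python audit script that takes the "host: @netgroup" convention proposed above and resolves it offline (following nested memberNisNetgroup references), so an administrator can list which users a given host would admit once the host lists are expanded. The LDIF entries are constructed, and the expansion is done by the script itself; it assumes the convention rather than any behaviour of pam_check_host_attr.

```python
# Constructed sample entries (not from the thread); 'host: @name' is the proposed convention.
LDIF = """\
dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)

dn: cn=allhosts,ou=netgroup,dc=example,dc=com
cn: allhosts
memberNisNetgroup: staffhosts
nisNetgroupTriple: (login1.cluster.net,-,)

dn: uid=user1,ou=people,dc=example,dc=com
uid: user1
host: @staffhosts

dn: uid=user2,ou=people,dc=example,dc=com
uid: user2
host: login1.cluster.net
"""

def parse_ldif(text):
    # Minimal parser: one entry per blank-line-separated block, no line folding.
    entries = []
    for block in text.strip().split("\n\n"):
        e = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            e.setdefault(attr, []).append(value)
        entries.append(e)
    return entries
def netgroup_hosts(name, groups, seen=()):
    # Host field of each (host,user,domain) triple plus nested memberNisNetgroup; 'seen' cuts cycles.
    if name in seen or name not in groups:
        return set()
    hosts = {t.strip("()").split(",")[0] for t in groups[name].get("nisNetgroupTriple", [])}
    hosts -= {"", "-"}  # triples with no host part (user-only entries)
    for sub in groups[name].get("memberNisNetgroup", []):
        hosts |= netgroup_hosts(sub, groups, seen + (name,))
    return hosts
def allowed_hosts(user, groups):
    # Literal host values, with '@name' values replaced by that netgroup's hosts.
    return set().union(*(netgroup_hosts(h[1:], groups) if h.startswith("@")
                         else {h} for h in user.get("host", [])))
def users_for_host(hostname, ldif=LDIF):
    # Audit view: which users' effective host lists admit this host?
    entries = parse_ldif(ldif)
    groups = {e["cn"][0]: e for e in entries if "nisNetgroupTriple" in e}
    return sorted(e["uid"][0] for e in entries
                  if "uid" in e and hostname in allowed_hosts(e, groups))
```

The same expansion can be used the other way round, to generate the literal host list that pam_check_host_attr does understand from a netgroup and write it into the user entry, instead of maintaining a hundred values per user by hand.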