2009/6/16 solarflow99 <[email protected]>
>
> On Tue, Jun 16, 2009 at 12:52 AM, Domenico Viggiani
> <[email protected]> wrote:
>
>> solarflow99 wrote:
>> > I think it can be done with remote logging,
>> > you can log everything to a network location.
>> > I'm sure it can be done with available tools, if necessary.
>>
>> Main requirements are:
>> 1- identifying users and not allowing "generic" login, both from network
>> and consoles (and "remote" consoles)
>> 2- protecting logs from tampering and archiving for 6 months
>>
>> For point 1):
>>
>> - I can use centralized login to LDAP/Active Directory (Red Hat provides
>> it with standard tools) and allow network access only to "personal"
>> accounts: can I specify users/groups in SSH config?
>
> sounds like you need to refuse shell access? If you enable ldap, then all
> services automatically use it, so it would still allow ssh access if sshd is
> configured.
>
No, he needs to do "man sshd_config" and look for the AllowGroups/DenyGroups
and/or AllowUsers/DenyUsers directives - that part of Domenico's requirements
is simplest to satisfy. The rest needs more information, but can probably be
accomplished by editing some of /etc/pam.d/*

--
Sam
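As an added illustration (not part of the thread, and not Red Hat's or OpenSSH's code), the script below models how sshd evaluates the four directives Sam names. sshd_config(5) documents the order as DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with `*` and `?` wildcards in each pattern; once AllowUsers or AllowGroups is set, anything not matched is refused. The config fragment, the account names and their group memberships are constructed for the example; Match blocks, the USER@HOST pattern form and PAM account checks are deliberately not modelled.

```python
import fnmatch
import shlex
from typing import Dict, List, Tuple

# Constructed sshd_config fragment (not from any real host): interactive
# logins are limited to members of "sysadmins" and "ops"; a generic account
# and a family of shared accounts are refused by name, and the "shared"
# group is refused even when the user is also in an allowed group.
SSHD_CONFIG = """
# constructed example configuration
Port 22
DenyUsers   guest shared-*
DenyGroups  shared
AllowGroups sysadmins ops
"""

# Constructed account table standing in for what getent passwd/group
# (or an LDAP-backed nsswitch) would return: user -> primary + supplementary groups.
ACCOUNTS: Dict[str, List[str]] = {
    "dviggiani": ["dviggiani", "sysadmins"],    # personal admin account
    "oncall":    ["oncall", "ops"],             # personal account in ops
    "guest":     ["guest", "ops"],              # refused by name despite ops membership
    "shared-db": ["shared-db", "sysadmins"],    # refused by the shared-* wildcard
    "backup":    ["backup", "shared", "ops"],   # DenyGroups is checked before AllowGroups
    "jdoe":      ["jdoe", "users"],             # no membership in an allowed group
}


def parse_access_directives(text: str) -> Dict[str, List[str]]:
    """Collect DenyUsers/AllowUsers/DenyGroups/AllowGroups from sshd_config text.

    Keywords are case-insensitive and patterns are whitespace separated;
    repeated directives accumulate, as they do in sshd.  Simplification:
    the "Keyword=value" spelling and Match blocks are not handled.
    """
    directives: Dict[str, List[str]] = {
        "denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": [],
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key in directives:
            directives[key].extend(parts[1:])
    return directives


def _matches(name: str, patterns: List[str]) -> bool:
    # sshd patterns use '*' and '?' wildcards; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def login_permitted(directives: Dict[str, List[str]], user: str,
                    groups: List[str]) -> Tuple[bool, str]:
    """Apply the documented evaluation order and report which directive decided."""
    if _matches(user, directives["denyusers"]):
        return False, "DenyUsers"
    if directives["allowusers"] and not _matches(user, directives["allowusers"]):
        return False, "AllowUsers"
    if any(_matches(g, directives["denygroups"]) for g in groups):
        return False, "DenyGroups"
    if directives["allowgroups"] and not any(
            _matches(g, directives["allowgroups"]) for g in groups):
        return False, "AllowGroups"
    return True, "permitted"


def audit(config_text: str, accounts: Dict[str, List[str]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every account against the config; useful as a pre-deployment check."""
    directives = parse_access_directives(config_text)
    return {user: login_permitted(directives, user, grps)
            for user, grps in accounts.items()}


if __name__ == "__main__":
    for user, (ok, why) in audit(SSHD_CONFIG, ACCOUNTS).items():
        print(f"{user:12s} {'allow' if ok else 'deny':5s} ({why})")
```

The point to take from the audit is the one relevant to Domenico's requirement: as soon as AllowGroups is present, LDAP-backed "personal" accounts must be placed in one of the listed groups or sshd refuses them too, while a generic account stays blocked even if someone adds it to an allowed group. Run the real host's file through `sshd -t` after editing to catch syntax errors before restarting the daemon.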
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
