I updated pam_access to work for all of the PAM controls and it seems to be 
doing the job.
I still have to test it from outside the local network to be sure.

Do you know if anyone would be interested in incorporating the changes that I 
made to the .77 version?

With very minor mods, they should work for the .99 version as well.

PAM seems very useful once you get into it. It does not seem to have the 
documentation that would be required for most people to get more out of it. Too 
much "inside the beltway" for the average system administrator.


I suppose in a web-centric world, there are other more obvious ways to skin a 
cat but one wonders how useful it could be if there was some documentation. It 
certainly seems like a very good idea and quite flexible from what I can figure 
out.

Thanks to everyone for the advice and encouragement. You were right, it can be 
made to do what I want.


Ron

-----Original Message-----
From: Barry Brimer [mailto:[EMAIL PROTECTED]
Sent: March 31, 2006 6:13 PM
To: Ron Wheeler
Subject: Re: using PAM to permit local users.


Quoting Ron Wheeler <[EMAIL PROTECTED]>:

> I am using pam_listfile to permit a small list of users to have access to
> sshd no matter where they log in.
> I also have to permit ssh access to any user on our local network. With
> listfiles I have to list every machine name on the network. This is a bit of a
> pain.
>
> If listfiles understood wildcards, it would be ok. (*.silonex.com)
>
> To go at the problem more directly, how hard would it be to build a new
> plug-in to take a network description and determine if the user is attached
> to that network?
>
> auth required pam_localnet sense=allow          tests for 192.168.x.x or
> 10.x.x.x or ??? (I think there is one other private address range)
>
> OR
>
> auth required pam_net sense=allow net=192.168.1.0,205.151.82.0         test
> for an arbitrary network  this is more complex but perhaps more useful.
>
> This would solve my problem
>
> auth   [success=1]   pam_listfile.so sense=allow file=/etc/sshd/allowedusers
> auth   required         pam_localnet.so sense=allow
> auth   required         pam_winbind.so
> auth   required         pam_nologin.so

Have you considered pam_access?

Barry
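
Added example, not part of either message and not pam_access code: the origin test that the proposed pam_localnet / pam_net module would need, written in C. The helper names and the CIDR `net/prefix` notation are assumptions; the third private range the question asks about is 172.16.0.0/12 (RFC 1918).

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return 1 if the dotted-quad addr lies inside
 * cidr ("192.168.1.0/24"), else 0. Malformed input, including a
 * hostname instead of an address, fails closed (returns 0). */
int in_cidr(const char *addr, const char *cidr)
{
    char net[INET_ADDRSTRLEN];
    struct in_addr a, n;
    const char *slash = strchr(cidr, '/');
    char *end;
    long bits;
    uint32_t mask;

    if (!slash || (size_t)(slash - cidr) >= sizeof net)
        return 0;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';

    /* Prefix length must be a complete decimal number in 0..32. */
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
        return 0;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;

    /* Build the mask in network byte order; /0 matches everything. */
    mask = bits ? htonl(0xFFFFFFFFu << (32 - bits)) : 0;
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Hypothetical helper: 1 if addr is in one of the three RFC 1918 ranges. */
int is_private_origin(const char *addr)
{
    static const char *const rfc1918[] = {
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"
    };
    size_t i;

    for (i = 0; i < sizeof rfc1918 / sizeof rfc1918[0]; i++)
        if (in_cidr(addr, rfc1918[i]))
            return 1;
    return 0;
}
```

In a PAM module the address would come from the `PAM_RHOST` item, which can hold a hostname rather than an IP address; this check rejects a hostname instead of trusting a reverse-DNS name.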
