LinuxQuestions.org


twsnnva 03-22-2005 01:33 PM

Allowing/Denying login by group
 
We are using an LDAP database to store user and group accounts. Currently any user in the database can log in to any server. We have one server that hosts sensitive data and only certain users should be able to access it. I would like to create a group in LDAP, and allow only members of that group login privileges to that server. I tried using /etc/login.access to achieve this, but even with the only line "-:ALL:ALL", anyone in LDAP can successfully log in to the system. Any suggestions?

cylix 03-22-2005 02:05 PM

I was hoping to resolve this with an answer that involved pam... however, this is not the case.

pam seems to be the mythical documentation beast. We know it exists, but hell it's a pain to work magic with it. Hopefully, another veteran can find some insight in that area.

In any event, assuming sshd is your form of remote terminal access, you can just specify AllowGroups in your sshd_config file.

AllowGroups takes a list of groups that are allowed to login and all others will be denied access.

So assuming 'getent group' is working on your system this should do fine.
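
Added example, not part of cylix's post: a shell sketch that previews which accounts an AllowGroups line would admit, run over a constructed sshd_config fragment and constructed `getent group` output. The group and user names are hypothetical, and it reads only the member lists, so the primary group and wildcard patterns that sshd also matches are not modelled.

```shell
#!/bin/sh
# Constructed sample data; all group and user names are hypothetical.
SSHD_CONFIG_SAMPLE='# sshd_config fragment (constructed)
PermitRootLogin no
AllowGroups sensitive-admins wheel
'
GETENT_GROUP_SAMPLE='wheel:x:10:root
staff:*:2000:alice,bob,carol
sensitive-admins:*:2001:alice,carol
'

# Print every group named on AllowGroups lines, one per line.
# The keyword is case-insensitive and repeated directives accumulate.
allowed_groups() {
    printf '%s\n' "$1" | awk 'tolower($1) == "allowgroups" {
        for (i = 2; i <= NF; i++) print $i }'
}

# Print the groups (in `getent group` format, $2) that list user $1 as a member.
# Assumption: primary-group membership is not visible here and is ignored.
groups_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Succeed if user $1 is a listed member of at least one allowed group.
# With no AllowGroups line sshd applies no group filter, so everyone passes.
user_admitted() {
    allowed=$(allowed_groups "$2")
    if [ -z "$allowed" ]; then return 0; fi
    for g in $(groups_of "$1" "$3"); do
        if printf '%s\n' "$allowed" | grep -qxF -- "$g"; then return 0; fi
    done
    return 1
}

for u in alice bob carol; do
    if user_admitted "$u" "$SSHD_CONFIG_SAMPLE" "$GETENT_GROUP_SAMPLE"; then
        echo "$u: admitted"
    else
        echo "$u: denied"
    fi
done
```

On a live host the same functions can be fed `"$(cat /etc/ssh/sshd_config)"` and `"$(getent group)"`; an LDAP group that is missing from the `getent` output cannot admit anyone.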

twsnnva 03-22-2005 03:14 PM

Yeah, that's the only thing I can do (restrict ssh access). Considering the server is locked in the server root, it should actually be quite secure. What if the server weren't physically secure though? There has to be some way to do this.


All times are GMT -5.