LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-24-2010, 09:57 AM   #1
Poil
LQ Newbie
 
Registered: Feb 2008
Posts: 5

Rep: Reputation: 0
Question ssh local account / ldap account


Hi,
Here is my problems :

Today,
- Ldap accounts are allowed to connect on SSH
- Local account are not allowed to connect on SSH
Ldap account is allowed by "/etc/pam/sshd" :
Code:
auth       required     pam_listfile.so item=group sense=allow file=/etc/security/allowed-groups onerr=succeed
I would like to :
- Permit LDAP account to connect on SSH with a publickey or a password
- Permit Local account to connect on SSH with a publickey but deny with password)

They are some options on sshd_config like PubkeyAuthentication and PasswordAuthentication; but these options seem to be for all account.

Is there any way to do this ?
If possible, I don't want to put all my local users in a same "global local group"

Best regards,
 
Old 02-24-2010, 01:55 PM   #2
never say never
Member
 
Registered: Sep 2009
Location: Indiana, USA
Distribution: SLES, SLED, OpenSuse, CentOS, ubuntu 10.10, OpenBSD, FreeBSD
Posts: 195

Rep: Reputation: 37
Only way I can think of to accomplish what you want is to run multiple ssh daemons. That of course means you will have to select a port other than port 22 for one of them.
 
Old 02-24-2010, 06:26 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
If you can separate them into 2 groups, I think the sshd_config Match option http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5 will do the trick.
 
Old 02-25-2010, 04:44 AM   #4
Poil
LQ Newbie
 
Registered: Feb 2008
Posts: 5

Original Poster
Rep: Reputation: 0
That was exactly what I want, but Match option is in opensshd>=4.4
I'm using RHEL5.4 who have got a 4.3 ...

Last edited by Poil; 02-25-2010 at 04:49 AM.
 
Old 02-25-2010, 09:43 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
You might want to check that; RH backport changes, so the version num doesn't change, but the release num does.
Quote:
Software as Packages
• package-version-release.arch.rpm
• version - upstream developer version
• release - packager modifies (fixes/backports documented in “changelog”)
• arch - processor architecture of binaries
 
Old 02-26-2010, 01:04 AM   #6
Poil
LQ Newbie
 
Registered: Feb 2008
Posts: 5

Original Poster
Rep: Reputation: 0
Unhappy

This functionnality isn't backported

https://bugzilla.redhat.com/show_bug.cgi?id=529918
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP authentication without local account viveksnv Linux - Security 2 10-12-2009 07:39 PM
Erased old account for new one; forgot to give admin priv to new account. RHLinuxGUY Ubuntu 3 08-10-2008 07:56 PM
Why is my common account can't open Terminal in XFCE4 but root account? notsay Slackware 4 08-18-2007 11:29 PM
LDAP Account Manager metallica1973 Linux - Networking 1 03-10-2007 01:04 AM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM


All times are GMT -5. The time now is 08:29 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration