LinuxQuestions.org


sunhui 08-23-2006 08:22 PM

Login Authentication
 
I have three servers, 192.168.0.1, 192.168.0.2 and 192.168.0.3,
and have already set up OpenLDAP authentication, with 192.168.0.1 as
the master LDAP server. Users can now authenticate via LDAP and
then access the servers. However, some users should not be allowed to
log in to 192.168.0.2, but currently they can log in to this server via LDAP because
the LDAP server accepts the authentication. For example, when a user runs
'ssh 192.168.0.2', LDAP accepts the authentication and then allows the
user to log in to this server. Can you advise how to prevent unauthorized
users from accessing 192.168.0.2? Thanks.

KenJackson 08-23-2006 09:37 PM

The SSH daemon on 192.168.0.2 can have an itemized list of either users or groups that are either allowed or denied access in the /etc/ssh/sshd_config file. See 'man sshd_config'.

For example:
Code:

AllowUsers fred steve slim
DenyUsers cracker sloppy

AllowGroups engineer science
DenyGroups account* manage*

Note that you could create a new supplemental group for this purpose and only put authorized users in that group. Then you could add users to the group and remove them as the needs change.
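
As an added illustration (not part of the original post), the following Python sketch models how sshd combines the four directives in the sample above: they are checked in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login must pass every list that is set. The user names' group memberships are constructed, and USER@HOST entries and negated patterns are not modelled.

```python
import re

# The sample directives from the post above.
SAMPLE_CONFIG = """
AllowUsers fred steve slim
DenyUsers cracker sloppy
AllowGroups engineer science
DenyGroups account* manage*
"""

def _match(name, patterns):
    """True if name matches any pattern; only '*' and '?' wildcards are handled."""
    for pat in patterns:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                     for c in pat)
        if re.fullmatch(rx, name):
            return True
    return False

def parse_access_lists(config_text):
    """Collect the four access-list directives from sshd_config-style text."""
    lists = {"denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": []}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        # Keywords are case-insensitive; repeated directives accumulate.
        if parts and parts[0].lower() in lists:
            lists[parts[0].lower()].extend(parts[1:])
    return lists

def login_allowed(user, groups, lists):
    """Return (allowed, reason) for a user and the groups the system resolves."""
    if _match(user, lists["denyusers"]):
        return False, "DenyUsers"
    if lists["allowusers"] and not _match(user, lists["allowusers"]):
        return False, "not in AllowUsers"
    if any(_match(g, lists["denygroups"]) for g in groups):
        return False, "DenyGroups"
    if lists["allowgroups"] and not any(_match(g, lists["allowgroups"]) for g in groups):
        return False, "not in AllowGroups"
    return True, "allowed"

if __name__ == "__main__":
    lists = parse_access_lists(SAMPLE_CONFIG)
    # Constructed users and group memberships, for illustration only.
    for user, groups in [("fred", ["engineer"]), ("fred", ["users"]),
                         ("steve", ["science", "accounting"]), ("bob", ["engineer"])]:
        print(user, groups, login_allowed(user, groups, lists))
```

With both AllowUsers and AllowGroups set, being listed in AllowUsers is not enough: the user must also belong to an allowed group. A configuration with only an AllowGroups line naming the dedicated supplemental group avoids that interaction.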

sunhui 08-24-2006 03:02 AM

Quote:

Originally Posted by KenJackson
The SSH daemon on 192.168.0.2 can have an itemized list of either users or groups that are either allowed or denied access in the /etc/ssh/sshd_config file. See 'man sshd_config'.

For example:
Code:

AllowUsers fred steve slim
DenyUsers cracker sloppy

AllowGroups engineer science
DenyGroups account* manage*

Note that you could create a new supplemental group for this purpose and only put authorized users in that group. Then you could add users to the group and remove them as the needs change.

Thanks for the reply.
How about telnet instead of ssh? How do I do what you said? Thanks in advance.

KenJackson 08-24-2006 05:25 AM

To control logins via telnet, I believe you would have to use PAM, by creating or modifying a file, probably /etc/pam.d/telnetd, with some rules in it. I don't know enough to give instructions. See 'man pam'.

Also note that, at least on my Mandriva system, the file /etc/pam.d/sshd references a list of banned users, /etc/ssh/denyusers, so you could also use PAM to control SSH access. In fact, that's probably the preferred method.

