Local user controls who may SSH


If the user is logged in on the console or via KDM, they are allowed to edit /etc/users_allowed_ssh, in which they may list the accounts allowed to SSH to their machine. The configuration files must be set up like this. In /etc/security/group.conf there must be a line that gives matching console and KDM logins membership of the sshadmin group:

  <snip>
kdm|login; *; p*; Al0000-2400; sshadmin

And of course the file /etc/users_allowed_ssh must exist and have appropriate permissions and ownership:

addgroup --system sshadmin
echo "#Users listed in this file are allowed to ssh to this machine" > /etc/users_allowed_ssh
chgrp sshadmin /etc/users_allowed_ssh
chmod 660 /etc/users_allowed_ssh

Finally, we need to enforce that only users listed in /etc/users_allowed_ssh may log in over SSH. We do this in /etc/pam.d/sshd:

  <snip>
# auth methods here are independent of /etc/users_allowed_ssh
auth requisite pam_listfile.so onerr=fail item=user sense=allow file=/etc/users_allowed_ssh
# auth methods here only evaluated if user listed in /etc/users_allowed_ssh
  <snip>
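To see what the two configuration lines above actually decide, here is an added Python model (not code from this page or from PAM itself) of pam_group's group.conf rule matching and pam_listfile's sense=allow/onerr=fail check, limited to the field syntax the page uses. It assumes pam_group.so is present in the kdm and login auth stacks, since that is what makes group.conf take effect; the user names, time and list file in demo() are constructed.

```python
# Added model, not page code; assumes pam_group.so is in the kdm/login auth stacks.
import datetime as dt
import os
import tempfile
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

def _field_matches(field, value):
    """pam_group field: '|'-separated alternatives; a trailing '*' is a prefix wildcard."""
    return any(value.startswith(p[:-1]) if p.endswith("*") else p == value
               for p in (x.strip() for x in field.split("|")))

def _time_matches(spec, when):
    """'Al0000-2400': two-letter day codes, then HHMM-HHMM (end is exclusive)."""
    days, start, end = spec[:-9], int(spec[-9:-5]), int(spec[-4:])
    return (any(when.weekday() in DAYS[days[i:i + 2]] for i in range(0, len(days), 2))
            and start <= when.hour * 100 + when.minute < end)

def groups_granted(rule, service, tty, user, when):
    """Groups a 'services; ttys; users; times; groups' rule adds when every field matches."""
    services, ttys, users, times, groups = (f.strip() for f in rule.split(";"))
    if (_field_matches(services, service) and _field_matches(ttys, tty)
            and _field_matches(users, user) and _time_matches(times, when)):
        return {g.strip() for g in groups.split(",")}
    return set()

def listfile_allows(path, user):
    """pam_listfile.so onerr=fail item=user sense=allow file=<path>: allow only if a
    line equals the login name; a missing (onerr=fail) or world-writable file denies."""
    try:
        if os.stat(path).st_mode & 0o002 or not os.path.isfile(path):  # S_IWOTH set?
            return False  # the module refuses world-writable or non-regular files
        with open(path) as fh:
            return any(line.rstrip("\n") == user for line in fh)
    except OSError:
        return False

def demo():
    """Constructed scenario: the page's rule, a console login and a sample list file."""
    rule = "kdm|login; *; p*; Al0000-2400; sshadmin"
    when = dt.datetime(2024, 5, 6, 9, 30)  # a Monday morning; the rule says Al(l days)
    listfile = os.path.join(tempfile.mkdtemp(), "users_allowed_ssh")
    with open(listfile, "w") as fh:
        fh.write("#Users listed in this file are allowed to ssh to this machine\npeter\n")
    os.chmod(listfile, 0o660)
    return {"console_login_gets": groups_granted(rule, "login", "tty1", "peter", when),
            "ssh_session_gets": groups_granted(rule, "sshd", "pts/0", "peter", when),
            "peter_may_ssh": listfile_allows(listfile, "peter"),
            "mallory_may_ssh": listfile_allows(listfile, "mallory"),
            "missing_file_allows": listfile_allows(listfile + ".gone", "peter")}
```

Note that sshd consults the PAM auth stack only for password and keyboard-interactive logins (and only with UsePAM yes); public-key logins skip it, so if keys are accepted the same pam_listfile line should also be placed in the account stack of /etc/pam.d/sshd.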