Re: SSH groups
- To: Dave Macias <davama@gmail.com>
- Subject: Re: SSH groups
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 19 Feb 2020 19:38:20 +0100
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Content-language: en-US
- In-reply-to: <CA+nFYV-WT4_oHPAXZbOEshCJHTNwbez5-nPd7GDLrOYhTxok9w@mail.gmail.com>
- References: <AC174E14-271E-400D-BFA0-17B2B265F3F4@wildberries.ru> <d1db6cbf-4ee9-3372-1cb7-c96dd311aee1@stroeder.com> <CA+nFYV-WT4_oHPAXZbOEshCJHTNwbez5-nPd7GDLrOYhTxok9w@mail.gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
On 2/19/20 7:05 PM, Dave Macias wrote:
> If trying to access via ssh you can add to sshd_config file
>
> # you gonna want root group....
> AllowGroups root blabla bla2 bla3
Yes, that's one of the client-side solutions for limiting SSH access.
But you have to configure all the clients. With a decent config
management that's not that hard anymore. Still you have to model the
access control scheme in your config management.
Still it's much nicer to just modify LDAP entries to make an access
control change without having to reconfigure the Linux client systems.
Ciao, Michael.
> On Wed, Feb 19, 2020 at 1:01 PM Michael Ströder <michael@stroeder.com
> <mailto:michael@stroeder.com>> wrote:
>
> On 2/19/20 9:55 AM, Клеусов Владимир Сергеевич wrote:
> > I connected ldap linux clients to the OpenLDAP server.
> > I need to make a certain group of users able to connect to certain
> > computers. How do I do this ?
> With most LDAP posix user management deployments you have to configure
> the Linux clients to query only certain user groups or configure other
> PAM access control or similar.
>
> My Æ-DIR (based on OpenLDAP) provides views to the Linux clients based
> on hosts' service group membership and the user groups referenced:
>
> https://www.ae-dir.com/docs.html#er-roles
>
> So no need to configure the clients (except bind-DN and host password).
>
> If you have many clients consider using aehostd for better search
> performance / less load (see https://ae-dir.com/aehostd.html).
>
> Ciao, Michael.
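The thread above contrasts two ways of restricting SSH logins to certain groups: sshd's own `AllowGroups` directive on every client, or access control modelled in LDAP. The following is an added example, not code from this thread or from any of its authors or from OpenLDAP: a small Python model of how sshd evaluates `DenyUsers`, `AllowUsers`, `DenyGroups` and `AllowGroups` (in that order, as documented in sshd_config(5)), so an administrator can check a planned directive against real accounts before rolling it out. It shows why the "you gonna want root group" remark matters: once `AllowGroups` is present, any account not in a listed group is refused, root included. The configuration excerpt and user/group data are constructed for the example; `Match` blocks, `user@host` patterns and `!` negation are not modelled.

```python
"""Model of sshd's user/group allow/deny evaluation (added example).

Order of evaluation follows sshd_config(5): DenyUsers, AllowUsers,
DenyGroups, AllowGroups. Patterns may use '*' and '?' wildcards.
Match blocks, user@host forms and '!' negation are out of scope here.
"""
import fnmatch

# Directives in the order sshd applies them (sshd_config(5)).
ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

# Constructed sshd_config excerpt for the example; not from the thread.
SAMPLE_CONFIG = """
# constructed excerpt: only members of ssh-users or wheel may log in,
# and anyone in contractors is refused even if also in ssh-users
PermitRootLogin prohibit-password
AllowGroups ssh-users wheel
DenyGroups contractors
"""


def parse_sshd_config(text):
    """Collect the four access directives from an sshd_config snippet.

    Repeated occurrences of a directive are merged. Keywords are matched
    case-insensitively, as sshd does; comments and blank lines are skipped.
    """
    rules = {k: [] for k in ORDER}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for key in ORDER:
            if parts[0].lower() == key.lower():
                rules[key].extend(parts[1:])
    return rules


def _matches(name, patterns):
    # fnmatchcase gives '*' and '?' semantics close to sshd's patterns.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def ssh_access_allowed(rules, user, groups):
    """Return (allowed, reason) for `user` whose group names are `groups`.

    `groups` should include the primary group and all supplementary groups,
    since sshd checks every group the account belongs to.
    """
    if _matches(user, rules["DenyUsers"]):
        return False, "matched DenyUsers"
    if rules["AllowUsers"] and not _matches(user, rules["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if any(_matches(g, rules["DenyGroups"]) for g in groups):
        return False, "member of a DenyGroups group"
    if rules["AllowGroups"] and not any(
        _matches(g, rules["AllowGroups"]) for g in groups
    ):
        return False, "not a member of any AllowGroups group"
    return True, "allowed"


def audit_sample():
    """Evaluate a few constructed accounts against SAMPLE_CONFIG."""
    rules = parse_sshd_config(SAMPLE_CONFIG)
    accounts = {
        # user: group names (constructed)
        "alice": ["alice", "ssh-users"],
        "bob": ["bob", "ssh-users", "contractors"],  # DenyGroups wins
        "root": ["root"],  # locked out: root is not in AllowGroups
    }
    return {u: ssh_access_allowed(rules, u, g) for u, g in accounts.items()}


if __name__ == "__main__":
    for user, (allowed, reason) in audit_sample().items():
        print(f"{user:6s} {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

Running the block prints one line per constructed account; the `root` line is the lock-out case the thread warns about, and adding `root` to the `AllowGroups` line (or keeping a break-glass group in it) is what avoids it on every client that carries this configuration.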