pam and ftp


 



I'm looking for a way to restrict specified users to a specific
interface or network.  Our ftp server is in a DMZ and I'd like some
accounts to be able to ftp in only from the internal network.  Either
interface name or a list of subnets would be acceptable.

From the research I've done, pam_listfile gets close.  It restricts
globally using the ftpusers file.  If I could combine this with an
interface, then I could have ftpusers-internal and ftpusers-external
restrictions.

2 questions:  At this point in the authentication process, does
pam_listfile know what interface or subnet the user came in on?
Obviously I'm not much of a PAM expert.  Secondly, if this information
is known, how much effort would it be to add the option to pam_listfile?
Interface name would be preferred since eth0 is much easier to deal with
than 10 subnets...

Am I barking up the wrong tree?  Is there another mechanism that I'm not
aware of yet that is better suited to this level of checking?  

This server is currently running 6.2 (pam 0.72)

Thanks,
        .../Ed

-- 
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@ewilts.org
Member #1, Red Hat Community Ambassador Program



_______________________________________________

Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
