Hi,
I've been trying to implement netgroup-based centralized authentication
control with pam. The downside of using pam_access with the @users@@hosts
syntax is that when you have a group of users and a group of hosts, it
seems all the users are allowed to log in to those hosts in the defined
group. Therefore that requires configuration on every host - a host has
to know which group to honor. pam_access doesn't seem to check the host
entry in the triple either.
A little exploration showed pam_succeed_if seems to have an "innetgr"
option, so I thought it would have been the solution, which it wasn't, as
PAM_RHOST is given as an argument to innetgr() instead of the local host
name, so it would have been possible to limit the hosts users can log in
from but not where users can log in to. So my question is, is there any
standard pam module with netgroup checking capabilities except
pam_access? One that would allow using the machine's own hostname in the
innetgr call instead of PAM_RHOST? With one, one could pretty easily
centralize login access control - in this case to ldap, as the machines
are already authenticating from there - without the need to have
different configurations on different machines. Instead you would be
able to write user and host pairs to ldap without touching the servers.
-lassi
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
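The distinction the post draws, the host field of a netgroup triple being PAM_RHOST (where the user comes from) versus the local hostname (where the user logs in to), as an added example that is not part of the original post or of any PAM module. It implements innetgr(3)-style triple matching over a constructed netgroup map (the netgroup and host names are hypothetical) and shows both checks side by side.

```python
"""Netgroup triple matching in the style of innetgr(3), with the two
policy checks the post contrasts. Constructed data, not a real directory."""

# Constructed netgroup map (hypothetical names). Each member is either a
# (host, user, domain) triple or the name of a nested netgroup. An empty
# field is a wildcard, as in NIS/LDAP netgroup triples.
NETGROUPS = {
    "webadmins": [("", "alice", ""), ("", "bob", "")],
    # (host, user) pairs: the per-machine policy the post wants in LDAP.
    "web_access": [("web1.example.org", "alice", ""),
                   ("web2.example.org", "bob", ""),
                   "dbpairs"],
    "dbpairs": [("db1.example.org", "carol", "")],
}


def _field_matches(pattern, value):
    # Empty triple field matches anything; a None argument means "don't care".
    return pattern == "" or value is None or pattern == value


def innetgr(netgroup, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is in netgroup; follows nested groups
    and stops on cycles, like the libc call the PAM modules use."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen:
        return False
    _seen.add(netgroup)
    for entry in NETGROUPS.get(netgroup, []):
        if isinstance(entry, str):  # nested netgroup
            if innetgr(entry, host, user, domain, _seen):
                return True
            continue
        h, u, d = entry
        if (_field_matches(h, host) and _field_matches(u, user)
                and _field_matches(d, domain)):
            return True
    return False


def allowed_by_rhost_check(netgroup, user, pam_rhost):
    """What a PAM_RHOST-based innetgr check evaluates: the host field is the
    machine the user connects FROM, so it cannot express 'user X on host Y'."""
    return innetgr(netgroup, host=pam_rhost, user=user)


def allowed_on_this_host(netgroup, user, local_hostname):
    """The check the post asks for: the host field is the machine being
    logged in TO, so (host, user) pairs in the directory decide access."""
    return innetgr(netgroup, host=local_hostname, user=user)
```

With the map above, alice logging in to web2 from web1 passes the PAM_RHOST-style check but fails the local-hostname check, which is the gap the post describes.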