On November 16, 2003 09:40 pm, Himanshu Arora wrote:
> Hi All!
> I want to know how I can force a particular user to log in on a
> server from a particular PC. I also want root to be able to log in only from
> one place at a time. How can I do this?
>
> Regards
> Himanshu Arora
> IIIT Hyderabad

Hi,
for restricting a user ID on the local machine to coming from a particular remote machine, presuming ssh, you can use tcpwrappers combined with pam. This is not the best for a security-based solution unless you want to get into key-based authentication, but it does a pretty good job. (I have a more secure setup in the docs area as "Limiting SSH Access" at www.linux1.ca).

See the "hosts_access" man pages for tcpwrappers, but basically add to /etc/hosts.allow:

    # the remote to connect from
    sshd: 123.123.123.123

Note that you need to set up tcpwrappers properly, not just add that line, or you may have other connectivity issues. I will not address that unless needed.

The pam part is a bit more complicated. Basically, edit /etc/pam.d/sshd, adding
"/lib/security/pam_access.so accessfile=/etc/security/access.conf_ssh"

    touch /etc/security/access.conf_ssh

and add to it:

    +:ALL:192.168.1.0. mymachine.mylan.com .localdomain
    +:the_user:.myremotesite.com
    -:ALL:ALL

That allows all machines, any ID on the local net (198...) and "the_user" from the site "myremotesite.com", and rejects all others. This assumes that "the_user" is not accessing from within your local network.

Not sure about it offhand, but there should be a way to limit the number of root accesses, maybe also via pam(?). Can't help with that one.

--
Pete Nesbitt, rhce
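
Added example, not part of the original message and not pam_access's own code: a small Python model of the first-match rule evaluation documented in access.conf(5), run over the three rules posted above so a rule file can be checked before it is deployed. It also goes one step past the post by testing a constructed variant in which the network number is written as the prefix "192.168.1."; the user "bob" and host "gw.myremotesite.com" are constructed sample logins.

```python
# Simplified model of access.conf(5) matching; an assumption, not pam_access
# itself: no DNS lookups, netgroups, groups or netmask forms.

def origin_matches(tok, origin):
    """Match one origins-field token against the remote host string PAM sees."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                      # LOCAL: any origin without a dot
        return "." not in origin
    if tok.startswith("."):                 # domain: suffix of the host name
        return len(origin) > len(tok) and origin.lower().endswith(tok.lower())
    if tok.endswith("."):                   # network number: address prefix
        return origin.startswith(tok)
    return tok.lower() == origin.lower()    # exact host name or address

def parse(text):
    """Return (permission, users, origins) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: " + line)
        rules.append((perm, users.split(), origins.split()))
    return rules

def allowed(rules, user, origin):
    """First matching rule decides; no match at all means access is granted."""
    for perm, users, origins in rules:
        user_hit = "ALL" in users or user in users
        if user_hit and any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True

# Rules exactly as posted in the message above.
POSTED = """
+:ALL:192.168.1.0. mymachine.mylan.com .localdomain
+:the_user:.myremotesite.com
-:ALL:ALL
"""
# Constructed variant: network number written as the prefix "192.168.1."
PREFIX = POSTED.replace("192.168.1.0.", "192.168.1.")

if __name__ == "__main__":  # constructed sample logins
    for user, origin in [("the_user", "gw.myremotesite.com"), ("bob", "192.168.1.25")]:
        for name, text in (("posted", POSTED), ("prefix", PREFIX)):
            print(name, user, origin, allowed(parse(text), user, origin))
```

Under this model the token "192.168.1.0." is compared as a literal address prefix, so it does not cover 192.168.1.25, while "192.168.1." does.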