On Sun, 16 Nov 2003, Pete Nesbitt wrote:

> On November 16, 2003 09:40 pm, Himanshu Arora wrote:
> > Hi All!
> > I want to know how I can force a particular user to login on a
> > server from a particular PC? I also want that root can login only from
> > one place at a time. How can I do this?
> >
> > Regards
> > Himanshu Arora
> > IIIT Hyderabad
>
> Hi,
> For restricting a userid on the local machine coming from a particular remote
> machine, presuming ssh, you can use tcpwrappers combined with pam. This is
> not the best for a security based solution unless you want to get into key
> based authentication, but it does a pretty good job.
> (I have a more secure setup in the docs area as "Limiting SSH Access" at
> www.linux1.ca).
>
> See the "hosts_access" man pages for tcpwrappers, but basically add to
> /etc/hosts.allow:
> sshd: 123.123.123.123 # the remote to connect from.
> Note that you need to set up tcpwrappers properly, not just add that line, or
> you may have other connectivity issues. I will not address that unless
> needed.
>
> The pam part is a bit more complicated.
> Basically edit /etc/pam.d/sshd
> adding "/lib/security/pam_access.so accessfile=/etc/security/access.conf_ssh"
> touch /etc/security/access.conf_ssh
> add to it:
> +:ALL:192.168.1.0. mymachine.mylan.com .localdomain
> +:the_user:.myremotesite.com
> -:ALL:ALL
>
> That allows all machines, any ID on the local net (198...) and "the_user" from
> the site "myremotesite.com" and rejects all others.
> This assumes that "the_user" is not accessing from within your local network.
>
> Not sure about it off hand, but there should be a way to limit the number of
> root accesses, maybe also via pam(?). Can't help with that one.

Be careful when using pam_access. pam_access makes the bad assumption that a user will have a tty allocated, and not all applications do this. For example, if you use pam_access to authenticate an inet service, your allowed users will always be rejected.
I know this because I found out the hard way. If you google around you will find people wondering why their ftp service refuses user logins when using pam_access to limit control.

Alternately, I do recommend taking a look at pam_listfile. It's simpler than pam_access, but unfortunately pam_listfile does not check where a connection is being made from, because that's hard to do universally in a pam module, and using tty info is probably the best you can hope for. For sshd though, tcpwrappers is probably the preferred path for limiting who can login from where, as discussed above by Peter Nesbitt.

-- 
Matthew Galgoci
System Administrator
Red Hat, Inc
919.754.3700 x44155
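Added example, not from the thread or from Linux-PAM: a small Python model of how pam_access walks an access file of the kind Pete describes, so the allow/deny result for a (user, origin) pair can be checked on paper before /etc/pam.d/sshd is touched, including the no-origin case Matthew warns about. The file contents and host names are constructed, and the matching rules (trailing-dot token is an address prefix, leading-dot token is a domain suffix, ALL matches anything, first matching line wins, no match means allow) are assumptions taken from the pam_access documentation.

```python
"""Simplified model of pam_access rule matching for the sshd setup in the thread.
Rules are checked top to bottom; the first line whose user list and origin list
both match decides, and access is granted if no line matches."""

# Constructed access file (not the one from the post). pam_access matches a
# trailing-dot token as a literal prefix of the address string, a leading-dot
# token as a domain suffix, and ALL matches anything.
ACCESS_CONF_SSH = """\
# +/-:users:origins
+:ALL:192.168.1. mymachine.mylan.com .localdomain
+:the_user:.myremotesite.com
-:ALL:ALL
"""


def parse_rules(text):
    """Return (allow, users, origins) tuples, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(token, origin):
    """Match one origin token against the remote host name or address."""
    if token == "ALL":
        return True
    if token.startswith("."):   # domain suffix, e.g. .myremotesite.com
        return origin.endswith(token)
    if token.endswith("."):     # address prefix, e.g. 192.168.1.
        return origin.startswith(token)
    return origin == token      # exact host name or address


def check_access(user, origin, text=ACCESS_CONF_SSH):
    """Decide whether `user` connecting from `origin` is allowed.

    Pass origin="" to model a service that hands PAM neither a remote host nor
    a tty: no host token matches, so the final -:ALL:ALL line rejects the user,
    which is the failure mode Matthew describes for inetd-style services."""
    for allow, users, origins in parse_rules(text):
        if any(u in ("ALL", user) for u in users) and \
                any(origin_matches(o, origin) for o in origins):
            return allow
    return True   # no line matched: pam_access grants access
```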