restrict remote logins to service accounts. 2006-01-17 - By Rene Grabner
Back David,
one can configure PAM to do this for you. First, for ssh just add in /etc/pam.d/sshd this line:
account required pam_access.so
Then you can define in /etc/security/access.conf who is allowed to log in, e.g.:
-:ALL EXCEPT root @trusted:ALL
Now, only root and members in netgroup 'trusted' are able to log in via ssh. Instead of netgroups you can also list the users directly, separated by spaces.
We use this successfully on a number of machines to easily restrict or permit logins via netgroups in LDAP (or NIS).
regards, Rene
On Tue, 2006-01-17 at 16:35, David.Knight@(protected) wrote:
> All,
> I have an issue with Admins/DBAs logging into my servers directly as
> service accounts such as user 'oracle'. I have had a hard time getting
> people to adopt the use of sudo. I am at the point where I need to
> restrict direct logins to these accounts. My goal is to force people
> to sudo to the service accounts from their assigned user account. I
> only allow ssh/scp connections to my servers. I have tried the
> sshd_config option "AllowUsers" but this also restricts scp logins. I
> can't restrict this, as automated processes run under the service
> accounts use scp. So the only thing I need to restrict is direct
> remote "ssh" logins.
> Any suggestions would be great.
>
> -David Knight
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list
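Added example, not code from the list post: a small Python model of how pam_access evaluates access.conf lines, so a rule set can be checked offline before it is dropped onto a fleet. It assumes a constructed netgroup table in place of LDAP/NIS, models only the subset used in the reply (ALL, EXCEPT, @netgroup, literal names, first matching rule wins), and goes one step beyond the reply by adding a per-origin rule for a service account; the origin host 10.0.0.7 is a constructed placeholder.

```python
# Simplified pam_access(8) matcher (added example, not from the post).
# Modelled: permission:users:origins, ALL, EXCEPT, @netgroup, literal names,
# first match wins. NOT modelled: LOCAL, tty names, host/domain wildcards.

# Constructed netgroup membership standing in for /etc/netgroup, NIS or LDAP.
NETGROUPS = {"trusted": {"alice", "bob"}}

# The rule from the reply: everyone except root and netgroup 'trusted' is denied.
ACCESS_CONF = "-:ALL EXCEPT root @trusted:ALL\n"

# Assumed extension: admit the service account only from one constructed
# origin host, then fall through to the same deny-everyone-else rule.
ACCESS_CONF_WITH_HOST = """\
+:oracle:10.0.0.7
-:ALL EXCEPT root @trusted:ALL
"""

def parse_access_conf(text):
    """Return [(permission, users_field, origins_field), ...]; comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users, origins))
    return rules

def _in_list(item, field, netgroups):
    """Space-separated list: ALL, @netgroup, or a literal user/host name."""
    for token in field.split():
        if token == "ALL" or token == item:
            return True
        if token.startswith("@") and item in netgroups.get(token[1:], set()):
            return True
    return False

def _match_field(item, field, netgroups):
    """Handle the optional 'list EXCEPT list' form of a users/origins field."""
    if " EXCEPT " in field:
        base, exc = field.split(" EXCEPT ", 1)
        return _in_list(item, base, netgroups) and not _in_list(item, exc, netgroups)
    return _in_list(item, field, netgroups)

def login_allowed(user, origin, conf_text, netgroups):
    """First rule whose users AND origins fields both match decides; none -> allowed."""
    for perm, users, origins in parse_access_conf(conf_text):
        if _match_field(user, users, netgroups) and _match_field(origin, origins, netgroups):
            return perm == "+"
    return True

if __name__ == "__main__":
    for user in ("root", "alice", "oracle"):
        print(user, [login_allowed(user, h, ACCESS_CONF_WITH_HOST, NETGROUPS)
                     for h in ("10.0.0.7", "10.0.0.5")])
```

Because the account stack in /etc/pam.d/sshd runs for every sshd session, the same verdict applies whether the client is ssh or scp; the model above lets you see that before enabling the rule.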