restrict remote logins to service accounts.

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Installation - Getting started with Red Hat Linux

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	X Windows problem (xauth)
•	Upgrading openoffice 1 1 rpm
•	FTP: connection refused
•	FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	broadcom network interface
•	make mrproper
•	sendmail configuration on redhat
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	Promise 378 controller
•	kernel 2 6 and /dev/sound/mixer not found
•	Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	Lotus Notes under Wine
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	Command stream end of file while reading
•	rpm database corrupt
•	qla2300 modules

restrict remote logins to service accounts.

restrict remote logins to service accounts.

2006-01-17 - By David.Knight@(protected)

Back

Reply: 1 2 3 4 5 6 7 8 9 10 >>

Rene,
I gave this a shot and it did indeed allow me to restrict based on a list
if users as describe. However it also rejects scp/sftp connections. Is
there a way to just configure it to reject ssh?

Thanks for the help.
David Knight

"Rene Grabner" <rene.grabner@(protected)>
Sent by: taroon-list-bounces@(protected)
01/17/2006 10:04 AM
Please respond to "Discussion of Red Hat Enterprise Linux 3 (Taroon)"

To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
<taroon-list@(protected)>
cc:
Subject: Re: restrict remote logins to service accounts.

David,

one can configure PAM to do this for you.
First, for ssh just add in /etc/pam.d/sshd this line:
account required pam_access.so

Then you can define in /etc/security/access.conf who is allowed to log
in, e.g.:

-:ALL EXCEPT root @(protected):ALL

Now, only root and members in netgroup 'trusted' are able to log in via
ssh. Instead of netgroups you can also list the users directly,
separated by spaces.

We use this successfully on a number of machines to easily restrict or
permit logins via netgroups in LDAP (or NIS).

regards,
Rene

On Tue, 2006-01-17 at 16:35, David.Knight@(protected) wrote:
> All,
> I have an issue with Admins/DBA's logging into my servers directly as
> service accounts such as user 'oracle'. I have had a hard time getting
> people to adopt the use of sudo. I am at the point where I need to
> restrict direct logins to these accounts. My goal is to force people
> to sudo to the service accounts from there assigned user account. I
> only allow ssh/scp connections to my servers. I have tried the
> sshd.config option "AllowUsers" but this also restricts scp logins. I
> can;t restrict this for automated processes run under the service
> accounts use scp. So the only thing I need to restrict is direct
> remote "ssh" logins.
> Any suggestions would be great.
>
> -David Knight
>

--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list

 Rene,
 I gave this a shot and it did indeed
allow me to restrict based on a list if users as describe. However it also
rejects scp/sftp connections. Is there a way to just configure it to reject
ssh?
 
 Thanks for the help.
 David Knight
 
 
 
 
<table width=100%>
<tr valign=top>
<td>
<td>"Rene Grabner" <rene.grabner
@(protected)>
 Sent by: taroon-list-bounces@(protected)
01/17/2006 10:04 AM
 Please respond to "Discussion of
Red Hat Enterprise Linux 3 (Taroon)"
<td>        
         To:
       "Discussion of Red Hat Enterprise
Linux 3 (Taroon)" <taroon-list@(protected)>
         cc:
       
         Subject:
       Re: restrict remote logins to service
accounts.</table>
 
 
 <tt>David, 
 
one can configure PAM to do this for you. 
First, for ssh just add in /etc/pam.d/sshd this line: 
account    required     pam_access.so 
 
Then you can define in /etc/security/access.conf who is allowed to log 
in, e.g.: 
 
-:ALL EXCEPT root @(protected):ALL 
 
Now, only root and members in netgroup 'trusted' are able to log in via 
ssh. Instead of netgroups you can also list the users directly, 
separated by spaces. 
 
We use this successfully on a number of machines to easily restrict or 
permit logins via netgroups in LDAP (or NIS). 
 
regards, 
Rene 
 
 
On Tue, 2006-01-17 at 16:35, David.Knight@(protected) wrote: 
> All, 
> I have an issue with Admins/DBA's logging into my servers directly
as 
> service accounts such as user 'oracle'. I have had a hard time getting 
> people to adopt the use of sudo. I am at the point where I need to 
> restrict direct logins to these accounts. My goal is to force people 
> to sudo to the service accounts from there assigned user account.
I 
> only allow ssh/scp connections to my servers. I have tried the 
> sshd.config option "AllowUsers" but this also restricts
scp logins. I 
> can;t restrict this for automated processes run under the service 
> accounts use scp. So the only thing I need to restrict is direct 
> remote "ssh" logins. 
> Any suggestions would be great. 
> 
> -David Knight 
> 
 
 
 
-- 
Taroon-list mailing list 
Taroon-list@(protected) 
https://www.redhat.com/mailman/listinfo/taroon-list 
</tt>
 
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list