When provisioning a machine (bare-metal or virtual) it is often useful to allow only a certain group of users to access it. Since all our Linux systems share a unified user base via AD, we can identify such a group of users through regular group management.
There are a few methods we make use of to achieve these restrictions.
/etc/security/access.conf
This is the login access control table. In this file you specify the users and groups that are allowed (or denied) access to the machine in question.
The following examples are all placed in access.conf.
Keep in mind that this file is parsed from top to bottom and the first matching rule wins, so the ordering of your directives DOES MATTER!
+ : acmadmin : ALL
+ : (adminGroup) : ALL
In this example, we are giving access (+) to the username acmadmin and to members of the group adminGroup (parentheses mark a group name) on ALL access points (origins).
- : ALL : ALL
This will disallow login by all users from all sources. This should generally be the very last directive in the file, since pam_access permits access when no rule matches.
Full example for /etc/security/access.conf
+:root:ALL
+:acmadmin:ALL
+:(wheel):ALL
+:(AcmLanAdmins):ALL
-:ALL:ALL
Add the following line to /etc/pam.d/system-login so that the table is enforced:
auth required pam_access.so
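To check a policy before rolling it out, here is an added Python example (not pam_access itself and not part of the original page) that parses the subset of access.conf syntax used above and evaluates it with the same top-to-bottom, first-match semantics. The embedded ACCESS_CONF is a constructed copy of the full example; user names, group lists and origins passed to evaluate() are made-up test inputs. EXCEPT clauses and netgroups are deliberately rejected rather than approximated, and unreachable_rules() flags directives shadowed by a catch-all rule placed too early.

```python
"""Toy evaluator for /etc/security/access.conf rules (added example, not pam_access).

Models the subset used on this page: '+'/'-' permission, space-separated
user or (group) lists, and ALL/LOCAL/exact origins. EXCEPT clauses and
netgroups (@name) raise instead of being silently mishandled.
"""
from dataclasses import dataclass

# Constructed copy of the page's full example file.
ACCESS_CONF = """\
+:root:ALL
+:acmadmin:ALL
+:(wheel):ALL
+:(AcmLanAdmins):ALL
-:ALL:ALL
"""


@dataclass
class Rule:
    permit: bool
    subjects: list   # user names, or (group) names
    origins: list    # ALL, LOCAL, tty names, host names
    lineno: int


def parse_access_conf(text):
    """Parse access.conf text into an ordered list of Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        subjects, origins = fields[1].split(), fields[2].split()
        if "EXCEPT" in subjects + origins or any(s.startswith("@") for s in subjects):
            raise NotImplementedError(f"line {lineno}: EXCEPT/netgroups not modelled here")
        rules.append(Rule(fields[0] == "+", subjects, origins, lineno))
    return rules


def subject_matches(subject, user, groups):
    if subject == "ALL":
        return True
    if subject.startswith("(") and subject.endswith(")"):
        return subject[1:-1] in groups              # explicit group name
    return subject == user or subject in groups     # bare name: user first, then group


def origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin                    # pam_access: no dot means local tty/host
    return pattern == origin


def evaluate(rules, user, groups, origin):
    """First matching rule wins; pam_access grants access when nothing matches."""
    for rule in rules:
        if (any(subject_matches(s, user, groups) for s in rule.subjects)
                and any(origin_matches(o, origin) for o in rule.origins)):
            return rule.permit
    return True


def unreachable_rules(rules):
    """Line numbers of rules shadowed by an earlier catch-all (ALL : ALL) rule."""
    for i, rule in enumerate(rules):
        if rule.subjects == ["ALL"] and rule.origins == ["ALL"]:
            return [r.lineno for r in rules[i + 1:]]
    return []


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Made-up test subjects: a named user, a wheel member, and an ordinary user.
    for who in (("acmadmin", ["users"], "10.0.0.5"),
                ("alice", ["wheel"], "tty1"),
                ("bob", ["users"], "tty1")):
        print(who, "->", "permit" if evaluate(rules, *who) else "deny")
    print("unreachable:", unreachable_rules(rules))
```

Running it shows acmadmin and the wheel member permitted and bob denied by the final -:ALL:ALL. Swapping that catch-all to the top of the file makes every later directive dead, which unreachable_rules() reports, and dropping it entirely lets an unlisted user through because the default when nothing matches is permit.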