User Tools

Site Tools


linux:group_login_restriction

Group Login Restriction

What is it?

When provisioning a machine (bare-metal or virtual) it may often be useful to only allow a certain group of users to access this machine. Since all our linux systems have a unified userbase via AD, we are able to identify a group of users through regular group management.

There are a few methods that we make use of achieve these restrictions.

access.conf

/etc/security/access.conf

This is the Login access control table. In this file, you can specify users and groups that are allowed access to the machine in question. The following examples assume are all done within access.conf

Keep in mind that this file is parsed from top to bottom, so the ordering of your directives DO MATTER!

Giving access to a user/group

+ : acmadmin : ALL + : (adminGroup) : ALL

In this example, we are giving access (+) to the username acmadmin on ALL access points

Deny access to everyone else

- : ALL : ALL

This will disallow login by all users from all sources. This should generally be done as the very last directive in the file.

In this example, we are giving access (+) to the username acmadmin on ALL access points

/etc/security/access.conf

+:root:ALL
+:acmadmin:ALL
+:(wheel):ALL
+:(AcmLanAdmins):ALL
-:ALL:ALL

pam

auth	   required	pam_access.so

add to /etc/pam.d/system-login

linux/group_login_restriction.txt · Last modified: 2018/10/15 20:18 by bmiddha