This shows you the differences between two versions of the page.
linux:group_login_restriction [2018/05/19 00:42] clee231 created |
linux:group_login_restriction [2021/05/02 21:36] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Group Login Restriction ====== | ||
- | |||
- | ====== What is it? ====== | ||
- | |||
- | When provisioning a machine (bare-metal or virtual) it may often be useful to only allow a certain group of users to access this machine. Since all our linux systems have a unified userbase via AD, we are able to identify a group of users through regular group management. | ||
- | |||
- | There are a few methods that we make use of achieve these restrictions. | ||
- | |||
- | |||
- | ====== access.conf ====== | ||
- | |||
- | /etc/security/access.conf | ||
- | |||
- | This is the Login access control table. In this file, you can specify users and groups that are allowed access to the machine in question. | ||
- | The following examples assume are all done within ''access.conf'' | ||
- | |||
- | Keep in mind that this file is parsed from top to bottom, so the **ordering of your directives DO MATTER**! | ||
- | |||
- | ===== Giving access to a group ===== | ||
- | |||
- | ''+ : acmadmin : ALL'' | ||
- | |||
- | In this example, we are giving access (''+'') to the username ''acmadmin'' on ''ALL'' access points | ||
- | |||
- | ===== Deny access to everyone else ===== | ||
- | |||
- | ''- : ALL : ALL'' | ||
- | |||
- | This will disallow login by all users from all sources. **This should generally be done as the very last directive in the file.** | ||
- | |||
- | In this example, we are giving access (''+'') to the username ''acmadmin'' on ''ALL'' access points | ||
- | |||
- | |||
- | <WRAP center round todo 60%> | ||
- | Finish me! | ||
- | </WRAP> | ||
- | |||
- | |||
- | ====== SSHD ====== | ||
- | |||
- | If your goal is to only restrict access via SSH, you can set the ''AllowGroups'' directive in ''/etc/ssh/sshd_config''. | ||
- | |||
- | <WRAP center round todo 60%> | ||
- | STUB | ||
- | </WRAP> | ||
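Review bot: Under "Deny access to everyone else", the last sentence ("In this example, we are giving access (''+'') to the username ''acmadmin'' on ''ALL'' access points") is a copy of the sentence from the previous section and contradicts the ''- : ALL : ALL'' rule it follows. It should be dropped or replaced with a description of the deny rule. The "Giving access to a group" heading also does not match its text, which calls ''acmadmin'' a username; state which is meant, and if it is a group, consider the parenthesised form ''(acmadmin)'' that pam_access accepts to mark a name as a group. Two wording slips are worth fixing in the same pass: "make use of achieve" and "assume are all done". Every line in this hunk is shown as removed while both todo blocks ("Finish me!" and "STUB") are still open, so the access.conf ordering guidance and the ''AllowGroups'' pointer should be completed or moved to another page rather than lost.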