This shows you the differences between two versions of the page.
linux:group_login_restriction [2018/10/11 16:30] bmiddha
linux:group_login_restriction [2021/05/02 21:36]
Line 1: | Line 1: | ||
- | ====== Group Login Restriction ====== | ||
- | |||
- | ====== What is it? ====== | ||
- | |||
- | When provisioning a machine (bare-metal or virtual) it may often be useful to only allow a certain group of users to access this machine. Since all our linux systems have a unified userbase via AD, we are able to identify a group of users through regular group management. | ||
- | |||
- | There are a few methods that we make use of achieve these restrictions. | ||
- | |||
- | |||
- | ===== access.conf ===== | ||
- | |||
- | /etc/security/access.conf | ||
- | |||
- | This is the Login access control table. In this file, you can specify users and groups that are allowed access to the machine in question. | ||
- | The following examples assume are all done within ''access.conf'' | ||
- | |||
- | Keep in mind that this file is parsed from top to bottom, so the **ordering of your directives DO MATTER**! | ||
- | |||
- | ===== Giving access to a user/group ===== | ||
- | |||
- | ''+ : acmadmin : ALL'' | ||
- | ''+ : (adminGroup) : ALL'' | ||
- | |||
- | In this example, we are giving access (''+'') to the username ''acmadmin'' on ''ALL'' access points | ||
- | |||
- | ===== Deny access to everyone else ===== | ||
- | |||
- | ''- : ALL : ALL'' | ||
- | |||
- | This will disallow login by all users from all sources. **This should generally be done as the very last directive in the file.** | ||
- | |||
- | In this example, we are giving access (''+'') to the username ''acmadmin'' on ''ALL'' access points | ||
- | |||
- | |||
- | <file|/etc/security/access.conf> | ||
- | +:root:ALL | ||
- | +:acmadmin:ALL | ||
- | +:(wheel):ALL | ||
- | +:(AcmLanAdmins):ALL | ||
- | -:ALL:ALL | ||
- | </file> | ||
- | |||
- | ====== pam ====== | ||
- | <code>auth required pam_access.so</code> | ||
- | add to /etc/pam.d/login and /etc/pam.d/sshd | ||