Restrict Access to Specific Hosts
Host-based Access Controls
(Allow login access to specific hosts based on netgroup membership.)
Setup a netgroup in LDAP to hold all users who will have admin status.
Tell the host where to find netgroups in the /etc/ldap.conf file:
nss_base_netgroup ou=netgroup,dc=example,dc=com scope one
Tell the host to refer to LDAP to find netgroups by editing the /etc/nsswitch.conf:
netgroup: files ldap
Configure access in the /etc/security/access.conf. The following lines allow all local accounts, allow users who are in the netgroup admin-users, and deny everything else.
+:ALL:LOCAL +:@admin-users:ALL -:ALL:ALL
Configure SSHD to use PAM by editing the /etc/ssh/sshd_config:
Edit the /etc/pam.d/system-auth to include the pam_access.so module (for account only) -- note that order is critical:
account required /lib/security/pam_access.so account sufficient /lib/security/$ISA/pam_unix.so debug account sufficient /lib/security/$ISA/pam_ldap.so debug
The above setting will allow all local accounts to login and any remote accounts must go through pam_access.so which will verify that the uid is in the proper netgroup. Note that this includes local accounts who are accessing this host via SSH -- they must be in the netgroup or they can't access it.
To allow additional users to access specific hosts, add them to the NIS netgroup admin or other as appropriate. Note that nscd might need to be restarted after LDAP replication completes for this change to take effect.