Restrict Access to Specific Hosts

Host-based Access Controls

(Allow login access to specific hosts based on netgroup membership.)

Set up a netgroup in LDAP to hold all users who will have admin status.

Tell the host where to find netgroups in the /etc/ldap.conf file:

nss_base_netgroup ou=netgroup,dc=example,dc=com
scope one

Tell the host to refer to LDAP to find netgroups by editing the /etc/nsswitch.conf:

netgroup:   files ldap

Configure access in /etc/security/access.conf. The following lines allow any login from a LOCAL origin (console or tty), allow users in the netgroup admin-users from any origin, and deny everything else. Rules are evaluated top to bottom and the first match wins.

+:ALL:LOCAL
+:@admin-users:ALL
-:ALL:ALL

Configure SSHD to use PAM by editing the /etc/ssh/sshd_config:

UsePAM yes

Edit /etc/pam.d/system-auth to include the pam_access.so module (for the account stack only). Note that order is critical: pam_access.so must appear before the sufficient pam_unix.so and pam_ldap.so entries, because a sufficient module that succeeds ends the stack and the access check would never run.

account     required      /lib/security/pam_access.so
account     sufficient    /lib/security/$ISA/pam_unix.so debug
account     sufficient    /lib/security/$ISA/pam_ldap.so debug

With the above settings, logins from local origins are allowed, and every remote login must pass pam_access.so, which verifies that the user is in the proper netgroup. Note that this includes local accounts accessing this host via SSH: they must be in the netgroup or they cannot log in.
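To see how the three access.conf rules above combine (first match wins, LOCAL versus remote origins, and why a local account over SSH is denied unless it is in the netgroup), here is a small evaluator written for this page; it is not part of the original notes or of pam_access itself. The netgroup membership is constructed stand-in data for what NSS would resolve from LDAP, and LOCAL is simplified to "origin contains no dot", i.e. a tty name rather than a host name or address; EXCEPT clauses and address masks are not handled.

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does: first match wins."""

# Constructed stand-in for netgroup data that NSS would fetch from LDAP.
NETGROUPS = {
    "admin-users": {"alice", "bob"},
}

# The three rules from the page, in the order pam_access reads them.
ACCESS_CONF = """\
+:ALL:LOCAL
+:@admin-users:ALL
-:ALL:ALL
"""


def _user_matches(field, user, netgroups):
    """Second field: ALL, @netgroup, or a literal user name."""
    for item in field.split():
        if item == "ALL":
            return True
        if item.startswith("@"):
            if user in netgroups.get(item[1:], set()):
                return True
        elif item == user:
            return True
    return False


def _origin_matches(field, origin):
    """Third field: ALL, LOCAL, or a literal tty/host string."""
    for item in field.split():
        if item == "ALL":
            return True
        if item == "LOCAL":
            # Simplification: a tty name has no dot, a host name or address does.
            if "." not in origin:
                return True
        elif item == origin:
            return True
    return False


def check_access(user, origin, conf=ACCESS_CONF, netgroups=NETGROUPS):
    """Return True if the login is permitted, False if denied."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        if _user_matches(users, user, netgroups) and _origin_matches(origins, origin):
            return perm == "+"
    return True  # pam_access grants access when no rule matches
```

Swapping the deny-all rule to the top shows why ordering matters: it then matches everyone before the netgroup rule is ever reached.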

To allow additional users to access specific hosts, add them to the admin-users netgroup (or another netgroup, as appropriate). Note that nscd might need to be restarted after LDAP replication completes for this change to take effect.


Based on Red Hat Method