
Re: Host-based login-shell



There is a "host" attribute in the cosine.schema included with common rpm installs. You can specify which hosts you want to allow people to login on and just omit specialhost.

Also, it sounds as if you actually want to prevent anyone who doesn't have access to the root password from logging in. That can be done with a PAM module called pam_require. It's hosted at splitbrain.org and featured on freshmeat.net and in a TOOLS section feature on securityfocus.com. pam_require allows you to require either a username or an "@group" membership for a user to access a service. That service can be ftp, sshd, or system-auth, depending on your needs, and the group membership can be maintained in LDAP. It sounds like a more flexible and secure solution than requiring root logins, since it would allow you to use sudo, "host" in LDAP, and groups to assign access and privilege. I've used it in combination with groups and sudo, and we've completely eliminated developers and users elevating to root to get work done on our systems now.

-j


Stephan Berndts wrote:
Hi,

we are using LDAP for user authentication in our network. Works fine for
most hosts. But we want one host (call it "specialhost") to be treated a
special way:

specialhost is our host which hosts all services we provide for the
outside world. Therefore no user should be able to login as her/himself
but should be asked to become root immediately. At the moment this is
done by a shell script, which is made the login shell for all users in
/etc/passwd.
As we do not want to use logins via /etc/passwd any longer we have to
find a way to make LDAP provide a special login shell for all users
logging in to specialhost.

I searched the web and asked some people for solutions but did not find
one. The only thing I found is host-based access control which prevents
users completely from logging in. As we do not want to allow remote root
logins this is no option for us.

Hopefully someone has any idea that directs me to a solution.

Greetings from Berlin, Germany,
Stephan
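As an added illustration of the two mechanisms mentioned in the reply above (constructed here, not configuration from the original post, from pam_require's or pam_ldap's own documentation), this is what a combined setup on specialhost could look like: a user entry carrying the cosine.schema "host" attribute, a posixGroup for the admins, pam_ldap's host check switched on, and a PAM account stack for sshd that additionally requires membership of that group. The base DN, user, group name and module names are assumptions.

```text
# Constructed LDIF. The cosine "account" objectClass is the one that carries
# "host"; it is structural, so it is combined with posixAccount here rather
# than with inetOrgPerson (two structural classes would be rejected).
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
uid: alice
cn: alice
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/alice
loginShell: /bin/bash
host: specialhost

# Group whose members may log in on specialhost and then use sudo.
dn: cn=specialhost-admins,ou=Group,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: specialhost-admins
gidNumber: 20001
memberUid: alice

# /etc/ldap.conf (pam_ldap): refuse users whose entry has no matching
# "host" value for this machine.
pam_check_host_attr yes

# /etc/pam.d/sshd on specialhost, account section (assumed layout):
# pam_require rejects anyone outside the admin group before the LDAP and
# local account checks run, so ordinary users never get a shell here and
# remote root login can stay disabled.
account  required   pam_require.so  @specialhost-admins
account  sufficient pam_ldap.so
account  required   pam_unix.so
```

Membership is resolved through the normal group lookup, so the posixGroup must be visible via nss_ldap for the "@group" form to match.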