Re: Host-based login-shell
There is a "host" attribute in the cosine.schema included with common
rpm installs. You can specify which hosts you want to allow people to
login on and just omit specialhost.
Also, it sounds as if you actually want to prevent anyone who doesn't
have access to the root password from logging in. That can be done with
a PAM module called pam_require. It's hosted at splitbrain.org and
featured on freshmeat.net and in a TOOLS section feature on
securityfocus.com. pam_require allows you to require either a username
or an "@group" membership for a user to access a service. That service
can be ftp, sshd, or system-auth, depending on your needs, and the group
membership can be maintained in LDAP. It sounds like a more flexible
and secure solution than requiring root logins, since it would allow you
to use sudo, "host" in LDAP, and groups to assign access and privilege.
I've used it in combination with groups and sudo, and we've completely
eliminated developers and users elevating to root to get work done on
our systems now.
Stephan Berndts wrote:
we are using LDAP for user authentication in our network. Works fine for
most hosts. But we want one host (call it "specialhost") to be treated a
specialhost is our host which hosts all services we provide for the
outside world. Therefore no user should be able to login as her/himself
but should be asked to become root immediately. At the moment this is
done by a shell script, which is made the login shell for all users in
As we do not want to use logins via /etc/passwd any longer we have to
find a way to make LDAP provide a special login shell for all users
logging in to specialhost.
I searched the web and asked some people for solutions but did not find
one. The only thing I found is host-based access control which prevents
users completely from logging in. As we do not want to allow remote root
logins this is no option for us.
Hopefully someone has any idea that directs me to a solution.
Greetings from Berlin, Germany,
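As an added illustration of the "host" attribute approach mentioned in the reply (this is a constructed example, not an entry from either poster's directory), here is what a user entry restricted to particular hosts looks like in LDIF. The base DN, the user "jdoe" and the host names "devbox" and "buildbox" are placeholders; the "host" attribute itself comes from the cosine.schema "account" objectClass.

```ldif
# Constructed example, not taken from the thread. Base DN, uid and host
# names are placeholders. "account" (cosine.schema) supplies the "host"
# attribute; "posixAccount" (nis.schema) supplies the POSIX fields.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
# One value per host this user may log in on. "specialhost" is
# deliberately absent, so with host checking enabled pam_ldap rejects
# this user's login there while still allowing it on the listed hosts.
host: devbox
host: buildbox
```

For pam_ldap to enforce this, the client's /etc/ldap.conf needs `pam_check_host_attr yes`; the account check then compares the local host name against the entry's host values and denies access when there is no match. The attribute lives with the user, so adding or revoking a host is a single LDAP modification rather than a change on every machine.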