Hi all,
I have the following lines in my file /etc/security/access.conf for the purpose of my testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my login. The error is "pam_access(sshd:account): access denied for user `bryan.harris.adm' from" which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login just fine and access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux Admins" (without quotes) to be able to login. So eventually I want to get a line like - : @Linux Admins : ALL into my /etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can convince the Windows guys to not use spaces in their group names but I could try.
Or is it better for me to just use ldap_access_filter and leave the security up to sssd? The reason I looked into access.conf was to have another security layer "just in case", but if that's redundant and unnecessary than I suppose I don't need any of this anyway.