[389-users] Migrating to LDAP authentication
Morris, Patrick
patrick.morris at hp.com
Tue Feb 2 17:55:59 UTC 2010
Sean Carolan wrote:
>> You can either continue as usual with an authorized_keys file in their
>> home directories, or look at the LPK patch available for OpenSSH that
>> allows storing public keys in LDAP.
>>
>> Having the users in LDAP has absolutely no effect on how key-based
>> logins work with SSH, but it does open up some other options.
>>
>
> So the easiest route to take might be to dis-allow ssh logins for
> everyone except my few authorized users via the /etc/security/access
> file? And then to allow exceptions on a case by case basis using this
> file as well?
>
/etc/security/access is definitely an option, as would be putting them
all in a group and using "AllowGroups [your group]" in the sshd_config,
among other possibilities.
Doing something group-based is typically pretty easy to manage.
More information about the 389-users
mailing list