[389-users] Per host access

Ali Jawad ali.jawad at splendor.net
Tue Mar 6 07:50:53 UTC 2012 

Hi
The users are authenticating using their passwords, pam_ldap is being
called in /etc/pam.d/system-auth. Please see

cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

Openssh version is latest stable for CentOS 5.x which
is openssh-4.3p2-72.el5_7.5

As said ldap authentication using 389 dir server works fine, I just want to
limit access to certain hosts per user.

Thanks

On Mon, Mar 5, 2012 at 8:03 PM, Iain Morgan <Iain.Morgan at nasa.gov> wrote:

> On Mon, Mar 05, 2012 at 08:09:04 -0600, Ali Jawad wrote:
> >    Hi
> >    I did install 389 and LDAP authentication, what i need to do now is
> allow
> >    access to users only to certain systems, I did checkout :
> >
> http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control
> >    I tried the old method because I could not figure out the new method,
> I
> >    did enable pam_check_host_attr "did not change any pam settings
> though"
> >    and I have use_pam enabled in sshd_config, but the user was still
> able to
> >    logon through SSH even though no hosts were listed in his attributes.
> >    Please advice.
> >    Regards
>
> Hello,
>
> What version of OpenSSH are you using and how did the user authenticate?
> For example, did the user use publickey authentication instead of
> password or challenge-response? Are you calling pam_ldap in the account
> portion of your PAM stack? What do you see in the LDAP server's access
> log when the user authenticates?
>
>
> --
> Iain Morgan
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users




-- 
*Ali Jawad
*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120306/e7e531a0/attachment.html>

More information about the 389-users mailing list