Re: [389-users] Per host access

2012-03-05 Thread Ali Jawad
Hi
The users authenticate with their passwords; pam_ldap is being
called in /etc/pam.d/system-auth. Please see:

cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid = 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

The OpenSSH version is the latest stable for CentOS 5.x, which
is openssh-4.3p2-72.el5_7.5.

As I said, LDAP authentication using 389 dir server works fine; I just want to
limit access to certain hosts per user.

Thanks

On Mon, Mar 5, 2012 at 8:03 PM, Iain Morgan iain.mor...@nasa.gov wrote:

 On Mon, Mar 05, 2012 at 08:09:04 -0600, Ali Jawad wrote:
 Hi
 I did install 389 and LDAP authentication; what I need to do now is allow
 access to users only to certain systems. I did check out:
 
 http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control
 I tried the old method because I could not figure out the new method. I
 did enable pam_check_host_attr (did not change any PAM settings though)
 and I have use_pam enabled in sshd_config, but the user was still able to
 log on through SSH even though no hosts were listed in his attributes.
 Please advise.
 Regards

 Hello,

 What version of OpenSSH are you using and how did the user authenticate?
 For example, did the user use publickey authentication instead of
 password or challenge-response? Are you calling pam_ldap in the account
 portion of your PAM stack? What do you see in the LDAP server's access
 log when the user authenticates?


 --
 Iain Morgan
 --
 389 users mailing list
 389-users@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
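The system-auth pasted above lists pam_ldap.so only in its auth phase, and Iain's question about the account portion of the stack is the crux: pam_ldap enforces pam_check_host_attr from its account-management hook, so a stack that never calls pam_ldap.so under account will authenticate the password and then skip the host check entirely. The following shell script is an added example, not part of the thread or of 389/pam_ldap, that parses a PAM service file and reports whether pam_ldap.so is present in a given phase. The two configurations it inspects are constructed samples (the second one's account line is an illustrative form, not a recommendation for any particular distribution); the function and its name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PAM service file
# invokes pam_ldap.so in a given phase. pam_ldap's pam_check_host_attr
# restriction is enforced in the account phase, so an auth-only reference
# (as in the system-auth shown in the thread) never evaluates the host
# attribute even though password authentication succeeds.

# Constructed sample resembling the thread's system-auth: auth lines only.
SAMPLE_AUTH_ONLY='#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# Constructed sample that also consults pam_ldap.so during account
# management (illustrative control syntax, not a distribution default).
SAMPLE_WITH_ACCOUNT="$SAMPLE_AUTH_ONLY
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so"

# pam_ldap_in_phase PHASE  < pam-config-text
# Prints each line of PHASE (auth, account, password, session) that loads
# pam_ldap.so and exits 0 if any was found, 1 otherwise. Comment lines are
# ignored and an optional-module prefix ("-account") counts as that phase.
pam_ldap_in_phase() {
    phase="$1"
    awk -v phase="$phase" '
        /^[[:space:]]*#/ { next }          # skip comments
        {
            p = $1
            sub(/^-/, "", p)               # "-account" is still the account phase
            if (p == phase) {
                # The module path may come after a bracketed control field,
                # so scan every remaining field for pam_ldap.so.
                for (i = 2; i <= NF; i++)
                    if ($i ~ /(^|\/)pam_ldap\.so$/) { found = 1; print }
            }
        }
        END { exit found ? 0 : 1 }'
}

# report LABEL CONFIG-TEXT: one-line verdict for the account phase.
report() {
    printf '%s: ' "$1"
    if printf '%s\n' "$2" | pam_ldap_in_phase account >/dev/null; then
        echo "pam_ldap.so in account phase -> host attribute is checked"
    else
        echo "pam_ldap.so missing from account phase -> pam_check_host_attr is never evaluated"
    fi
}

report "auth-only stack (as pasted in the thread)" "$SAMPLE_AUTH_ONLY"
report "stack with account-phase pam_ldap"          "$SAMPLE_WITH_ACCOUNT"
```

To run the check against a real host, feed the service file on stdin, e.g. `pam_ldap_in_phase account < /etc/pam.d/system-auth`; a non-zero exit status means password logins reach the shell without the LDAP host attribute ever being consulted. Publickey logins are a separate matter: they bypass the auth phase altogether, so only an account-phase check can restrict them.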

[389-users] Per host access

2012-03-05 Thread Ali Jawad
Hi
I did install 389 and LDAP authentication; what I need to do now is allow
access to users only to certain systems. I did check out:

http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control

I tried the old method because I could not figure out the new method. I did
enable pam_check_host_attr (did not change any PAM settings though) and I
have use_pam enabled in sshd_config, but the user was still able to log on
through SSH even though no hosts were listed in his attributes.

Please advise.

Regards
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Per host access

2012-03-05 Thread Iain Morgan
On Mon, Mar 05, 2012 at 08:09:04 -0600, Ali Jawad wrote:
Hi
I did install 389 and LDAP authentication; what I need to do now is allow
access to users only to certain systems. I did check out:

 http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control
I tried the old method because I could not figure out the new method. I
did enable pam_check_host_attr (did not change any PAM settings though)
and I have use_pam enabled in sshd_config, but the user was still able to
log on through SSH even though no hosts were listed in his attributes.
Please advise.
Regards

Hello,

What version of OpenSSH are you using and how did the user authenticate?
For example, did the user use publickey authentication instead of
password or challenge-response? Are you calling pam_ldap in the account
portion of your PAM stack? What do you see in the LDAP server's access
log when the user authenticates?


-- 
Iain Morgan
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users