We used PAM (compiled into the RedHat RPMs) to do this. Adding pam_access.so to /etc/pam.d/ssh, and editing /etc/access.conf to contain the group of users that's allowed to log in. Works pretty well, though I did have to fix up the PAM patch a bit.

Vince

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Original Article: http://www.egroups.com/group/ssh/?start=9082

> Ernest Cespedes writes:
>
> > I tried to configure tcp_wrappers/ssh2 to authenticate user logins based
> > on usernames. In the TCP wrappers hosts_access man pages, it states that
> > you should be able to use
> >
> > ssh2 : username@host in the /etc/allow.hosts file
> >
> > to restrict users from logging in. For example, if I only want selected
> > authorized users to log in to my server, use the above format to allow
> > access. This method makes it even more difficult if remote users are using
> > their ISP via dial-in to login remotely to the server. Their hostnames and
> > IP addresses are dynamic. The log file shows that the user is always "UNKNOWN"
> > and tcp_wrappers rejects the user from logging in.
>
> All the username@host does in the above case is send an IDENT query to the
> incoming host to get the username of the person on *that* machine trying to
> log into *your* machine. However, the majority of machines out there are
> not running an IDENT server, mainly because they are probably a PC or MAC
> oriented type machine. Consequently, the username will be filled in with
> "UNKNOWN".
>
> A couple other things need to be considered. First, I don't recall if you
> have to compile in the IDENT lookup code or not when you first configure the
> tcp wrapper before compiling. It has been a long time for me, so I don't
> remember. Secondly, the above does limit access even more, but IDENT stuff
> can be spoofed as well. Who says that the IDENT server on the other side
> has to tell the truth when asked who the user of a particular connection is?
> Thirdly, the above is most useful when you specify a host that you *know*
> is running an IDENT server and *does* have a specific user logged on. This
> probably would be the case for only the hosts in your organization.
>
> Anyways, I don't know what your "host" is. You may very well be running
> IDENT servers on your machines and the "host" was one of your organization's
> machines... *shrugs* If that is the case, then some other problem exists.
>
> Hope that helps!
> Scott
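A worked illustration of the access.conf rule matching that Vince's approach relies on, added here and not taken from the thread or from pam_access itself: it parses a constructed access.conf fragment, applies first-match semantics, and shows why the deny-all line has to come last. It assumes the file lives at /etc/security/access.conf on current systems, uses a constructed group map in place of /etc/group, and does not handle EXCEPT clauses or network masks.

```python
"""Minimal evaluator for pam_access-style access.conf rules (added example,
not code from the thread or from pam_access). Models the subset the thread
relies on: "permission : users : origins" per line, first matching rule wins,
'+' permits, '-' denies, ALL matches anything. EXCEPT clauses, netmasks and
other origin forms are not handled."""

# Constructed group database standing in for /etc/group lookups.
GROUPS = {"sshusers": {"alice", "bob"}, "wheel": {"alice"}}

# Constructed rules in the shape Vince describes: permit one group, deny the rest.
ACCESS_CONF = """
# permission : users : origins
+ : sshusers : ALL
- : ALL : ALL
"""

# Same rules with the deny-all line first: first match wins, so nobody gets in.
MISORDERED_CONF = """
- : ALL : ALL
+ : sshusers : ALL
"""


def parse_rules(text):
    """Return (permission, [users], [origins]) triples, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _user_matches(token, user):
    if token == "ALL":
        return True
    name = token.strip("()")  # newer pam_access spells groups as (name)
    return name == user or user in GROUPS.get(name, set())


def _origin_matches(token, origin):
    return token == "ALL" or token == origin


def check_access(user, origin, conf=ACCESS_CONF):
    """Decide like pam_access: first matching rule wins; if no rule matches,
    access is granted, which is why a final '- : ALL : ALL' line matters."""
    for perm, users, origins in parse_rules(conf):
        if any(_user_matches(u, user) for u in users) and \
                any(_origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True
```

The PAM side is a single line such as `account required pam_access.so` in the sshd service file; without the trailing deny-all rule, a user outside the permitted group is still let through because nothing matched.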
