Re: PAM and SSH
- From: Darren Tucker <dtucker@xxxxxxxxxx>
- Date: Sun, 19 Mar 2006 11:15:25 +1100
On Sat, Mar 18, 2006 at 01:17:19PM -0500, Ron Wheeler wrote:
It does not seem to work.
It appears that for sshd, sshusers would have to be their primary group
and it is not.
sshd checks the supplemental group ids by using getgrouplist. Is it
possible that your system doesn't return those (eg if the data source
isn't listed in nsswitch.conf?)
It also appears that the Allow* directives act like seives. You have to
pass all of the specified criteria to get in.
This means they would have be in the right group AND local rather than
OR which is what I need.
Not exactly. Once you have either of AllowUsers or AllowGroups then
the entire list of that type of directive will be checked before any
login not matching at least one rule of that type is denied.
So it's a logical OR within types and a logical AND across types. That's
why I suggested using two AllowGroups directives in my follow-up post.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- References:
- RE: PAM and SSH
- From: Ron Wheeler
- RE: PAM and SSH
- Prev by Date: Re: updating expired passwords following ssh login, user advisory
- Next by Date: RE: PAM and SSH
- Previous by thread: RE: PAM and SSH
- Next by thread: RE: PAM and SSH
- Index(es):
Relevant Pages
|
