Hi,

I've been trying to implement netgroup-based centralized authentication control with PAM. The downside of using pam_access with the @users@@hosts syntax is that when you have a group of users and a group of hosts, it seems all the users are allowed to log in to those hosts in the defined group. Therefore that requires configuration on every host - a host has to know which group to honor. pam_access doesn't seem to check the host entry in the triple either.

A little exploration showed pam_succeed_if seems to have an "innetgr" option, so I thought it would be the solution, which it wasn't, as PAM_RHOST is given as an argument to innetgr() instead of the local host name, so it would have been possible to limit the hosts users can log in from but not where users can log in to.

So my question is, is there any standard PAM module with netgroup checking capabilities except pam_access? One that would allow using the machine's own hostname in the innetgr call instead of PAM_RHOST? With one, one could pretty easily centralize login access control - in this case to LDAP, as the machines are already authenticating from there - without the need to have different configurations on different machines. Instead you would be able to write user and host pairs to LDAP without touching the servers.
-lassi
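The difference the post describes, as an added example that is not part of the original message and is not code from pam_succeed_if or pam_access: the same (host,user,domain) triples give a per-destination access list only when the host argument is the machine's own name rather than PAM_RHOST. It uses a small stand-in matcher (`netgroup_match`, a hypothetical helper) instead of glibc's innetgr() so it runs without a netgroup map; the netgroup contents, host names and user names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* One triple field: empty matches anything, "-" matches nothing. */
static int field_ok(const char *f, size_t len, const char *want)
{
    if (len == 0) return 1;
    if (len == 1 && f[0] == '-') return 0;
    return strlen(want) == len && memcmp(f, want, len) == 0;
}

/* Stand-in for innetgr(group, host, user, NULL): returns 1 if any
 * "(host,user,domain)" triple in members matches both host and user.
 * Assumes no whitespace inside a triple; malformed triples never match. */
int netgroup_match(const char *members, const char *host, const char *user)
{
    const char *p = members;
    while ((p = strchr(p, '(')) != NULL) {
        const char *h = p + 1;
        const char *end = strchr(h, ')');
        if (end == NULL) break;          /* unterminated triple: fail closed */
        const char *c1 = memchr(h, ',', (size_t)(end - h));
        const char *c2 = c1 ? memchr(c1 + 1, ',', (size_t)(end - c1 - 1)) : NULL;
        if (c2 && field_ok(h, (size_t)(c1 - h), host)
               && field_ok(c1 + 1, (size_t)(c2 - c1 - 1), user))
            return 1;
        p = end + 1;
    }
    return 0;
}

/* Constructed netgroup contents, as they might be stored centrally. */
static const char LOGIN_ACL[] =
    "(web01,alice,) (web02,alice,) (web02,bob,) (-,carol,)";

int main(void)
{
    const char *rhost = "laptop7";               /* constructed PAM_RHOST value */
    const char *hosts[] = { "web01", "web02" };  /* each machine's own name */
    for (int i = 0; i < 2; i++) {
        /* Own-hostname check differs per server; the PAM_RHOST check does not. */
        printf("bob -> %s  own-hostname check: %d  PAM_RHOST check: %d\n", hosts[i],
               netgroup_match(LOGIN_ACL, hosts[i], "bob"),
               netgroup_match(LOGIN_ACL, rhost, "bob"));
    }
    return 0;
}
```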