Sedrik (l33t)
Joined: 08 Apr 2005 Posts: 655 Location: Uppsala, Sweden
Posted: Fri Jul 21, 2006 5:43 am Post subject: Deny certain users access to a host [Solved]
Hi all,
I'm playing around with OpenLDAP and it is working quite nicely =) Now I have a request that I have not been able to find a good answer to yet. I want to be able to deny certain users access to certain hosts (or allow access to certain users). How can I do this?
I was looking at different ACL rules inside of the LDAP directory but no luck there so far. Now I was thinking that I could use the host.deny/allow files to do this. I was thinking of something like: if user_is_member_of_certain_group then allow access, else deny.
Could someone assist me in setting this up? Other suggestions are welcome too. =)
Last edited by Sedrik on Sun Jul 23, 2006 8:40 am; edited 1 time in total
firesox (Tux's lil' helper)
Joined: 24 Nov 2005 Posts: 132
Posted: Fri Jul 21, 2006 10:41 am
Try the file /etc/security/access.conf.
dontremember (Apprentice)
Joined: 21 Sep 2002 Posts: 151 Location: Oklahoma
Posted: Fri Jul 21, 2006 11:18 am
Don't do what this joker in Data Security did where I work. He wanted to stop certain userids from logging in on a system and got as far as reading about /etc/nologin: "If this file exists, people can't login". So he loaded up /etc/nologin with the list of names, then logged out to test it...
I got this panicked phone call from his boss: "Um, we've screwed up this production system and now nobody can login. Can you fix it??"
The box was headless, which made it tricky to login on the console. Luckily this was before they shut down the rexec port, and I was able to remove the offending file. The manager said, "I don't even want to know how you did that..."
Sedrik (l33t)
Joined: 08 Apr 2005 Posts: 655 Location: Uppsala, Sweden
Posted: Fri Jul 21, 2006 11:57 am
firesox wrote:
    Try the file /etc/security/access.conf.

Ok, will have a look at it, thanks.

dontremember wrote:
    Don't do what this joker in Data Security did where I work. He wanted to stop certain userids from logging in on a system and got as far as reading about /etc/nologin: "If this file exists, people can't login". So he loaded up /etc/nologin with the list of names, then logged out to test it...
    I got this panicked phone call from his boss: "Um, we've screwed up this production system and now nobody can login. Can you fix it??"
    The box was headless, which made it tricky to login on the console. Luckily this was before they shut down the rexec port, and I was able to remove the offending file. The manager said, "I don't even want to know how you did that..."

Haha, smart guy ^^ Wouldn't a live CD have helped too? Or did they not want to turn it off?
dontremember (Apprentice)
Joined: 21 Sep 2002 Posts: 151 Location: Oklahoma
Posted: Fri Jul 21, 2006 12:11 pm
Sedrik wrote:
    Haha, smart guy ^^ Wouldn't a live CD have helped too? Or did they not want to turn it off?

Well, on most Unix systems part of the boot sequence removes the /etc/nologin file, if it exists. In Gentoo, that's handled by /etc/init.d/rmnologin.
The system in question was a production financial system, middle of the week, during month-end closing, if I recall correctly. All kinds of people would have been seriously irritated if it had to be booted the hard way, by cycling the power.
Sedrik (l33t)
Joined: 08 Apr 2005 Posts: 655 Location: Uppsala, Sweden
Posted: Sun Jul 23, 2006 8:40 am
dontremember wrote:
    Sedrik wrote:
        Haha, smart guy ^^ Wouldn't a live CD have helped too? Or did they not want to turn it off?

    Well, on most Unix systems part of the boot sequence removes the /etc/nologin file, if it exists. In Gentoo, that's handled by /etc/init.d/rmnologin.
    The system in question was a production financial system, middle of the week, during month-end closing, if I recall correctly. All kinds of people would have been seriously irritated if it had to be booted the hard way, by cycling the power.

Ok, good that you were able to log on then =)
Btw, access.conf works great. Users can now be denied access depending on which group I place them in in my LDAP directory. Lovely.
</grReplace_placeholder>
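How the /etc/security/access.conf approach from the thread actually decides a login, as an added Python model (this is not pam_access's own code and was not posted in the thread). Rules are "permission : users : origins", the first line whose users and origins fields both match wins, and when no line matches pam_access grants access, which is why a trailing "- : ALL : ALL" is needed to deny everyone not explicitly allowed. The GROUPS table is a constructed stand-in for the group lookup that would otherwise go to OpenLDAP through nsswitch, GOOD_CONF and BAD_CONF are constructed configurations, and LOCAL is interpreted with the classic semantics of "any origin without a dot" (an assumption; newer pam_access versions interpret it differently). BAD_CONF reproduces the lockout from dontremember's /etc/nologin story in access.conf form: the catch-all deny comes first, so even the admin is refused, and admin_keeps_console() is the pre-deployment check that catches it before you log out to test.

```python
"""Added illustration of how pam_access evaluates /etc/security/access.conf:
rules are 'permission : users : origins', the first matching line wins, and
if no line matches access is granted. Not pam_access's own code."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for the group lookup (getgrnam()/nss_ldap) that
# pam_access performs; in the thread these groups live in OpenLDAP.
GROUPS: Dict[str, Set[str]] = {
    "wheel": {"alice"},
    "webadmins": {"alice", "bob"},
    "contractors": {"carol"},
}

Rule = Tuple[str, str, str]  # (permission, users field, origins field)

# Constructed configs. GOOD_CONF ends with a catch-all deny, so anyone not
# explicitly allowed is refused; BAD_CONF puts that deny first, which (like
# the /etc/nologin story) locks out everyone, admins included.
GOOD_CONF = """
+ : root : LOCAL
- : contractors : ALL EXCEPT .corp.example.com
+ : wheel webadmins contractors : ALL
- : ALL : ALL
"""
BAD_CONF = """
- : ALL : ALL
+ : wheel : ALL
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse access.conf text, ignoring blank lines and '#' comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((parts[0], parts[1], parts[2]))
    return rules


def _split_items(field: str) -> Tuple[List[str], bool]:
    """Return (items, negated); 'ALL EXCEPT a b' means 'anything but a or b'."""
    if field.upper().startswith("ALL EXCEPT"):
        return field[len("ALL EXCEPT"):].split(), True
    return field.split(), False


def _user_item_matches(item: str, user: str) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):  # '(name)' forces a group lookup
        return user in GROUPS.get(item[1:-1], set())
    # pam_access tries the item as a login name first, then as a group name.
    return item == user or user in GROUPS.get(item, set())


def _origin_item_matches(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "LOCAL":  # assumption: classic semantics, any origin without a '.'
        return "." not in origin
    if item.startswith("."):  # domain suffix such as .corp.example.com
        return origin.endswith(item)
    return item == origin  # exact tty name, hostname or address


def _field_matches(field: str, value: str,
                   item_matches: Callable[[str, str], bool]) -> bool:
    items, negated = _split_items(field)
    hit = any(item_matches(item, value) for item in items)
    return not hit if negated else hit


def access_allowed(rules: List[Rule], user: str, origin: str) -> bool:
    """The first rule whose users AND origins fields both match decides."""
    for permission, users, origins in rules:
        if (_field_matches(users, user, _user_item_matches)
                and _field_matches(origins, origin, _origin_item_matches)):
            return permission == "+"
    return True  # no rule matched: pam_access grants access


def admin_keeps_console(rules: List[Rule], admin: str = "root",
                        console: str = "tty1") -> bool:
    """Pre-deployment check: does this rule set still let the admin in on the console?"""
    return access_allowed(rules, admin, console)


if __name__ == "__main__":
    good, bad = parse_rules(GOOD_CONF), parse_rules(BAD_CONF)
    for user, origin in [("alice", "ssh.example.com"), ("carol", "vpn.corp.example.com"),
                         ("carol", "cafe.isp.net"), ("root", "tty1"), ("dave", "tty1")]:
        verdict = "allow" if access_allowed(good, user, origin) else "deny"
        print(f"{user:6} from {origin:22} -> {verdict}")
    print("GOOD_CONF keeps root on the console:", admin_keeps_console(good))
    print("BAD_CONF keeps root on the console: ", admin_keeps_console(bad))
```

On a real host the rules go in /etc/security/access.conf and only take effect when pam_access.so is in the account stack of the PAM service concerned (for example an "account required pam_access.so" line in /etc/pam.d/system-auth or the sshd service file); keep a root session open while testing, as the nologin story illustrates.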
dontremember (Apprentice)
Joined: 21 Sep 2002 Posts: 151 Location: Oklahoma
Posted: Sun Jul 23, 2006 3:01 pm
Sedrik wrote:
    Ok, good that you were able to log on then =)

You can send commands through the rexec port. It requires a userid and password, but doesn't check the /etc/nologin file... It allows root access too, at least Solaris 5.6 did back then.