[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration" by WolfgangSchweer

Mon Nov 24 14:03:51 UTC 2014

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.

The "DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration?action=diff&rev1=2&rev2=3

Comment:
add howto 'restrict ssh login'.

  Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP client or LTSP server.

+ 
+ == Restrict ssh login access ==
+ 
+ There are several ways to restrict ssh login, some are listed here.
+ 
+ === Setup without LTSP clients ===
+ 
+ If no LTSP clients are used a simple solution is to create a new group (say {{{sshusers}}})
+ and to add a line to the machine's /etc/ssh/sshd_config file.
+ Only members of the {{{sshusers}}} group will then be allowed to ssh into
+ the machine from everywhere.
+ 
+ Managing this case with GOsa is quite simple: 
+  * Create a group {{{sshusers}}} on the root level (where already other system management related groups like
+     'gosa-admins' show up).
+  * Add users to the new group {{{sshusers}}}.
+  * Add  {{{AllowGroups sshusers}}} to /etc/ssh/sshd_config.
+  * Execute {{{service ssh restart}}}.
+ 
+ === Setup with LTSP clients ===
+ 
+ The default LTSP client setup uses ssh connections to the LTSP server.
+ So a different approach using PAM is needed.
+  * Enable pam_access.so in the LTSP server's /etc/pam.d/sshd file. 
+  * Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere and for all other users only from the internal networks by adding these lines:
+ {{{
+ + : alice jane bob john : ALL
+ + : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
+ - : ALL : ALL
+ #}}}
+ 
+ If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note: someone pluging in his box into the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well.
+ 
+ === A note for more complex setups ===
+ 
+ If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi 
+ server or LTSP cluster setup) things would be even more complicated and 
+ maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with apropriate PAM configuration would allow to disable internal ssh login.
+ 