[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration" by WolfgangSchweer
Debian Wiki
debian-www at lists.debian.org
Mon Nov 24 14:03:51 UTC 2014
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.
The "DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Jessie/HowTo/AdvancedAdministration?action=diff&rev1=2&rev2=3
Comment:
add howto 'restrict ssh login'.
Now users should be able to access the files on 'nas-server.intern' directly by just visiting the '/tjener/nas-server/storage/' directory using any application on any workstation, LTSP client or LTSP server.
+
+ == Restrict ssh login access ==
+
+ There are several ways to restrict ssh login, some are listed here.
+
+ === Setup without LTSP clients ===
+
+ If no LTSP clients are used a simple solution is to create a new group (say {{{sshusers}}})
+ and to add a line to the machine's /etc/ssh/sshd_config file.
+ Only members of the {{{sshusers}}} group will then be allowed to ssh into
+ the machine from everywhere.
+
+ Managing this case with GOsa is quite simple:
+ * Create a group {{{sshusers}}} on the root level (where already other system management related groups like
+ 'gosa-admins' show up).
+ * Add users to the new group {{{sshusers}}}.
+ * Add {{{AllowGroups sshusers}}} to /etc/ssh/sshd_config.
+ * Execute {{{service ssh restart}}}.
+
+ === Setup with LTSP clients ===
+
+ The default LTSP client setup uses ssh connections to the LTSP server.
+ So a different approach using PAM is needed.
+ * Enable pam_access.so in the LTSP server's /etc/pam.d/sshd file.
+ * Configure /etc/security/access.conf to allow connections for (sample) users alice, jane, bob and john from everywhere and for all other users only from the internal networks by adding these lines:
+ {{{
+ + : alice jane bob john : ALL
+ + : ALL : 10.0.0.0/8 192.168.0.0/24 192.168.1.0/24
+ - : ALL : ALL
+ #}}}
+
+ If only dedicated LTSP servers are used, the 10.0.0.0/8 network could be dropped to disable internal ssh login access. Note: someone pluging in his box into the dedicated LTSP client network(s) will gain ssh access to the LTSP server(s) as well.
+
+ === A note for more complex setups ===
+
+ If LTSP clients were attached to the backbone network 10.0.0.0/8 (combi
+ server or LTSP cluster setup) things would be even more complicated and
+ maybe only a sophisticated DHCP setup (in LDAP) checking the vendor-class-identifier together with apropriate PAM configuration would allow to disable internal ssh login.
+
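Review bot: The `AllowGroups sshusers` step in the 'Setup without LTSP clients' list should warn that sshd then refuses every account not in that group, root and the administrator included, so the admin must be a member of sshusers (and the group resolvable on the machine, since GOsa keeps it in LDAP) before `service ssh restart`, or the restart locks remote access out; running `sshd -t` first catches a malformed sshd_config. In the access.conf sample the rule order is significant because pam_access applies the first matching line, so `- : ALL : ALL` has to stay last, and the closing marker `#}}}` looks like it carries a stray `#` that would leave the preformatted block open. 'Enable pam_access.so' would be clearer with the actual line, `account required pam_access.so`, which Debian ships commented out in /etc/pam.d/sshd. Typos in the last paragraphs: 'pluging' should be 'plugging' and 'apropriate' should be 'appropriate'.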