--
Fabio Venturi
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_group.html
It does not come by default with RH, but it compiles fine. You don't set it
up for global access, but only for telnet and ssh and only allow a small
number of users (say users members of the group cvsadmin) to login to the box.
--
Yves.
http://www.SollerS.ca
Yves,
would you mind explaining how that can be used to prevent the user from
executing programs other than cvs through the ssh connection?
I ask because I am interested in the capability too, but did not see (while
reading that page) how sag-pam_group accomplished the above.
Fabio,
From the googles I have done, I am seeing the following as options:
Authprogs:
http://www.hackinglinuxexposed.com/articles/20030115.html
authorized_keys tweaking:
http://www.hackinglinuxexposed.com/articles/20030109.html
ForceCommand & Match:
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
I have not used any of them yet.
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
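
Added example, not part of any message in this thread: a forced-command wrapper for the authorized_keys `command=` and sshd_config ForceCommand/Match options listed above, which lets an ssh account run `cvs server` (what a CVS client using :ext: over ssh requests) and nothing else. The install path /usr/local/bin/cvs-only, the group name cvsusers, the cvs location /usr/bin/cvs and the function names are assumptions.

```shell
#!/bin/sh
# cvs-only: forced-command wrapper (added example; paths and names are assumed).
#
# sshd_config, on OpenSSH versions that support Match:
#   Match Group cvsusers
#       ForceCommand /usr/local/bin/cvs-only
# or per key in ~/.ssh/authorized_keys (<public key> is a placeholder):
#   command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding <public key>

CVS_BIN=/usr/bin/cvs   # assumed location of the cvs binary

# Print "allow" only for the exact string "cvs server"; anything else,
# including an empty request (interactive login) or extra arguments, is denied.
cvs_only_decide() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND and
# runs this wrapper in its place.
cvs_only_main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if [ "$(cvs_only_decide "$requested")" = allow ]; then
        # Fixed argv: nothing from the client's request is passed to a shell.
        exec "$CVS_BIN" server
    fi
    # Leave a trace for whoever watches the auth log.
    logger -t cvs-only -p auth.warning "rejected for $(id -un): $requested"
    echo "cvs-only: only 'cvs server' is permitted on this account" >&2
    return 1
}

# Act only when invoked under the installed name, so the file can be sourced.
case "$0" in
    *cvs-only) cvs_only_main; exit $? ;;
esac
```

Because sshd applies the forced command to every session on the account, scp and plain command requests arrive at the same wrapper and are denied like a login.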
> would you mind explaining how that can be used to
> prevent the user from executing programs other than
> cvs through the ssh connection?
I think the solution was to use pserver for everyone except cvsadmin who
would have access via ssh.
What you are asking is an ssh configuration question - and the answer
will vary a little from ssh version to version (even across different
versions of openssh I believe). A quick post on the correct forum
should do the trick ;)
On HPUX putting 'exit' in each person's .profile (or presumably a test
then exit in /etc/profile) does the trick, however this may still allow
scp (can't remember). The same would presumably work on Linux but you'd
need to use the .bash_profile or something...
Regards,
Arthur
Fabio says his users authenticate through kerberos, so I assumed gssapi,
maybe I got that wrong.... If you do use gssapi, then you do not use ssh for
the cvs connection at all, then it is not an issue to disable ssh connection
for users that only need to use the box via cvs, rather than log in.
--
Yves.
http://www.SollerS.ca