Commit 1be510f9529cb082f802408b472a77d074b394c0 by Nicolas Vigier, Sun, 14 Apr 2013 13:46:12 +0000: Add zarb MLs html archives (creates zarb-ml/mageia-sysadm/2011-June/003648.html)

[Mageia-sysadm] Switching to openssh match instead of using nss ldap

Maât maat-ml at vilarem.net
Sat Jun 18 07:43:03 CEST 2011

On 15/06/2011 23:37, Michael Scherer wrote:
> Hi,
>
> Some months ago, Buchan proposed that we use the openssh Match feature to
> force the command when connecting to ssh, instead of replacing the shell
> with nss ldap. The benefit being that we could then start to log in using
> our own accounts instead of root, and use sudo, for auditing purposes.
>
> While working on setting up a secure sftp server for the artwork team, I
> looked at how we could make sure that accounts are chrooted in the web
> root. It seems that, unlike svn or git, you cannot force the path except
> if you use ChrootDirectory.
>
> So this seemed the right moment to do the switch.
>
> I just did a test on a vm, and it still works fine (at least on my
> account). However, we have to do both at the same time, as forcing the
> command in both ssh and ldap results in blocking everything.
>
> So the idea is:
> - disable the nss ldap forcing
> - add the various openssh configs for the various types of setup we can
>   have:
>
>   - regular ssh, only for admins (jonund, ecosse, alamut, friteuse)
>   - ssh access to svn, git (valstar)
>   - sftp chrooted for the artwork team AND ssh access for the web team
>     (champagne)
>
> But this would require some lifting in the ssh module first.
>
> Any comments?
Just one comment: \o/