<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] Switching to openssh match instead of using nss ldap
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Switching%20to%20openssh%20match%20instead%20of%20using%20nss%20ldap&In-Reply-To=%3C1308173830.21953.24.camel%40akroma.ephaone.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="003612.html">
   <LINK REL="Next"  HREF="003648.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] Switching to openssh match instead of using nss ldap</H1>
    <B>Michael Scherer</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Switching%20to%20openssh%20match%20instead%20of%20using%20nss%20ldap&In-Reply-To=%3C1308173830.21953.24.camel%40akroma.ephaone.org%3E"
       TITLE="[Mageia-sysadm] Switching to openssh match instead of using nss ldap">misc at zarb.org
       </A><BR>
    <I>Wed Jun 15 23:37:10 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="003612.html">[Mageia-sysadm] Fwd: Undelivered Mail Returned to Sender (apache)
</A></li>
        <LI>Next message: <A HREF="003648.html">[Mageia-sysadm] Switching to openssh match instead of using nss ldap
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#3644">[ date ]</a>
              <a href="thread.html#3644">[ thread ]</a>
              <a href="subject.html#3644">[ subject ]</a>
              <a href="author.html#3644">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Hi,

some months ago, Buchan proposed that we use openssh Match feature to
force the command when connecting to ssh, instead of replacing the shell
with nss ldap. The benefit being that we could then start to log using
our account instead of using root, and use sudo, for auditing purposes.

While working on setting up a secure sftp server for the artwork team, I
looked at how we could make sure that accounts are chrooted in the web
root. It seems that unlike svn or git, you cannot force the path except
if you use ChrootDirectory.

So this seemed the right moment to do the switch.

I just did a test on a vm, and it still works fine ( at least on my
account ). However, we have to do both at the same time, as forcing the
command in ssh and ldap results in blocking everything.

So the idea is :
- disable the nss ldap forcing
- add various openssh config for the various types of config we can
have :

 - regular ssh, only for admin ( jonund, ecosse, alamut, friteuse ) 
 - ssh access to svn, git ( valstar ) 
 - sftp chrooted for artwork team AND ssh access for web team
( champagne )

But this would require some lifting in the ssh module before. 

Any comment ? 
-- 
Michael Scherer

</PRE>
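The sshd_config layout the mail proposes, written out below as an added illustration; it is not taken from the Mageia puppet ssh module or from the author. The group names (mga-sysadm, mga-scm, mga-artwork, mga-web), the chroot path and the scm wrapper path are assumptions.

```text
# One sshd_config sketch covering the three host types named in the mail.
# Group names, paths and the wrapper command are assumed, not Mageia's.

# Only the groups a given host serves belong here: admin hosts (jonund,
# ecosse, alamut, friteuse) would list mga-sysadm alone.
AllowGroups mga-sysadm mga-scm mga-artwork mga-web
PermitRootLogin no        # log in as yourself, then sudo, so actions are attributable
Subsystem sftp internal-sftp

# Match blocks override the global section. When several Match blocks
# apply to the same user, the first block that sets a keyword wins for
# that keyword, so order the restrictive blocks first.

# --- valstar: svn/git over ssh, never a shell
Match Group mga-scm
    ForceCommand /usr/local/bin/scm-shell   # assumed wrapper dispatching to svnserve -t / git-shell
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# --- champagne: artwork team locked into the web root, sftp only
Match Group mga-artwork
    ChrootDirectory /var/www/artwork        # assumed path; must be root-owned and not group/world writable
    ForceCommand internal-sftp              # in-process sftp, so nothing needs to exist inside the chroot
    AllowTcpForwarding no
    X11Forwarding no

# --- champagne: web team keeps a normal shell on the same host
# (no Match block: mga-web members simply do not fall into the sftp block
#  and get the global settings, i.e. an ordinary login)
```

Before the cut-over, `sshd -T -C user=<login>` prints the effective configuration for a given account and shows which Match block it landed in. sshd runs a ForceCommand through the account's login shell (`shell -c command`), which is why the forced command and an nss-ldap replaced shell cannot coexist: the replaced shell never executes the forced command, and every session is blocked.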






<!--endarticle-->
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>