Hi all,
I have the following lines in my file /etc/security/access.conf for the purpose of my
testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my login. The error is
"pam_access(sshd:account): access denied for user `bryan.harris.adm' from"
which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login just fine and
access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux Admins" (without
quotes) to be able to login. So eventually I want to get a line like - : @Linux Admins :
ALL into my /etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can convince the Windows
guys to not use spaces in their group names but I could try.
Or is it better for me to just use ldap_access_filter and leave the security up to sssd?
The reason I looked into access.conf was to have another security layer "just in
case", but if that's redundant and unnecessary than I suppose I don't need
any of this anyway.
Bryan
Show replies by date