2008-10-21

Systems 2008

Today the Systems trade fair started in Munich. This year Systems spans five halls, the same size as in 2007.

The most interesting hall this year was hall B3, the IT security hall, which covers one of the most important topics in IT business today.

Together with one of its partners, the Rittal company showed the world's smallest computing center. It is only one rack, but it includes a climate control unit and fire extinguishing equipment. The rack is also protected against common risks like fire (outside the rack) and thieves.

At the stand of the Federal Office for Information Security (BSI) I got very good information about security certifications. They offer a lot of standard procedures to introduce IT security processes in companies.

In the open source area I found a lot of very well-known people from the German company SerNet. Karolin Seeger and Volker Lendecke talked about the news around the Samba server. Nearby, the Debian project provided information about the upcoming Lenny release.

Virtualisation was also a big topic at this year's Systems. I was able to compare different solutions from different vendors. Parallels Virtuozzo and Citrix's XenServer seemed to be the big players in addition to VMware. Unfortunately, Google did not show their Xen-based Ganeti cluster software, which I was really interested in.

I also met a lot of friends and well-known people at Systems. So we found plenty of time to exchange experiences and to bombard the stand staff with our questions together.

At the end of the day it was a nice trade fair without really big news. But I was able to take a more detailed look at some interesting products.

2008-10-20

Restrict user logins with pam_listfile

In some situations it can be useful to allow direct ssh logins only for a handful of privileged users or groups. A typical scenario is a web server or a mail server that is integrated into an LDAP directory. In this case all users in your directory may be able to log in by default.

A very flexible and easy way to restrict logins is the pam_listfile module. It allows you to restrict logins to single users or groups. The allowed users and/or groups are listed in a simple configuration file, one entry per line. That's all.

But first you have to change your PAM configuration a little bit (for the noobs: PAM == pluggable authentication modules). Here you can see a simplified configuration for the sshd login on a Debian box:


# PAM configuration for the Secure Shell service

# Allow only users who are in the groups listed in /etc/logingroups
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/logingroups

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Standard Un*x password updating.
@include common-password

Finally, add all groups that should be able to log in to the /etc/logingroups file. Don't forget to add the root group if you want to allow root logins via ssh.

You can do the same with users. Simply change item=group into item=user and choose another name for the file attribute.

There may be other possibilities to restrict logins, but I believe this one is really elegant. Naturally, you can also use the module with other PAM-based services (e.g. login).
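
As an added example (not code from the original post), this Python sketch checks a group allow-list before the pam_listfile line goes live, so a forgotten root group or a mistyped entry is caught before it locks anyone out. It assumes entries are matched verbatim and that a user counts as a member through either the primary or a supplementary group; the function names and sample data are constructed for illustration.

```python
import grp
import pwd


def parse_listfile(text):
    """Return (groups, warnings) for a one-name-per-line allow-list."""
    groups, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        # Assumption: entries are compared verbatim, so stray whitespace or a
        # '#' comment would be read as part of a (non-existent) group name.
        if line != line.strip() or line.startswith("#"):
            warnings.append(f"line {n}: {line!r} will not match any group")
            continue
        groups.append(line)
    return groups, warnings


def allowed_users(groups, passwd, group_db):
    """passwd: {user: primary_gid}; group_db: {name: (gid, [members])}."""
    allowed = set()
    for name in groups:
        if name not in group_db:
            continue  # unknown group: nobody gains access through it
        gid, members = group_db[name]
        allowed.update(members)  # supplementary membership
        allowed.update(u for u, pgid in passwd.items() if pgid == gid)  # primary
    return sorted(allowed)


def system_databases():
    """Load real passwd/group data (LDAP users only if NSS can enumerate them)."""
    passwd = {p.pw_name: p.pw_gid for p in pwd.getpwall()}
    group_db = {g.gr_name: (g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()}
    return passwd, group_db


# Constructed sample data, not taken from a real host.
SAMPLE_LIST = "root\nadmins\n# webteam\n"
SAMPLE_PASSWD = {"root": 0, "alice": 1000, "bob": 1001, "carol": 1002}
SAMPLE_GROUPS = {"root": (0, []), "admins": (2000, ["alice"]),
                 "webteam": (2001, ["bob", "carol"]), "users": (1000, [])}

if __name__ == "__main__":
    names, notes = parse_listfile(SAMPLE_LIST)
    users = allowed_users(names, SAMPLE_PASSWD, SAMPLE_GROUPS)
    print("allowed:", users)
    print("\n".join(notes))
    if "root" not in users:
        print("warning: root would be locked out of ssh")
```

On a real host, pass the contents of /etc/logingroups and the result of system_databases(). Note that sshd runs the PAM auth stack only for password and keyboard-interactive logins, so public-key logins are covered only if the pam_listfile line is also present as an account entry.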

Let's go!

Today I started the IT Futtzy blog and went into the new Web 2.0 world. What is Web 2.0? Most people believe it has something to do with technology. But for me the main idea behind Web 2.0 is that everybody is able to add content.

So this should be a place where I want to share my experiences in different IT topics with the worldwide Internet community. I hope there are a lot of people out there who will be happy to get some information from this blog.