[Mageia-sysadm] Switching to openssh match instead of using nss ldap

Michael Scherer misc at zarb.org
Wed Jun 15 23:37:10 CEST 2011


Hi,

some months ago, Buchan proposed that we use openssh Match feature to
force the command when connecting to ssh, instead of replacing the shell
with nss ldap. The benefit being that we could then start to log in using
our own accounts instead of root, and use sudo, for auditing purposes.

While working on setting up a secure sftp server for the artwork team, I
looked at how we could make sure that accounts are chrooted in the web
root. It seems that unlike svn or git, you cannot force the path unless
you use ChrootDirectory.

So this seemed the right moment to do the switch.

I just did a test on a vm, and it still works fine (at least on my
account). However, we have to do both at the same time, as forcing the
command in both ssh and ldap results in blocking everything.

So the idea is:
- disable the nss ldap forcing
- add various openssh configs for the various types of setup we can
have:

 - regular ssh, only for admins (jonund, ecosse, alamut, friteuse)
 - ssh access to svn, git (valstar)
 - sftp chrooted for the artwork team AND ssh access for the web team
(champagne)

But this would require some lifting in the ssh module first.

Any comments?
-- 
Michael Scherer
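As an added example that is not part of the original mail, here is what the champagne case (chrooted sftp for the artwork team plus regular ssh for the web team and admins) could look like in sshd_config using Match blocks instead of the nss ldap shell replacement. The group names (mga-sysadmin, mga-web, mga-artwork) and the chroot path /srv/www are assumptions; the other hosts would differ only in their AllowGroups line and Match blocks.

```sshd_config
# Added example, not Mageia's actual configuration.
# Group names and /srv/www are assumed values.

# Global settings. Everything before the first "Match" applies to all
# connections; everything after a "Match" line belongs to that block
# until the next "Match", so the blocks must come last.
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp

# Per-host part: on champagne, admins, the web team and the artwork team
# may connect at all. Admins and the web team keep their normal login
# shell, log in as themselves and use sudo where needed.
AllowGroups mga-sysadmin mga-web mga-artwork

# Artwork team: sftp only, confined to the web root.
# sshd requires every component of the ChrootDirectory path to be owned
# by root and not writable by group or others, or the login is refused;
# directories the team may write to live below it (e.g. /srv/www/artwork).
# internal-sftp runs inside sshd itself, so the chroot needs no binaries
# or libraries of its own.
Match Group mga-artwork
    ChrootDirectory /srv/www
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no

# Why the ldap forcing has to go at the same time: sshd executes a
# ForceCommand through the user's login shell ("$SHELL -c command"),
# so a loginShell from ldap that is not a real shell breaks every
# forced command, which is the "blocks everything" effect described above.
```

Check the result with `sshd -T -C user=<name>,host=<host>,addr=<ip>` before reloading; it prints the effective settings after Match evaluation for that connection, and `sshd -t` catches syntax errors.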
