[Mageia-sysadm] Switching to openssh match instead of using nss ldap

Maât maat-ml at vilarem.net
Sat Jun 18 07:43:03 CEST 2011

Le 15/06/2011 23:37, Michael Scherer a écrit :
> Hi,
> some months ago, Buchan proposed that we use openssh Match feature to
> force the command when connecting to ssh, instead of replacing the shell
> with nss ldap. The benefit being that we could then start to log using
> our account instead of using root, and use sudo, for auditing purpose.
> While working on setting up a secure sftp server for the artwork team, I
> looked on how we could make sure that account are chrooted in the web
> root. It seems that unlike svn or git, you cannot force the path except
> if you use ChrootDirectory.
> So this seemed the right moment to do the switch.
> I just did a test on a vm, and it still work fine ( at least on my
> account ). However, we have to do both at the same time, as forcing the
> command in ssh and ldap result in blocking everything.
> So the idea is :
> - disable the nss ldap forcing
> - add various openssh config for the various type of config we can
> have :
>  - regular ssh, only for admin ( jonund, ecosse, alamut, friteuse ) 
>  - ssh access to svn, git ( valstar ) 
>  - sftp chrooted for artwork team AND ssh access for web team
> ( champagne )
> But this would requires some lifting in the ssh module before. 
> Any comment ? 
just one comment : \o/

More information about the Mageia-sysadm mailing list