[Mageia-sysadm] Switching to openssh match instead of using nss ldap
Maât
maat-ml at vilarem.net
Sat Jun 18 07:43:03 CEST 2011
On 15/06/2011 23:37, Michael Scherer wrote:
> Hi,
>
> some months ago, Buchan proposed that we use openssh Match feature to
> force the command when connecting to ssh, instead of replacing the shell
> with nss ldap. The benefit being that we could then start to log in using
> our account instead of using root, and use sudo, for auditing purposes.
>
> While working on setting up a secure sftp server for the artwork team, I
> looked at how we could make sure that accounts are chrooted in the web
> root. It seems that unlike svn or git, you cannot force the path except
> if you use ChrootDirectory.
>
> So this seemed the right moment to do the switch.
>
> I just did a test on a vm, and it still works fine ( at least on my
> account ). However, we have to do both at the same time, as forcing the
> command in ssh and ldap results in blocking everything.
>
> So the idea is :
> - disable the nss ldap forcing
> - add various openssh config for the various types of config we can
> have :
>
> - regular ssh, only for admin ( jonund, ecosse, alamut, friteuse )
> - ssh access to svn, git ( valstar )
> - sftp chrooted for artwork team AND ssh access for web team
> ( champagne )
>
> But this would require some lifting in the ssh module before.
>
> Any comment ?
just one comment : \o/
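An sshd_config sketch of the three cases Michael lists (admin ssh, forced command for svn/git, chrooted sftp next to normal shell access), added here as an example and not a configuration taken from the Mageia sysadmin puppet module; the group names artwork, vcs and web, the chroot path and the vcs wrapper path are assumptions.

```sshd_config
# Global section: no ForceCommand here, so admin hosts (jonund, ecosse,
# alamut, friteuse) keep a normal login and sudo can be used for auditing.
# internal-sftp is required for the chroot case, since a chrooted user
# has no access to the external sftp-server binary.
Subsystem sftp internal-sftp
PermitRootLogin no

# Match blocks must be the last thing in sshd_config: every directive
# after a Match line applies to that block until the next Match line.

# Artwork team (the champagne case): sftp only, locked into the web root.
# ChrootDirectory must be owned by root and not group/world writable;
# the path below is an assumption.
Match Group artwork
    ChrootDirectory /var/www/artwork
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# svn/git users (the valstar case). The forced command takes over the role
# the nss ldap shell replacement had; the LDAP loginShell must therefore be
# a real shell again, otherwise the two mechanisms block each other, as
# observed in the vm test. /usr/local/bin/vcs-shell is an assumed wrapper
# that only dispatches to svnserve -t or the git-*-pack commands found in
# SSH_ORIGINAL_COMMAND.
Match Group vcs
    ForceCommand /usr/local/bin/vcs-shell
    AllowTcpForwarding no
    X11Forwarding no

# Web team on the same host as the artwork chroot: ordinary shell access,
# nothing forced, so the Match on group membership is what separates them.
Match Group web
    AllowTcpForwarding no
```

Check the result with `sshd -T -C user=someuser,host=champagne,addr=127.0.0.1` before restarting, which prints the effective options for a given user without touching the running daemon.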