Danny,
Thanks for the response, ended up going with pam_listfile which seems to be working well so far.
- Justin Lintz
On Fri, Jan 16, 2009 at 6:15 PM, Danny Sauer
<dannysauer.com@gmail.com> wrote:
Sorry for the slow response, but I figured this still may be useful. You could use the pam_succeed_if module, which can use "user ingroup <grp>". Stack a few of those as sufficient near the bottom of your stack, or use the "skip=n" method discussed in the man page for pam_succeed_if.
Or, use pam_access to use access.conf for this stuff.
Or use a non-RFC group (no GID, not in the posixGroup objectclass, etc) to simply group users together without putting everyone in a Unix-accessible group.
--Danny
Justin Lintz wrote:
Hi,
I see that it's not possible to put multiple groups in pam_groupdn and
I was wondering if there is a workaround solution for allowing users
of multiple groups to access a server? I saw a couple years ago in
the archives someone mentioned a patch they wrote for multiple
pam_groupdns but that doesn't seem ideal to use in a large scale
deployment and would cause issues with future upgrades. Currently as
a workaround I'm using sshd's AllowGroups setting and not doing any
filtering at the pam leve. The only problem with this is now if I
have any other application that uses pam for authentication (ie.
vsftpd) it won't have any restrictions on who can login.
- Justin Lintz
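
The two approaches named in this thread, written out as an account stack that any PAM-aware service (sshd, vsftpd) could share. This is an added example, not configuration posted by either participant; the group names `sysadmins` and `webdev` and the path `/etc/security/allowed_groups` are assumptions.

```conf
# Account stack for a service file under /etc/pam.d/ (added example).
# Group names and the list file path are placeholders chosen for illustration.

# Option A: pam_succeed_if with jump counts (the "skip=n" style).
# A matching group test jumps over the remaining tests and the pam_deny
# line; a non-matching test is ignored and the next line is tried.
# If no test matches, pam_deny is reached and the login is refused.
account  [success=2 default=ignore]  pam_succeed_if.so quiet user ingroup sysadmins
account  [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup webdev
account  requisite                   pam_deny.so
# Because the tests jump instead of using "sufficient", the usual account
# checks below still run for users who passed a group test.
account  required                    pam_unix.so

# Option B: pam_listfile, one permitted group name per line in the file.
# sense=allow admits only members of a listed group; onerr=fail refuses
# access if the file is missing or unreadable instead of failing open.
# account  required  pam_listfile.so item=group sense=allow file=/etc/security/allowed_groups onerr=fail
# account  required  pam_unix.so
```

Keep an existing root session open while testing either variant, since a mistake in the account stack locks out new logins for every service that includes it.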