You need to enable the pam_access module first. Uncomment the following line in the /etc/pam.d/login and /etc/pam.d/sshd files:
account required pam_access.so
Secure Administrative Logins
Modify /etc/security/access.conf to disallow remote logins to administrative accounts and local logins to non-administrative accounts. The order of entries is important, because pam_access acts on the first entry that matches:
#
# Disallow non-root logins on tty1
#
- : ALL EXCEPT root : tty1
#
# Allow root login on tty1
+ : root : tty1
#
# Disallow console logins
- : ALL : LOCAL
#
# ...
#
# User "root" should be denied access from all
# other sources
- : root : ALL
Secure Network Logins
Set up a group to control which users can access the system remotely (via ssh).
groupadd -r sshusers
Modify /etc/security/access.conf to allow network access only to members of the sshusers group.
# Allow group 'sshusers' to get access from everywhere
+ : (sshusers) : ALL
#
# All other users should be denied access from
# all sources.
- : ALL : ALL
Add users to the sshusers group:
usermod -a -G sshusers user1
The changes take place immediately, you do not have to reboot.
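To see why the entry order matters, here is an added example (written for this page, not pam_access's own code) that replays the access.conf entries above with pam_access's first-match semantics. The group table and the remote address are constructed sample data, and LOCAL is simplified to "origin without a dot", i.e. a tty name.

```python
# Constructed group membership table (stands in for /etc/group).
GROUPS = {"sshusers": {"user1"}}

# The page's access.conf entries, in the order the page gives them.
ACCESS_CONF = """
- : ALL EXCEPT root : tty1
+ : root : tty1
- : ALL : LOCAL
- : root : ALL
+ : (sshusers) : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(perm, users, origins), ...], skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (part.strip() for part in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules

def user_matches(field, user):
    """Users field: ALL, (group), or a login name, optionally with EXCEPT."""
    head, _, tail = field.partition(" EXCEPT ")
    if tail and user_matches(tail, user):
        return False
    if head == "ALL":
        return True
    if head.startswith("(") and head.endswith(")"):
        return user in GROUPS.get(head[1:-1], set())
    return head == user

def origin_matches(field, origin):
    """Origins field: ALL, LOCAL (simplified to 'no dot', i.e. a tty), or literal."""
    if field == "ALL":
        return True
    if field == "LOCAL":
        return "." not in origin
    return field == origin

def decide(rules, user, origin):
    """First matching entry wins, as in pam_access; with no match, access is granted."""
    for perm, users, origins in rules:
        if user_matches(users, user) and origin_matches(origins, origin):
            return perm == "+"
    return True
```

Moving the "- : ALL : LOCAL" entry above the "+ : root : tty1" entry makes decide() deny root on tty1, which is the ordering mistake the text warns about.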