If the user is logged in on the console or via KDM, they are allowed to edit /etc/users_allowed_ssh, in which they may list accounts allowed to SSH to their machine.
The configuration files must be set up like this:

In /etc/security/group.conf, there must be a line

<snip>
kdm|login; *; p*; Al0000-2400; sshadmin
And of course the file /etc/users_allowed_ssh must exist and have appropriate permissions and ownership:

addgroup --system sshadmin
echo "#Users listed in this file are allowed to ssh to this machine" > /etc/users_allowed_ssh
chgrp sshadmin /etc/users_allowed_ssh
chmod 660 /etc/users_allowed_ssh
Finally, we need to enforce that only users listed in /etc/users_allowed_ssh may log in. We do this in /etc/pam.d/sshd:

<snip>
# auth methods here are independent of /etc/users_allowed_ssh
auth requisite pam_listfile.so onerr=fail item=user sense=allow file=/etc/users_allowed_ssh
# auth methods here only evaluated if user listed in /etc/users_allowed_ssh
<snip>
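The following script is an added example, not part of the page above, that models the decision the pam_listfile.so line makes for item=user sense=allow onerr=fail. It assumes pam_listfile compares each line of the file to the user name exactly (no wildcards, no whitespace trimming) and refuses a world-writable file; the path and the user names are constructed for the demo, and the real /etc/users_allowed_ssh is never touched. It shows the two things an administrator most often trips over when hand-editing the file: a stray trailing space on a name silently denies that user, and loosening the file mode to 666 denies everyone.

```shell
#!/bin/sh
# Added example (not the page's own configuration): a sh model of the
# pam_listfile.so decision for "item=user sense=allow onerr=fail".
# Assumptions: exact line comparison and rejection of a world-writable
# file, as pam_listfile behaves. All paths and user names are constructed.

# ssh_allowed FILE USER -> exit status 0 (allow) or 1 (deny)
ssh_allowed() {
    file=$1
    user=$2
    # onerr=fail: a missing or unreadable list denies everyone
    [ -r "$file" ] || return 1
    # a world-writable list is rejected outright
    # (last octal digit of the mode has the write bit set: 2, 3, 6 or 7)
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        *[2367]) return 1 ;;
    esac
    # exact, line-by-line comparison: a comment line or "bob " never
    # equals "bob"; blank lines never name a user, so skip them
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        [ "$line" = "$user" ] && return 0
    done < "$file"
    return 1
}

# make_demo_list DIR -> writes a constructed allow list, prints its path
make_demo_list() {
    f=$1/users_allowed_ssh
    printf '%s\n' \
        '#Users listed in this file are allowed to ssh to this machine' \
        'alice' \
        'bob ' \
        '' \
        'carol' > "$f"
    chmod 660 "$f"
    printf '%s\n' "$f"
}

# show FILE USER -> prints the decision for one user
show() {
    if ssh_allowed "$1" "$2"; then
        printf '%-6s allowed\n' "$2"
    else
        printf '%-6s denied\n' "$2"
    fi
}

demo() {
    dir=$(mktemp -d)
    list=$(make_demo_list "$dir")
    # bob is denied: the list contains "bob " with a trailing space
    for u in alice bob carol dave; do show "$list" "$u"; done
    # a world-writable list denies everyone, even listed users
    chmod 666 "$list"
    echo "after chmod 666:"
    show "$list" alice
    rm -rf "$dir"
}

demo
```

Run it as an ordinary user; it only writes under a mktemp directory. The comment line the page writes into the file is harmless because no real account name starts with '#', but the model makes clear that the list is matched literally, so the file should contain one bare user name per line and keep the 660 mode the page prescribes.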