Local user controls who may SSH

Jurjen Bokma

If the user is logged in on the console or via KDM, they are allowed to edit /etc/users_allowed_ssh, in which they may list accounts allowed to SSH to their machine. The configuration files must be set like this: In /etc/security/group.conf, there must be a line

kdm|login; *; p*; Al0000-2400; sshadmin

And of course the file /etc/users_allowed_ssh must exist and have appropriate permissions and ownership:

addgroup --system sshadmin
echo "#Users listed in this file are allowed to ssh to this machine" > /etc/users_allowed_ssh
chgrp sshadmin /etc/users_allowed_ssh
chmod 660 /etc/users_allowed_ssh

The finally we need to enforce that only users listed in /etc/users_allowed_ssh may log in in. We do this in /etc/pam.d/sshd:

# auth methods here are independent of /etc/users_allowed_ssh
auth requisite pam_listfile.so onerr=fail item=user sense=allow file=/etc/users_allowed_ssh
# auth methods here only evaluated if user listed in /etc/users_allowed_ssh