Multiple servers, restricting user commands and LDAP
Damien Miller
djm at mindrot.org
Tue Feb 22 07:56:45 EST 2005
Finlay Dobbie wrote:
>
> On 21 Feb 2005, at 20:42, Damien Miller wrote:
>> If you are using LDAP, then set posixAccount/loginShell appropriately.
>
> I know how to set a user's shell using the NIS schema. I don't see how
> that helps me, since I need to have different restricted commands for
> different hosts. If I could restrict commands by group then that'd be
> dandy.
You could have the same shell name map to different restrictions on each
host. Trivially, by symlinking the shell to the binary you want to run
(e.g. /usr/bin/cvs) or, if you wanted to be fancy, you could make that
restricted shell look up the actual commands it is supposed to execute
in LDAP too. That way the user would get a consistent response
regardless of the method by which they logged in.
-d
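
A sketch of the restricted-shell idea in the message above, as an added example that is not part of the original post or of OpenSSH: the same script is the login shell on every host, and a per-host allow file decides which binaries it will run. The path /etc/restricted-shell.allow and the function name allowed_binary are assumptions, and the file lookup stands in for the LDAP lookup the message mentions.

```shell
#!/bin/sh
# Added example: restricted login shell with a per-host allow list.
# ALLOW_FILE is a hypothetical path; one absolute binary path per line.
ALLOW_FILE="${ALLOW_FILE:-/etc/restricted-shell.allow}"

# Print the permitted binary for a requested command line, or return 1.
# The request is never passed to eval or "sh -c".
allowed_binary() {
    allow_file=$1
    request=$2
    [ -r "$allow_file" ] || return 1
    # Reject empty requests and anything outside a conservative character
    # set, which excludes ; | & $ ` < > quotes, globs and newlines.
    stripped=$(printf '%s' "$request" | tr -d ' ')
    case $stripped in
        ''|*[!A-Za-z0-9._/=-]*) return 1 ;;
    esac
    set -f                      # no globbing while splitting into words
    set -- $request
    set +f
    name=$1
    # The client names a command, never a path of its own choosing.
    case $name in */*) return 1 ;; esac
    while IFS= read -r path; do
        case $path in ''|'#'*) continue ;; esac
        # Only absolute entries count; match on the basename.
        if [ "${path#/}" != "$path" ] && [ "${path##*/}" = "$name" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done < "$allow_file"
    return 1
}

# sshd starts the login shell as: <shell> -c '<client command>'.
# An interactive login has no -c, so the script ends and the session closes.
if [ "${1:-}" = "-c" ] && [ $# -eq 2 ]; then
    if bin=$(allowed_binary "$ALLOW_FILE" "$2"); then
        set -f; set -- $2; shift; set +f
        exec "$bin" "$@"        # e.g. /usr/bin/cvs server
    fi
    echo "command not permitted on this host" >&2
    exit 1
fi
```

Only the command name is checked here; arguments are passed through unchanged, so each listed binary must itself be safe to expose with arbitrary arguments.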