notips

Limited Linux user access to certain machines

I have over 20 Linux machines here in the LAN. How do I limit users' access to certain machines? For example, user "john" can only access machines 1, 2 and 3 but not 4-20. Thanks!
Linux Networking

Last Comment: legolasthehansy, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
legolasthehansy

pmasotta

Just create on machine X only the users that are allowed to use machine X.
SOLUTION
wesly_chen

notips

ASKER
Can you give an example of the sshd_config? Thanks!
notips

ASKER
3. On group1 machines, the /etc/security/access.conf has
+: hgroup1 : ALL
- : ALL EXCEPT hgroup1: ALL

All the machines are in a NIS environment. Does that mean I have to create groups on all the machines? Can I just use the usernames?
For example:
+:user1 user2:ALL
-:ALL EXCEPT user1 user2:ALL
notips

ASKER
If I just use +:user1 user2:ALL, does it by default deny access from all others?
wesly_chen

> All the machines are in a NIS environment. Does that mean I have to create groups on all the machines?
Only need to add to the NIS group table, no need for the local /etc/group.
Do you use netgroup in NIS?

> +:user1 user2:ALL
> -:ALL EXCEPT user1 user2:ALL
Users are OK. In my experience, using groups will be easier. But it is up to you.
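
On the question above of whether `+:user1 user2:ALL` on its own denies everyone else: pam_access stops at the first matching rule and permits the login when no rule matches, so the explicit `-` line is what actually locks other users out. The following is an added example, not part of any post in this thread and not pam_access source code; it is a simplified model that assumes exact-name matching, caller-supplied group membership and plain-string origins.

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access source).
# Assumptions: exact-name matching only; group membership is passed in by the caller;
# origins are compared as plain strings (no netgroups, networks or hostname lookups).

def list_match(tokens, names):
    """True if a token before EXCEPT matches and no token after EXCEPT does."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, exceptions = tokens[:cut], tokens[cut + 1:]
    else:
        head, exceptions = tokens, []
    hit = any(tok == "ALL" or tok in names for tok in head)
    return hit and not (exceptions and list_match(exceptions, names))

def access_allowed(rules, user, origin, groups=()):
    """Return the verdict of the first rule that matches (user, origin)."""
    names = {user, *groups}
    for raw in rules.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if list_match(users.split(), names) and list_match(origins.split(), {origin}):
            return perm == "+"      # first matching rule decides
    return True                     # no rule matched: the login is permitted

# Rule sets as posted in the thread
ALLOW_ONLY = "+:user1 user2:ALL"
ALLOW_THEN_DENY = "+:user1 user2:ALL\n-:ALL EXCEPT user1 user2:ALL"
GROUP_RULES = "+: hgroup1 : ALL\n- : ALL EXCEPT hgroup1: ALL"

if __name__ == "__main__":
    origin = "192.0.2.10"  # constructed sample origin
    for label, rules in (("allow only", ALLOW_ONLY), ("allow then deny", ALLOW_THEN_DENY)):
        for user in ("user1", "user3"):
            print(f"{label:16} {user}: {access_allowed(rules, user, origin)}")
    print("john in hgroup1:", access_allowed(GROUP_RULES, "john", origin, groups=("hgroup1",)))
    print("john, no group: ", access_allowed(GROUP_RULES, "john", origin))
```

These rules are only consulted by services whose PAM stack loads `pam_access.so`; sshd uses the `sshd` PAM service (`/etc/pam.d/sshd`), and only when `UsePAM yes` is set in sshd_config.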
notips

ASKER
I have just tried to deny access from "root" but it's not working. The "root" can still ssh to the machine.
- : root : ALL
wesly_chen

Does your /etc/pam.d/login have this line to activate the /etc/security/access.conf file in PAM:
--------------
# add login restrictions (access.conf)
account required pam_access.so
-------------

If not, please add it.
     
notips

ASKER
I've just put it in but it still does not work.
legolasthehansy

AllowUsers
             This keyword can be followed by a list of user name patterns, separated by spaces.  If specified, login is allowed only for user
             names that match one of the patterns.  '*' and '?' can be used as wildcards in the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is allowed for all users.  If the pattern takes the form USER@HOST then
             USER and HOST are separately checked, restricting logins to particular users from particular hosts.

From man sshd_config

You may also use DenyUsers