login restriction

Franco Milicchio senseiwa at mac.com
Wed Mar 12 06:57:52 EDT 2008


On Mar 12, 2008, at 11:43 AM, Roberto C. Sánchez wrote:

> On Wed, Mar 12, 2008 at 10:29:07AM +0100, Marcin N wrote:
>> Hello again
>> I'm wondering if it is possible to make a restriction on which hosts
>> users authorized by Kerberos can log on.
>> For now only users who have a local account (so they are in
>> /etc/password and /etc/shadow) can log in to the machine.
>> But is there a possibility to control it via any kind of access list
>> or something like that - which would be managed on the KDC?
>> I would like to have all users' local accounts on every machine and
>> decide which user can log in to a specific machine by setting it on
>> the KDC...
>> Is it possible?
>>
> Kerberos is for authentication, not authorization.  You use something
> like LDAP for authorization.

Or use PAM with groups (either on LDAP or in /etc).
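
The PAM-with-groups approach suggested above, as an added configuration example that is not part of the original thread: pam_access reads /etc/security/access.conf in the account stack, so Kerberos keeps doing authentication while group membership decides who may use this host. The group name "ws-users" and the choice of sshd as the service are assumptions for illustration.

```conf
# /etc/security/access.conf on one host (constructed example).
# "ws-users" is a hypothetical group; it can live in /etc/group or in
# LDAP (resolved through NSS), so membership can be managed centrally.
# Format: permission : users/groups : origins. The first matching rule wins.
+:root:LOCAL
+:(ws-users):ALL
-:ALL:ALL

# /etc/pam.d/sshd (or whichever service is being restricted), account stack.
# Authentication stays with Kerberos in the auth stack; pam_access only
# decides whether the already-authenticated user may log in on this host.
account  required  pam_access.so
```

For sshd the account stack is only consulted when `UsePAM yes` is set, including for logins authenticated with GSSAPI. Keep a root session open while testing, because the final deny rule locks out everyone not matched above it.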


