I updated pam_access to work for all of the PAM controls and it seems to be doing the job.
I still have to test it from outside the local network to be sure.

Do you know if anyone would be interested in incorporating the changes that I made to the .77 version?

With very minor mods, they should work for the .99 version as well.

PAM seems very useful once you get into it. It does not seem to have the documentation that would be required for most people to get more out of it. Too much "inside the beltway" for the average system administrator.


I suppose in a web-centric world, there are other more obvious ways to skin a cat, but one wonders how useful it could be if there was some documentation. It certainly seems like a very good idea and quite flexible from what I can figure out.

Thanks to everyone for the advice and encouragement. You were right, it can be made to do what I want.


Ron

-----Original Message-----
From: Barry Brimer [mailto:barry.brimer@bigfoot.com]
Sent: March 31, 2006 6:13 PM
To: Ron Wheeler
Subject: Re: using PAM to permit local users.


Quoting Ron Wheeler :

> I am using pam_listfile to permit a small list of users to have access to
> sshd no matter where they log in.
> I also have to permit ssh access to any user on our local network. With
> listfiles I have to list every machine name on the network. This is a bit of a
> pain.
>
> If listfiles understood wildcards, it would be ok. (*.silonex.com)
>
> To go at the problem more directly, how hard would it be to build a new
> plug-in to take a network description and determine if the user is attached
> to that network?
>
> auth required pam_localnet sense=allow tests for 192.168.x.x or
> 10.x.x.x or ??? (I think there is one other private address range)
>
> OR
>
> auth required pam_net sense=allow net=192.168.1.0,205.151.82.0 tests
> for an arbitrary network; this is more complex but perhaps more useful.
>
> This would solve my problem
>
> auth [success=1] pam_listfile.so sense=allow file=/etc/sshd/allowedusers
> auth required pam_localnet.so sense=allow
> auth required pam_winbind.so
> auth required pam_nologin.so


Have you considered pam_access?

Barry
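For the case Ron describes (a short list of users from anywhere, every user from the local network, nobody else), here is an added example of what Barry's pam_access suggestion could look like. It is not from the thread: the user names, the network prefixes, the domain and the file path are illustrative, and pam_access is kept under the account control, which is what the unmodified module handles.

```conf
# /etc/security/access.conf  (constructed example, not from the thread)
# Format:  permission : users : origins   -- the first matching line wins.

# Named users may log in from any origin (replaces the
# /etc/sshd/allowedusers list of pam_listfile; names are illustrative).
+ : ron barry : ALL

# Everyone else only from the local network.  A trailing dot matches a
# network-number prefix; a leading dot matches a DNS domain suffix.  The
# address form is preferable: the domain form is only as trustworthy as
# the reverse lookup that produced PAM_RHOST, which the client side can
# influence.  Several origins on one line are space-separated.
+ : ALL : 192.168.1. 205.151.82.
+ : ALL : .silonex.com

# Explicit catch-all deny.  Without it, a (user, origin) pair that matches
# no line is permitted, so the file would deny nothing.
- : ALL : ALL
```

```conf
# /etc/pam.d/sshd fragment: the pam_listfile and pam_localnet auth lines
# from the original stack are dropped; the auth lines that remain are
# Ron's, and one account line delegates the origin policy to the table.
auth     required   pam_winbind.so
auth     required   pam_nologin.so
account  required   pam_access.so accessfile=/etc/security/access.conf
```

Test the deny line from a host that is not in the table before relying on it, since a typo in a network prefix fails open rather than closed.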