Here's the original source: OpenSSH Root user account restriction - revisited.
-- “I need something that allows me to say: allow any users except root from anywhere, and root only from localhost. (over ssh session)”.
PAM offers very powerful authentication control.
You need to use the pam_access PAM module, which is mainly for access management. It provides login access control based on login names, host or domain names, Internet addresses or network IP numbers, terminal line names, etc.
Why does pam_access matter?
On a production server, an authorized login can come from any networked computer. Therefore, it is important to have tight control over which users are allowed to connect to the server via OpenSSH.
How do I configure pam_access?
You need to edit the following files:
/etc/pam.d/sshd - Linux PAM configuration file.
/etc/security/access.conf - By default, rules for access management are taken from this configuration file. When someone logs in, the entries in this file are scanned and matched against the rules. You can specify whether the login will be accepted or refused. General syntax is as follows:
permission : username: origins
Where,
permission : Permission field should be a “+” (access granted) or “-” (access denied) character.
username : Linux system username/login name such as root, yelei etc. You can also specify group names. You can also use the special keyword ALL (to match all usernames).
origins : It is a list of one or more tty names, host names, IP addresses, domain names that begin with ".", or the special keywords ALL or LOCAL.
Let us say you want to allow users root and yelei to log in from IP address 202.54.1.20 only.
Open the file /etc/security/access.conf, and append the following line:
-: ALL EXCEPT root yelei:202.54.1.20
Save the file, then open the /etc/pam.d/sshd file and append the following entry:
account required pam_access.so
Save and close the file.
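The rule syntax above, modelled in Python as an added example (not code from the original article or from Linux-PAM). It is a simplified evaluator: the first matching rule decides, no match grants access, and group names, netgroups and netmasks are left out. ROOT_LOCAL_ONLY is a constructed rule set for the quoted requirement and assumes sshd reports local clients as 127.0.0.1.

```python
# Simplified model of pam_access rule evaluation (added example, not the module's code).
# Covers: first matching rule wins, no match means access granted,
# the EXCEPT operator, and the ALL / LOCAL / ".domain" origin keywords.

def _match_list(tokens, item, match_one):
    """True if item matches the tokens before EXCEPT and not the tokens after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(match_one(t, item) for t in head):
        return False
    return not (tail and _match_list(tail, item, match_one))

def _user_match(tok, user):
    return tok == "ALL" or tok == user

def _origin_match(tok, origin):
    if tok == "ALL" or tok.lower() == origin.lower():
        return True
    if tok == "LOCAL":                 # assumption: modelled as "origin has no dot"
        return "." not in origin
    if tok.startswith("."):            # domain suffix such as .example.com
        return origin.lower().endswith(tok.lower())
    return False

def access_allowed(rules, user, origin):
    """Evaluate access.conf-style lines for one (user, origin) pair."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_match_list(users.split(), user, _user_match)
                and _match_list(origins.split(), origin, _origin_match)):
            return perm == "+"         # first matching rule decides
    return True                        # no rule matched: access granted

# Rule exactly as it appears on the page.
PAGE_RULE = "-: ALL EXCEPT root yelei:202.54.1.20"

# Constructed rules for the quoted requirement (root only from localhost),
# assuming sshd reports local clients as 127.0.0.1.
ROOT_LOCAL_ONLY = """
+:root:127.0.0.1
-:root:ALL
"""
```

With the page's rule, root connecting from any other address is still granted because no rule matches that pair; the two-line ROOT_LOCAL_ONLY set is what confines root to 127.0.0.1 while leaving other users unaffected.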
Monday, April 16, 2007
Thursday, March 15, 2007
Non-secure item in a webpage accessed through HTTPS
Just got a good article about handling the pop-up message box "This page contains non-secure items, would you like to display those items?" from Scott Yang's playground.
Here's an excerpt from the article:
At work, the web application that I’ve been developing has always had this problem over a secure SSL link. On certain pages, before the document is fully loaded, a dialog box will pop up telling me that “This page contains non-secure items, would you like to display those items?”. Whether I choose ‘Yes’ or ‘No’ does not really make a difference, and the application can still be executed perfectly. However, this dialog box is really annoying to the point that many people in the office have turned off this checking in their Internet Explorer preferences.
Solution:
Make Sure You Have SRC Attribute In Your IFRAME!
We have quite a few IFRAME tags in our code, either pre-generated or appended to the document using DOM. Many of them are pointing to a relative URL when they are created; however, some of them are just created as hidden placeholders. They are used in DHTML to replace some DIV code because DIV does hover well above the editing widgets. They are created without a SRC attribute, because their documents are created on the fly! Because the document does not have a URL, Internet Explorer gets confused and thus yields a warning on displaying non-secure items.
It ends up as an easy fix - just create those IFRAMEs with SRC pointing to a dummy page using a relative URL.