====== User Access Control for users ======
Use only one of the following mechanisms, not several, to prevent conflicts.
===== PAM =====
Applies to all users (local or not)
/etc/security/access.conf
+:root:LOCAL
+:@rhel-app-wirefeed:ALL
-:ALL:ALL
To see which PAM-based services are using it:
# grep pam_access.so /etc/pam.d/*-auth
/etc/pam.d/fingerprint-auth:account required pam_access.so
/etc/pam.d/password-auth:account required pam_access.so
/etc/pam.d/smartcard-auth:account required pam_access.so
/etc/pam.d/system-auth:account required pam_access.so
===== SSSD =====
Applies only to LDAP users
The SSSD configuration file (/etc/sssd/sssd.conf) contains:
[domain/]
access_provider = simple
simple_allow_groups =
simple_allow_users = ,
And /etc/ssh/sshd_config:
AllowGroups
The LDAP configuration is working and resolves usernames and groups, as checked with:
# getent passwd
# getent group
===== SSH =====
How To Allow Or Deny SSH Access To A Particular User Or Group In Linux
/etc/ssh/sshd_config
...
AllowUsers user1 user2
AllowGroups root
DenyUsers sk
DenyGroups admin
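
A check for the rule at the top of this page (use only one mechanism), as an added example that is not part of the original notes: it reports which of the three mechanisms above (pam_access, SSSD simple access provider, sshd Allow/Deny directives) are active under a given config root. The function names and the sample tree, including the ''[domain/example]'' section, are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which login access-control mechanisms are active under
# a config root ("" = live system), so overlapping rules can be spotted.

active_access_controls() {
    root=$1
    # PAM: pam_access.so referenced on an uncommented line of a PAM stack.
    if grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_access\.so' "$root"/etc/pam.d/*; then
        echo pam_access
    fi
    # SSSD: a domain that uses the simple access provider.
    if grep -Eqs '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*simple' \
        "$root/etc/sssd/sssd.conf"; then
        echo sssd_simple
    fi
    # SSH: any uncommented Allow*/Deny* directive (keywords are case-insensitive).
    if grep -Eiqs '^[[:space:]]*(Allow|Deny)(Users|Groups)[[:space:]]' \
        "$root/etc/ssh/sshd_config"; then
        echo sshd_allow_deny
    fi
}

# Succeeds only when at most one mechanism is restricting logins.
single_access_control() {
    [ "$(active_access_controls "$1" | wc -l)" -le 1 ]
}

# Constructed sample tree (not real host configuration) for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pam.d" "$t/etc/ssh" "$t/etc/sssd"
    echo 'account required pam_access.so' > "$t/etc/pam.d/system-auth"
    printf '#AllowUsers user1\nAllowGroups root\n' > "$t/etc/ssh/sshd_config"
    printf '[domain/example]\naccess_provider = ldap\n' > "$t/etc/sssd/sssd.conf"
    echo "$t"
}

sample=$(make_sample_tree)
active_access_controls "$sample"
single_access_control "$sample" || echo "conflict: more than one mechanism active"
rm -rf "$sample"
```

Call ''active_access_controls ""'' as root to inspect the live system. The check reads only the main sshd_config file, so when Include or Match blocks are in use, compare against the effective settings printed by ''sshd -T''.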