> On all my systems I create a "remote" group and add only those users who
> are responsible enough to have shell access. Then in
> /etc/ssh/sshd_config I add the following:
>
> PermitRootLogin no
> AllowGroups remote

Mentioned this on another thread, but it's relevant here too. You can do the same thing but have it affect all PAM-enabled services by putting something like the following in /etc/security/access.conf:

-:ALL EXCEPT remotees:ALL EXCEPT LOCAL

This denies access ("-") to everyone except members of the remotees group ("ALL EXCEPT remotees") trying to access the system through any means other than sitting down at the console ("ALL EXCEPT LOCAL"). Because of the (IMO) rather clumsy syntax of this file, be aware that this will not have the intended results in the unlikely event that a user named "remotees" exists.

--Brad
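
A simplified model of how the access.conf rule above is evaluated, added here as an example; it is not part of the original message and not pam_access's own code. It assumes a bare name in the users field is tried as a user name and then as a group name, and that LOCAL means an origin with no "." in it; the account names and origins are constructed.

```python
# Simplified model of pam_access rule matching (assumption: old-style syntax,
# where a bare name in the users field is tried as a user name, then a group).

RULES = ["-:ALL EXCEPT remotees:ALL EXCEPT LOCAL"]  # the rule from the message


def parse(line):
    """Split 'permission:users:origins' into its three fields."""
    perm, users, origins = (f.strip() for f in line.split(":", 2))
    return perm, users.split(), origins.split()


def list_match(tokens, matches):
    """True if an item before EXCEPT matches and the list after it does not."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    if not any(matches(tok) for tok in head):
        return False
    return not (tail and list_match(tail, matches))


def access_allowed(rules, user, groups, origin):
    """First matching rule decides; no matching rule means access is granted."""
    def user_tok(tok):
        return tok == "ALL" or tok == user or tok in groups

    def origin_tok(tok):
        # Assumption: LOCAL is modelled as "origin contains no dot" (tty names).
        return tok == "ALL" or tok == origin or (tok == "LOCAL" and "." not in origin)

    for perm, users, origins in map(parse, rules):
        if list_match(users, user_tok) and list_match(origins, origin_tok):
            return perm == "+"
    return True


if __name__ == "__main__":
    # Constructed accounts and origins, for illustration only.
    cases = [
        ("alice", {"remotees"}, "host.example.com"),
        ("bob", {"users"}, "host.example.com"),
        ("bob", {"users"}, "tty1"),
        ("remotees", {"users"}, "host.example.com"),  # user-name collision
    ]
    for user, groups, origin in cases:
        print(user, origin, "allowed" if access_allowed(RULES, user, groups, origin) else "denied")
```

The last case is the name collision the message warns about: in this model an account literally named "remotees" is exempt from the deny rule even though it is not in the group.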