Allow only one AD group to use ssh
We have a linux(SUSE 10) server that authenticates against AD(Windows 2003). Problem is anyone with an AD account can ssh in to the server. We don't want anyone to be able to login via ssh only the users in one particular group.
I have tried editing the sshd_config file and adding the group to AllowGroups but this doesn't work. I have searched google and have not had much luck in finding anything. Please help. |
I use AllowUsers <my_username>, seem to work great, i thought AllowGroups shall work the same way.
did you restart sshd? try to start it in verbose mode and check the outputs when you connect: why would it allow to login. |
Quote:
|
Quote:
|
manual for AllowUsers says:
Quote:
In this context i only have AllowUsers <my_username> and it only allows my account to login, all others get permission denied, as expected. Please, pastebin your sshd_config and try running sshd in verbose mode and then try connecting it and copy that outputs also. |
Quote:
Quote:
Code:
# and session processing. If this is enabled, PAM authentication will |
and that still allows other users to log in?
you didn't post your entire config, do you have some other rules there(allowgroup,denygroup,denyusers)? did you try running sshd in verbose(-v) mode and see why is that happening? |
Quote:
I don't have any other deny or allow statements If I look at var/log/messages it just says illegal user. |
weird.
well, this is my config, it only allows my username in: http://codepad.org/Mg9kGXsp hope this helps. here, when i try to log in as 'nonadm', it fails and writes this kind of stuff into /var/log/auth.log (deb): Code:
Jan 10 04:31:36 srvr sshd[14355]: User nonadm from 94.41.*.* not allowed because not listed in AllowUsers |
All times are GMT -5. The time now is 12:09 AM. |