LinuxQuestions.org

Linux - Security: Allow only one AD group to use ssh
https://www.linuxquestions.org/questions/linux-security-4/allow-only-one-ad-group-to-use-ssh-780650/

apphex8 01-07-2010 03:05 PM

Allow only one AD group to use ssh
 
We have a Linux (SUSE 10) server that authenticates against AD (Windows 2003). The problem is that anyone with an AD account can ssh in to the server. We don't want anyone to be able to log in via ssh, only the users in one particular group.

I have tried editing the sshd_config file and adding the group to AllowGroups, but this doesn't work. I have searched Google and have not had much luck in finding anything.

Please help.

Web31337 01-07-2010 04:31 PM

I use AllowUsers <my_username>; it seems to work great. I thought AllowGroups should work the same way.
Did you restart sshd? Try starting it in verbose mode and check the output when you connect to see why it allows the login.
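An added example, not posted by anyone in this thread: the script below simulates the check sshd performs for AllowUsers and AllowGroups, so the pattern in sshd_config can be compared with the names NSS actually hands sshd before another restart-and-retry cycle. sshd splits the value on whitespace into patterns, matches them with `*` and `?` case-sensitively, and for AllowGroups compares against the user's primary and supplementary group names exactly as the system returns them (what `id -Gn user` prints). With winbind those names carry the domain and the configured `winbind separator` unless `winbind use default domain = yes` is set, so `ssh-users` and `EXAMPLE+ssh-users` are different names. The domain `EXAMPLE`, the `+` separator, the group names and the user name are made-up sample data; the `id`, `getent` and `sshd -ddd` commands in the comments are the real ones to run on the server.

```shell
#!/bin/sh
# Added example (not from the thread): simulate how sshd evaluates an
# AllowGroups or AllowUsers value against the names NSS actually returns.
# Sample data is constructed: 'EXAMPLE' is a made-up domain and '+' is one
# possible 'winbind separator' setting.

set -f   # no pathname expansion: a pattern like EXAMPLE+* must stay literal

# Match one name against one sshd-style pattern: '*' and '?' wildcards,
# case-sensitive. Backslash and '[' in the pattern are escaped first so a
# winbind separator of '\' is compared literally instead of being eaten by
# the shell's own pattern syntax.
sshd_pattern_match() {
    _pat=$(printf '%s' "$1" | sed 's/[\\[]/\\&/g')
    case "$2" in
        $_pat) return 0 ;;
    esac
    return 1
}

# Evaluate a whole Allow* value the way sshd's config parser does: the value
# is split on whitespace into separate patterns (so a group name containing
# a space becomes two patterns, neither of which matches the real name), and
# access is granted if any name matches any pattern. Names are passed
# newline-separated, one per line, so names with spaces survive intact.
allow_list_match() {
    _list=$1
    _oldifs=$IFS
    IFS=$(printf '\nx'); IFS=${IFS%x}
    set -- $2
    IFS=$_oldifs
    for _name in "$@"; do
        for _p in $_list; do
            if sshd_pattern_match "$_p" "$_name"; then
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample of what `id -Gn someuser` might return on a winbind
# host with 'winbind separator = +' and no 'winbind use default domain'.
SAMPLE_GROUPS=$(printf 'EXAMPLE+Domain Users\nEXAMPLE+ssh-users\nusers')

# Report "allowed" or "denied" for one AllowGroups value against the sample.
check_allowgroups() {
    if allow_list_match "$1" "$SAMPLE_GROUPS"; then
        echo allowed
    else
        echo denied
    fi
}

# On the real server (not run here), collect the names sshd will see and
# watch the decision live on a spare port:
#   id -Gn "$user"                      # group names via NSS/winbind
#   getent group 'EXAMPLE+ssh-users'    # does the AD group resolve at all?
#   /usr/sbin/sshd -ddd -p 2222         # then: ssh -p 2222 user@host

for _ag in 'EXAMPLE+ssh-users' 'ssh-users' 'EXAMPLE+Domain Users' 'EXAMPLE+*'; do
    printf 'AllowGroups %-22s -> %s\n' "$_ag" "$(check_allowgroups "$_ag")"
done
```

Run as-is to see the four verdicts: only the fully qualified name and the wildcard match, the bare `ssh-users` never does, and `EXAMPLE+Domain Users` is denied because the space splits it into two patterns. To check a real account, replace SAMPLE_GROUPS with the output of `id -Gn "$user"` (one name per line) and the first argument with the AllowGroups value from sshd_config.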

abefroman 01-07-2010 04:34 PM

Quote:

Originally Posted by apphex8 (Post 3817993)
We have a linux(SUSE 10) server that authenticates against AD(Windows 2003).

That's cool, how did you do that?

apphex8 01-07-2010 10:39 PM

Quote:

Originally Posted by Web31337 (Post 3818092)
I use AllowUsers <my_username>; it seems to work great. I thought AllowGroups should work the same way.
Did you restart sshd? Try starting it in verbose mode and check the output when you connect to see why it allows the login.

Did you put your domain\\username or just your username? Yes, I restarted sshd after each change I made to the sshd_config file.

Web31337 01-08-2010 02:04 AM

The manual for AllowUsers says:
Quote:

This keyword can be followed by a list of user name patterns, separated by spaces.
Why would I possibly want a domain name (in a weird form) there?
In this context I only have AllowUsers <my_username>, and it only allows my account to log in; all others get permission denied, as expected.
Please pastebin your sshd_config, try running sshd in verbose mode, then try connecting and paste that output as well.

apphex8 01-08-2010 08:03 AM

Quote:

Originally Posted by Web31337 (Post 3818488)
The manual for AllowUsers says:

Why would I possibly want a domain name (in a weird form) there?

Because I tried everything else.
Quote:

In this context I only have AllowUsers <my_username>, and it only allows my account to log in; all others get permission denied, as expected.
Please pastebin your sshd_config, try running sshd in verbose mode, then try connecting and paste that output as well.
Below is a snippet of my sshd_config

Code:

# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

AllowUsers da_xxxxxxxxx

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes

da_xxxxxxxx is my domain username. I also tried domain\\da_xxxxxx, domain\da_xxxxxxx, and domain+da_xxxxxxxx.

Web31337 01-08-2010 04:12 PM

And that still allows other users to log in?
You didn't post your entire config; do you have some other rules there (AllowGroups, DenyGroups, DenyUsers)?
Did you try running sshd in verbose (-v) mode to see why that is happening?

apphex8 01-09-2010 11:04 AM

Quote:

Originally Posted by Web31337 (Post 3819447)
And that still allows other users to log in?
You didn't post your entire config; do you have some other rules there (AllowGroups, DenyGroups, DenyUsers)?
Did you try running sshd in verbose (-v) mode to see why that is happening?

No, it doesn't allow anyone in.

I don't have any other deny or allow statements.

If I look at /var/log/messages it just says illegal user.

Web31337 01-09-2010 05:43 PM

Weird.
Well, this is my config; it only allows my username in: http://codepad.org/Mg9kGXsp
Hope this helps.
Here, when I try to log in as 'nonadm', it fails and writes this kind of stuff into /var/log/auth.log (deb):
Code:

Jan 10 04:31:36 srvr sshd[14355]: User nonadm from 94.41.*.* not allowed because not listed in AllowUsers
Jan 10 04:31:36 srvr sshd[14355]: Failed none for invalid user nonadm from 94.41.*.* port 14578 ssh2
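An added example, not from the thread: the two log lines above show that sshd records the real reason ("not allowed because ...") immediately before the generic "invalid user" line, so searching the auth log for "not allowed because" tells an AllowUsers, AllowGroups, DenyUsers or DenyGroups decision apart from a name the server could not resolve at all. The script below classifies lines by those OpenSSH messages (the AllowGroups wording is "none of user's groups are listed in AllowGroups"; older releases wrote "Illegal user" where current ones write "Invalid user") and summarises a log. The log excerpt is constructed for the example, with 192.0.2.x documentation addresses and made-up user names.

```shell
#!/bin/sh
# Added example (not from the thread): classify sshd denial lines from an
# auth log so an Allow/Deny list decision can be told apart from a user the
# server could not resolve. The sample log is constructed in the format
# OpenSSH's sshd writes; 192.0.2.x is documentation address space.

# Print one token naming the reason sshd gave in a single log line.
sshd_deny_reason() {
    case "$1" in
        *"not allowed because not listed in AllowUsers"*)
            echo allowusers ;;
        *"not allowed because none of user's groups are listed in AllowGroups"*)
            echo allowgroups ;;
        *"not allowed because listed in DenyUsers"*)
            echo denyusers ;;
        *"not allowed because a group is listed in DenyGroups"*)
            echo denygroups ;;
        *"Invalid user "*|*"Illegal user "*)
            echo invalid-user ;;            # getpwnam failed or Allow/Deny rejected (see lines above)
        *"Failed "*" for invalid user "*)
            echo auth-failed-invalid ;;     # follow-up line; the reason is in the preceding one
        *)
            echo other ;;
    esac
}

# Extract "user@source" from a "User X from Y not allowed ..." line.
sshd_deny_principal() {
    printf '%s\n' "$1" | sed -n 's/.*User \([^ ]*\) from \([^ ]*\) not allowed.*/\1@\2/p'
}

# Summarise a whole log read from stdin: "count reason", most frequent first.
summarize_denials() {
    while IFS= read -r _line; do
        sshd_deny_reason "$_line"
    done | sort | uniq -c | sort -rn
}

# Constructed sample log (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 04:31:36 srvr sshd[14355]: User nonadm from 192.0.2.10 not allowed because not listed in AllowUsers
Jan 10 04:31:36 srvr sshd[14355]: Failed none for invalid user nonadm from 192.0.2.10 port 14578 ssh2
Jan 10 04:35:02 srvr sshd[14402]: User jdoe from 192.0.2.11 not allowed because none of user's groups are listed in AllowGroups
Jan 10 04:35:02 srvr sshd[14402]: Failed none for invalid user jdoe from 192.0.2.11 port 40112 ssh2
Jan 10 04:40:19 srvr sshd[14477]: Invalid user EXAMPLE+ghost from 192.0.2.12
Jan 10 04:41:00 srvr sshd[14490]: Accepted publickey for da_admin from 192.0.2.13 port 50210 ssh2
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

On a real host feed it `grep sshd /var/log/auth.log` (or /var/log/messages on SUSE) instead of the sample; a log that shows only "invalid user" lines with no "not allowed because" line before them points at name resolution (check `getent passwd name`), not at the Allow lists.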


