LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1 | 11-02-2009, 01:39 PM | fantasygoat (Member)
OpenLDAP-based SSH login by groups


I'm in the process of setting up our environment to use OpenLDAP for SSH login authentication.

I've got it working in our test environment but it currently allows anyone with an OpenLDAP account to login. I would like to restrict access to servers based on groups.

For example, I'd like to use the existing default structure. If a user is in the dev group, let them in.

cn=dev,ou=Groups,dc=domain,dc=com

I'm pretty new to LDAP so my understanding of how it organizes things is limited. I've seen some guides that recommend a large number of changes to the LDAP structure which I'd like to avoid.

Is there an easy way to implement this?
 
#2 | 11-02-2009, 01:48 PM | acid_kewpie (Moderator)
Well, a big thing you (apparently) would benefit from appreciating is the abstraction involved. When you log in, the source of the user account is totally irrelevant. You would not filter against an LDAP group at all, just a group, as listed by the response to the command "getent group" - divide and conquer!

My preferred way to do this is to add that group requirement to /etc/security/access.conf, but other users would suggest you use the "AllowGroups" directive in /etc/ssh/sshd_config.

As far as the LDAP stuff really goes, as long as you do have full posix accounts within LDAP, which you should, then there's really not much else to require. What have you been reading that suggests otherwise?
 
#3 | 11-02-2009, 01:59 PM | fantasygoat (Member, Original Poster)
I've tried using access.conf and users can still login.

Set up as follows:

Quote:
+ : dev : ALL
- : ALL : ALL
And I ssh in as my test user, who isn't in "dev", and I get in fine.

I'm running on CentOS 5.3 and I used authconfig to turn on LDAP logins, so perhaps there's some PAM-related stuff not checking the access.conf file.
 
#4 | 11-02-2009, 02:02 PM | acid_kewpie (Moderator)
Well, naturally you need to get the full login stuff sorted before you can filter. What does "getent group dev" say? Is dev not a system group? Also you would use @dev to signify a group, as without it, it just suggests a user. Having said *that* though, that still suggests that access.conf isn't being read right, possibly.
 
#5 | 11-02-2009, 02:04 PM | twk (Member)
Quote:
Originally Posted by fantasygoat View Post
I've tried using access.conf and users can still login.

Set up as follows:
And I ssh in as my test user, who isn't in "dev", and I get in fine.

I'm running on CentOS 5.3 and I used authconfig to turn on LDAP logins, so perhaps there's some PAM-related stuff not checking the access.conf file.
Did you enable pam_access?

authconfig has a parameter "--enablepamaccess".

What does your /etc/pam.d/system-auth file look like?

You need to have "account required pam_access.so" in your system-auth.
 
#6 | 11-02-2009, 02:05 PM | fantasygoat (Member, Original Poster)
I just get the one line output, showing the contents of the LDAP server. dev isn't a local group. Adding @dev makes no difference in the access.conf file.

The sshd AllowGroups option does in fact work, but it doesn't report to the user that they can't login, it just appears that their password doesn't work. If that's the only option then I'll use it but I'd prefer they be told "login not allowed"!
 
#7 | 11-02-2009, 02:07 PM | fantasygoat (Member, Original Poster)
Quote:
Originally Posted by twk View Post
Did you enable pam_access?

authconfig has a parameter "--enablepamaccess".
Didn't do that.

Here's my system-auth:

Quote:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
 
#8 | 11-02-2009, 02:10 PM | twk (Member)
Quote:
Originally Posted by fantasygoat View Post
Didn't do that.

here's my system-auth:
I think you need to add:
Code:
account required pam_access.so
right before
Code:
account required pam_unix.so broken_shadow
 
#9 | 11-02-2009, 02:12 PM | fantasygoat (Member, Original Poster)
Reran authconfig with that option and it puts the account line in place. But now none of the test accounts can login!

I did:

Quote:
+ : @dev : ALL
- : ALL : ALL
In access.conf.
 
#10 | 11-02-2009, 02:16 PM | twk (Member)
Quote:
Originally Posted by fantasygoat View Post
Reran authconfig with that option and it puts the account line in place. But now none of the test accounts can login!

I did:


In access.conf.
You don't need "@" for the group.

Code:
+:group:ALL
-:ALL:ALL
 
#11 | 11-02-2009, 02:19 PM | fantasygoat (Member, Original Poster)
Perfect, exactly what I need! Thanks!
 
#12 | 11-02-2009, 04:06 PM | acid_kewpie (Moderator)
Not come across pam_access not being there by default. Checking some examples in the access.conf manpage did still list @ notation.

As far as informing the user, I think that *IF* it matters there are ways to send data back to the user with some of the less common branching and logic modules that some people have written for PAM. Fundamentally though, security is about not disclosing unnecessary information, so not common to want to deliberately give more information back.
 
#13 | 11-02-2009, 04:17 PM | fantasygoat (Member, Original Poster)
In this case, I didn't want people getting confused thinking their password was wrong. "Connection Refused" is plenty good enough.
 
#14 | 11-02-2009, 09:48 PM | twk (Member)
Quote:
Originally Posted by acid_kewpie View Post
Not come across pam_access not being there by default. Checking some examples in the access.conf manpage did still list @ notation.

..snip..
I think it's for NIS only. I never used NIS therefore I can't confirm that.
 
#15 | 11-02-2009, 11:58 PM | acid_kewpie (Moderator)
Oh yeah @ is for netgroups, not groups. Sort of NIS, sort of not.
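As an added example (not code from the thread or from pam_access itself), a small Python model of how pam_access evaluates /etc/security/access.conf, covering the two points settled in posts #10 and #15: the first matching rule wins, a bare name in the middle field matches a user name or a POSIX group, and "@name" is a netgroup rather than a group. The function names, the two sample configs and the users alice and bob are constructed for illustration; EXCEPT lists and host or tty pattern origins are not modelled.

```python
# Added example: a simplified model of pam_access rule evaluation, written to
# show why "+ : @dev : ALL" locked everyone out while "+ : dev : ALL" worked.
# Not the real module's code; EXCEPT lists and host/tty patterns are omitted.

def user_token_matches(token, user, groups, netgroups):
    """Match one token of the users/groups field against the login."""
    if token == "ALL":
        return True
    if token.startswith("@"):               # netgroup (NIS-style), not a POSIX group
        return token[1:] in netgroups
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups        # explicit-group syntax in newer pam_access
    return token == user or token in groups  # bare name: user name, then group name

def origin_token_matches(token, origin):
    """Match one token of the origins field (ALL, LOCAL, or an exact host/tty)."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin            # pam_access treats dot-less origins as local
    return token == origin

def parse_access_conf(text):
    """Return [(permission, [user tokens], [origin tokens])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def access_allowed(rules, user, groups=(), netgroups=(), origin="localhost"):
    """First matching rule decides; pam_access permits when nothing matches."""
    for perm, users, origins in rules:
        if (any(user_token_matches(t, user, groups, netgroups) for t in users)
                and any(origin_token_matches(t, origin) for t in origins)):
            return perm == "+"
    return True

# Constructed configs: the thread's failing attempt (netgroup) and twk's fix (group).
CONF_NETGROUP = "+ : @dev : ALL\n- : ALL : ALL\n"
CONF_GROUP = "+ : dev : ALL\n- : ALL : ALL\n"
```

With `groups=["dev"]` standing in for what `getent group dev` reports, alice is denied under CONF_NETGROUP (no netgroup named dev) and permitted under CONF_GROUP, while bob, who is only in "users", hits the final "- : ALL : ALL" rule.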
 